Add ParameterLimitValve to enforce request parameter limits for specific URLs
This is an effort to introduce a Parameter Limit Valve that allows limiting the number of parameters in HTTP requests, while explicitly allowing more parameters for specific URLs. (The idea was raised by this email.)
It is worth noting that if the Parameter Limit Valve is configured, it operates independently of the Connector's maxParameterCount attribute. The Connector's maxParameterCount sets a global limit, while the Parameter Limit Valve offers additional flexibility by allowing different limits for specific URLs. However, if the maxParameterCount defined in the Connector is lower, it effectively overrides the valve by preventing large requests from ever reaching it.
For manual testing, one can add something like the following in context.xml:

```xml
<Valve className="org.apache.catalina.valves.ParameterLimitValve"
       maxGlobalParams="4"
       urlPatternLimits="/api/.*=2,/admin/.*=1,/my/special/url1=3" />
```
and run some relevant test cases:

```shell
curl -X POST http://localhost:8080/api/resource -d "param1=val1&param2=val2"                                      # PASS
curl -X POST http://localhost:8080/api/resource -d "param1=val1&param2=val2&param3=val3"                          # FAIL
curl -X POST http://localhost:8080/admin/settings -d "param1=val1"                                                # PASS
curl -X POST http://localhost:8080/admin/settings -d "param1=val1&param2=val2"                                    # FAIL
curl -X POST http://localhost:8080/my/special/url1 -d "param1=val1&param2=val2&param3=val3"                       # PASS
curl -X POST http://localhost:8080/my/special/url1 -d "param1=val1&param2=val2&param3=val3&param4=val4"           # FAIL
curl -X POST http://localhost:8080/random -d "param1=val1&param2=val2&param3=val3&param4=val4"                    # PASS
curl -X POST http://localhost:8080/random -d "param1=val1&param2=val2&param3=val3&param4=val4&param5=val5"        # FAIL
```
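
A stand-alone Java model of the decision that the description and test cases above imply, added here as an example and not the code from this PR. It assumes that the first pattern matching the whole request URI wins, that no pattern contains a comma, and that parameters are counted as `&`-separated pairs; the class `ParameterLimitModel`, its methods and the `connectorMax` values are hypothetical.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

// Added illustration: a model of the limit decision, not Tomcat's ParameterLimitValve source.
public class ParameterLimitModel {
    private final Map<Pattern, Integer> limits = new LinkedHashMap<>();
    private final int maxGlobalParams;

    // Parses "regex=limit,regex=limit". Assumption: no pattern contains ','.
    ParameterLimitModel(int maxGlobalParams, String urlPatternLimits) {
        this.maxGlobalParams = maxGlobalParams;
        for (String entry : urlPatternLimits.split(",")) {
            int eq = entry.lastIndexOf('='); // the limit follows the last '='
            limits.put(Pattern.compile(entry.substring(0, eq).trim()),
                    Integer.valueOf(entry.substring(eq + 1).trim()));
        }
    }

    // Assumption: the first pattern matching the whole URI wins, else the global limit applies.
    int limitFor(String uri) {
        for (Map.Entry<Pattern, Integer> e : limits.entrySet()) {
            if (e.getKey().matcher(uri).matches()) return e.getValue();
        }
        return maxGlobalParams;
    }

    // Counts '&'-separated pairs in a form-encoded body.
    static int countParams(String body) {
        return body.isEmpty() ? 0 : body.split("&").length;
    }

    // Per the description, a lower Connector maxParameterCount rejects the request first.
    boolean allowed(String uri, String body, int connectorMax) {
        int n = countParams(body);
        return n <= connectorMax && n <= limitFor(uri);
    }

    public static void main(String[] args) {
        ParameterLimitModel m =
                new ParameterLimitModel(4, "/api/.*=2,/admin/.*=1,/my/special/url1=3");
        String three = "param1=val1&param2=val2&param3=val3";
        // connectorMax values are constructed for the example.
        System.out.println(m.allowed("/api/resource", three, 1000));    // checked against /api/.*=2
        System.out.println(m.allowed("/my/special/url1", three, 1000)); // checked against the limit of 3
        System.out.println(m.allowed("/random", three, 1000));          // falls back to maxGlobalParams=4
        System.out.println(m.allowed("/my/special/url1", three, 2));    // Connector limit is lower
    }
}
```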