This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.1.x by this push:
new 7b6949ea7b Reduce the default for maxParameterCount from 10,000 to 1,000.
7b6949ea7b is described below
commit 7b6949ea7bac7473c2447f0a57b06c83dbf72590
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue Mar 14 17:53:18 2023 +0000
Reduce the default for maxParameterCount from 10,000 to 1,000.
---
 java/org/apache/catalina/connector/Connector.java | 2 +-
 java/org/apache/catalina/connector/mbeans-descriptors.xml | 2 +-
 webapps/docs/changelog.xml | 4 ++++
 webapps/docs/config/ajp.xml | 2 +-
 webapps/docs/config/http.xml | 2 +-
 5 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/java/org/apache/catalina/connector/Connector.java b/java/org/apache/catalina/connector/Connector.java
index 235b987c65..54f9915ba6 100644
--- a/java/org/apache/catalina/connector/Connector.java
+++ b/java/org/apache/catalina/connector/Connector.java
@@ -206,7 +206,7 @@ public class Connector extends LifecycleMBeanBase {
 * The maximum number of parameters (GET plus POST) which will be automatically parsed by the container. 10000 by * default. A value of less than 0 means no limit. */
- protected int maxParameterCount = 10000;
+ protected int maxParameterCount = 1000;
 /** * Maximum size of a POST which will be automatically parsed by the container. 2MB by default.
diff --git a/java/org/apache/catalina/connector/mbeans-descriptors.xml b/java/org/apache/catalina/connector/mbeans-descriptors.xml
index cf691ae769..263de6085f 100644
--- a/java/org/apache/catalina/connector/mbeans-descriptors.xml
+++ b/java/org/apache/catalina/connector/mbeans-descriptors.xml
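Review bot: The Javadoc above `maxParameterCount` in Connector.java still says "10000 by default" after this hunk, because only the field initialiser changes and the comment is an unchanged context line; it should read `1000 by default`, matching the updated wording in mbeans-descriptors.xml, ajp.xml and http.xml. The limit caps how many parameters the container will parse for one request, so the documented default is what an operator relies on when deciding whether to set the attribute explicitly. The config docs touched by this commit state that parameters beyond the limit are ignored unless `FailedRequestFilter` is used to reject the request, so the changelog entry could also say that applications legitimately submitting more than 1,000 parameters need an explicit `maxParameterCount`. The Connector class body continues outside the hunk.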
@@ -107,7 +107,7 @@
 type="int"/> <attribute name="maxParameterCount"
- description="The maximum number of parameters (GET plus POST) which will be automatically parsed by the container. 10000 by default. A value of less than 0 means no limit."
+ description="The maximum number of parameters (GET plus POST) which will be automatically parsed by the container. 1000 by default. A value of less than 0 means no limit."
 type="int"/> <attribute name="maxPostSize"
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index c574b05f88..b17f9aed13 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -132,6 +132,10 @@
 <bug>66524</bug> Correct eviction ordering in WebResource cache to by LRU as intended. (schultz) </fix>
+ <update>
+ Reduce the default value of <code>maxParameterCount</code> from 10,000
+ to 1,000. (markt)
+ </update>
 </changelog> </subsection> <subsection name="Coyote">
diff --git a/webapps/docs/config/ajp.xml b/webapps/docs/config/ajp.xml
index f4de8b0171..3b614394c1 100644
--- a/webapps/docs/config/ajp.xml
+++ b/webapps/docs/config/ajp.xml
@@ -155,7 +155,7 @@
 <code>application/x-www-form-urlencoded</code> or <code>multipart/form-data</code>. Request parameters beyond this limit will be ignored. A value of less than 0 means no limit. If not specified,
- a default of 10000 is used. Note that <code>FailedRequestFilter</code>
+ a default of 1000 is used. Note that <code>FailedRequestFilter</code>
 <a href="filter.html">filter</a> can be used to reject requests that exceed the limit.</p> </attribute>
diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml
index 98e22bf0e8..a76bee3edb 100644
--- a/webapps/docs/config/http.xml
+++ b/webapps/docs/config/http.xml
@@ -151,7 +151,7 @@
 <code>application/x-www-form-urlencoded</code> or <code>multipart/form-data</code>. Request parameters beyond this limit will be ignored. A value of less than 0 means no limit. If not specified,
- a default of 10000 is used. Note that <code>FailedRequestFilter</code>
+ a default of 1000 is used. Note that <code>FailedRequestFilter</code>
 <a href="filter.html">filter</a> can be used to reject requests that exceed the limit.</p> </attribute>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org