markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new be5c4c9696 Reduce the default for maxParameterCount from 10,000 to
1,000.
be5c4c9696 is described below
commit be5c4c969659c65219ae173621317edacec7a2f8
Author: Mark Thomas <[email protected]>
AuthorDate: Tue Mar 14 17:53:18 2023 +0000
Reduce the default for maxParameterCount from 10,000 to 1,000.
---
java/org/apache/catalina/connector/Connector.java | 2 +-
java/org/apache/catalina/connector/mbeans-descriptors.xml | 2 +-
webapps/docs/changelog.xml | 4 ++++
webapps/docs/config/ajp.xml | 2 +-
webapps/docs/config/http.xml | 2 +-
5 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/java/org/apache/catalina/connector/Connector.java
b/java/org/apache/catalina/connector/Connector.java
index 1837372732..2d2d09560e 100644
--- a/java/org/apache/catalina/connector/Connector.java
+++ b/java/org/apache/catalina/connector/Connector.java
@@ -198,7 +198,7 @@ public class Connector extends LifecycleMBeanBase {
* The maximum number of parameters (GET plus POST) which will be
automatically parsed by the container. 10000 by
* default. A value of less than 0 means no limit.
*/
- protected int maxParameterCount = 10000;
+ protected int maxParameterCount = 1000;
/**
* Maximum size of a POST which will be automatically parsed by the
container. 2MB by default.
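Review bot: The Javadoc in the context lines directly above the changed field still says `10000 by default`, so it now contradicts the new initialiser `protected int maxParameterCount = 1000;`. It should read `1000 by default`, matching the wording this commit already updates in mbeans-descriptors.xml and the ajp/http config docs. Separately, those config docs state that parameters beyond the limit are ignored rather than rejected. A deployment that legitimately submits more than 1,000 parameters will therefore drop the excess silently after upgrading, unless it sets `maxParameterCount` explicitly or configures `FailedRequestFilter`; the changelog entry could say so. The Connector class body starts and continues outside this hunk, so any other references to the old default are not visible here.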
diff --git a/java/org/apache/catalina/connector/mbeans-descriptors.xml
b/java/org/apache/catalina/connector/mbeans-descriptors.xml
index cf691ae769..263de6085f 100644
--- a/java/org/apache/catalina/connector/mbeans-descriptors.xml
+++ b/java/org/apache/catalina/connector/mbeans-descriptors.xml
@@ -107,7 +107,7 @@
type="int"/>
<attribute name="maxParameterCount"
- description="The maximum number of parameters (GET plus POST) which
will be automatically parsed by the container. 10000 by default. A value of
less than 0 means no limit."
+ description="The maximum number of parameters (GET plus POST) which
will be automatically parsed by the container. 1000 by default. A value of less
than 0 means no limit."
type="int"/>
<attribute name="maxPostSize"
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 39c4d6707f..15dc6233a6 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -132,6 +132,10 @@
<bug>66524</bug> Correct eviction ordering in WebResource cache to
by LRU as intended. (schultz)
</fix>
+ <update>
+ Reduce the default value of <code>maxParameterCount</code> from 10,000
+ to 1,000. (markt)
+ </update>
</changelog>
</subsection>
<subsection name="Coyote">
diff --git a/webapps/docs/config/ajp.xml b/webapps/docs/config/ajp.xml
index 7d8d0933a5..976282f6f4 100644
--- a/webapps/docs/config/ajp.xml
+++ b/webapps/docs/config/ajp.xml
@@ -142,7 +142,7 @@
<code>application/x-www-form-urlencoded</code> or
<code>multipart/form-data</code>. Request parameters beyond this limit
will be ignored. A value of less than 0 means no limit. If not specified,
- a default of 10000 is used. Note that <code>FailedRequestFilter</code>
+ a default of 1000 is used. Note that <code>FailedRequestFilter</code>
<a href="filter.html">filter</a> can be used to reject requests that
exceed the limit.</p>
</attribute>
diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml
index fcc253bd09..9876af9765 100644
--- a/webapps/docs/config/http.xml
+++ b/webapps/docs/config/http.xml
@@ -140,7 +140,7 @@
<code>application/x-www-form-urlencoded</code> or
<code>multipart/form-data</code>. Request parameters beyond this limit
will be ignored. A value of less than 0 means no limit. If not specified,
- a default of 10000 is used. Note that <code>FailedRequestFilter</code>
+ a default of 1000 is used. Note that <code>FailedRequestFilter</code>
<a href="filter.html">filter</a> can be used to reject requests that
exceed the limit.</p>
</attribute>