On Fri, Mar 24, 2023 at 10:01 AM Mark Thomas <ma...@apache.org> wrote:
>
> On 23/03/2023 20:20, Christopher Schultz wrote:
> > Mark,
> >
> > On 3/22/23 07:38, Mark Thomas wrote:
> >> Any more thoughts on this?
> >>
> >> There hasn't been much movement from the spec EG on this, so my
> >> current thinking is to revert this change for 10.1.x and earlier to
> >> wait and see what the Servlet EG decides.
> >
> > I'd like to leave our changes in, but I understand that Konstantin has a
> > good point about silently discarding parameters.
> >
> > There is no particular reason not to implement option (c) (throw
> > RuntimeException if the maximum number of parameters is exceeded).
> > Anyone affected by it can change the setting, and an appropriate error
> > message can direct operators to that setting to make it easy.
>
> The problem with option c) is that there would be no way for someone to
> get back to the current behaviour of accepting the first 10,000
> parameters and then silently swallowing the rest. I agree that seems
> unlikely but with such a wide user-base I wouldn't be surprised if that
> was a problem for a few users.
>
> Which brings us back to Konstantin's point that this really needs to be
> configurable. I hope that is the direction the Servlet EG is going to
> head in but wherever the EG ends up, it isn't going to get there in time
> for the April releases.
>
> I did think of another possible interim option this morning:
>
> - leave 11.0.x as is with a hard-coded limit of 1,000
> - for 10.1.x and earlier
>    - revert the change to the hard-coded limit
>    - configure a lower limit of 1,000 in server.xml
> - review next steps once the Servlet EG has decided on a plan for
>    Servlet 6.1

Ok if it addresses some concern. 1000 seems already like "a lot" to me though so I don't really understand. Of course it is a limit that wasn't there before, but it's not the first time a similarly "high" limit is added due to resource use (IMO the HTTP header size is the most "limiting" one).

> This effectively introduces the lower limit for "new" users. Upgrading
> users will retain their current limit but should see the entry in the
> change log, the note in the migration guide and the diff in server.xml.
> We can also call it out as one of the key changes in the release
> announcement.

+1

Rémy

>
> Mark
>
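
The two overflow behaviours weighed in this thread (keep the first N parameters and drop the rest without a signal, versus option (c), failing the request) are modelled below as an added Java example; it is not Tomcat's code or anything posted by the participants. `ParamLimitDemo`, `OverflowPolicy`, `parse` and the `confirm` field are hypothetical names, the request body is constructed, and URL decoding is left out.

```java
import java.util.ArrayList;
import java.util.List;

// Added illustration: a simplified model of a per-request parameter limit.
// ParamLimitDemo, OverflowPolicy and parse() are hypothetical, not Tomcat classes.
public class ParamLimitDemo {

    enum OverflowPolicy { DISCARD_SILENTLY, REJECT }

    // Parses "a=1&b=2" style input, keeping at most `limit` name=value pairs.
    static List<String[]> parse(String body, int limit, OverflowPolicy policy) {
        List<String[]> params = new ArrayList<>();
        if (body.isEmpty()) {
            return params;
        }
        for (String pair : body.split("&")) {
            if (params.size() >= limit) {
                if (policy == OverflowPolicy.REJECT) {
                    // Option (c): fail loudly and point the operator at the setting.
                    throw new IllegalStateException("More than " + limit
                            + " parameters; raise the configured limit if this is expected");
                }
                break; // silent-discard behaviour: the caller gets no signal
            }
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.add(new String[] { name, value });
        }
        return params;
    }

    public static void main(String[] args) {
        // Constructed sample: 1,000 filler fields followed by one field the app reads.
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < 1000; i++) {
            sb.append("f").append(i).append("=x&");
        }
        String body = sb.append("confirm=yes").toString();

        for (int limit : new int[] { 10_000, 1_000 }) {
            List<String[]> p = parse(body, limit, OverflowPolicy.DISCARD_SILENTLY);
            boolean seen = p.stream().anyMatch(kv -> kv[0].equals("confirm"));
            System.out.println("limit=" + limit + " kept=" + p.size() + " confirm seen=" + seen);
        }
        try {
            parse(body, 1_000, OverflowPolicy.REJECT);
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Under the silent-discard policy the same body yields a different parameter set at each limit and the application cannot tell; under the reject policy the request fails with a message naming the limit.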