This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
     new 4867e4e028 Change how the reduced default for maxParameterCount is 
implemented
4867e4e028 is described below

commit 4867e4e028f3a4ea801bcf8288ddca1a60d75e8b
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Mar 29 10:31:58 2023 +0100

    Change how the reduced default for maxParameterCount is implemented
    
    The hard-coded limit remains at 10,000. A lower default of 1,000 is set
    in server.xml. The expectation is that new users will get the new
    default. Upgrading users will retain the existing default but see the
    change when they check configuration changes and will adjust their
    default appropriately for their system.
---
 conf/server.xml                                      | 20 +++++++++++++++-----
 java/org/apache/catalina/connector/Connector.java    |  6 +++---
 .../apache/catalina/connector/mbeans-descriptors.xml |  2 +-
 .../catalina/startup/TestTomcatStandalone.java       |  4 +++-
 webapps/docs/changelog.xml                           |  5 +++--
 webapps/docs/ssl-howto.xml                           |  3 +++
 6 files changed, 28 insertions(+), 12 deletions(-)

diff --git a/conf/server.xml b/conf/server.xml
index 1e8139dd33..c18d1f6023 100644
--- a/conf/server.xml
+++ b/conf/server.xml
@@ -68,13 +68,17 @@
     -->
     <Connector port="8080" protocol="HTTP/1.1"
                connectionTimeout="20000"
-               redirectPort="8443" />
+               redirectPort="8443"
+               maxParameterCount="1000"
+               />
     <!-- A "Connector" using the shared thread pool-->
     <!--
     <Connector executor="tomcatThreadPool"
                port="8080" protocol="HTTP/1.1"
                connectionTimeout="20000"
-               redirectPort="8443" />
+               redirectPort="8443"
+               maxParameterCount="1000"
+               />
     -->
     <!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443
          This connector uses the NIO implementation. The default
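Review bot: The new `maxParameterCount="1000"` attribute on the default HTTP connector carries no comment explaining why it is set below the built-in 10000, so an upgrading administrator diffing server.xml (the audience the commit description targets) has to consult the Connector documentation to learn what the attribute bounds. A one-line XML comment above the attribute would make the intent self-evident, e.g. `<!-- maxParameterCount bounds the number of GET plus POST parameters parsed per request; the built-in default is 10000 -->`. The same applies to the commented-out connector examples in this hunk and in the three later hunks of this file (the NIO and APR SSL connectors and the AJP connector).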
@@ -85,7 +89,9 @@
     -->
     <!--
     <Connector port="8443" 
protocol="org.apache.coyote.http11.Http11NioProtocol"
-               maxThreads="150" SSLEnabled="true">
+               maxThreads="150" SSLEnabled="true"
+               maxParameterCount="1000"
+               >
         <SSLHostConfig>
             <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                          type="RSA" />
@@ -100,7 +106,9 @@
     -->
     <!--
     <Connector port="8443" 
protocol="org.apache.coyote.http11.Http11AprProtocol"
-               maxThreads="150" SSLEnabled="true" >
+               maxThreads="150" SSLEnabled="true"
+               maxParameterCount="1000"
+               >
         <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
         <SSLHostConfig>
             <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
@@ -116,7 +124,9 @@
     <Connector protocol="AJP/1.3"
                address="::1"
                port="8009"
-               redirectPort="8443" />
+               redirectPort="8443"
+               maxParameterCount="1000"
+               />
     -->
 
     <!-- An Engine represents the entry point (within Catalina) that processes
diff --git a/java/org/apache/catalina/connector/Connector.java 
b/java/org/apache/catalina/connector/Connector.java
index 833b5a33a9..c504210b64 100644
--- a/java/org/apache/catalina/connector/Connector.java
+++ b/java/org/apache/catalina/connector/Connector.java
@@ -195,10 +195,10 @@ public class Connector extends LifecycleMBeanBase {
     private int maxCookieCount = 200;
 
     /**
-     * The maximum number of parameters (GET plus POST) which will be 
automatically parsed by the container. 1000 by
-     * default. A value of less than 0 means no limit.
+     * The maximum number of parameters (GET plus POST) which will be 
automatically parsed by the container. 10000 by
+     * default. The default Tomcat server.xml configures a lower default of 
1000. A value of less than 0 means no limit.
      */
-    protected int maxParameterCount = 1000;
+    protected int maxParameterCount = 10000;
 
     /**
      * Maximum size of a POST which will be automatically parsed by the 
container. 2MB by default.
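Review bot: The updated Javadoc on `maxParameterCount` says that server.xml lowers the default to 1000, but it does not say that deployments which do not load server.xml (presumably embedded Tomcat among them) keep the hard-coded 10000, even though this field is what bounds the number of parameters parsed per request for them. The Javadoc should state that explicitly, e.g. `Deployments that do not use server.xml keep the 10000 default unless they set this value explicitly.`. The description string in the mbeans-descriptors.xml hunk mirrors this text and should carry the same sentence so the JMX and Javadoc descriptions stay consistent. The enclosing Connector class starts and ends outside this hunk.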
diff --git a/java/org/apache/catalina/connector/mbeans-descriptors.xml 
b/java/org/apache/catalina/connector/mbeans-descriptors.xml
index 263de6085f..fb55170c3a 100644
--- a/java/org/apache/catalina/connector/mbeans-descriptors.xml
+++ b/java/org/apache/catalina/connector/mbeans-descriptors.xml
@@ -107,7 +107,7 @@
                  type="int"/>
 
     <attribute   name="maxParameterCount"
-          description="The maximum number of parameters (GET plus POST) which 
will be automatically parsed by the container. 1000 by default. A value of less 
than 0 means no limit."
+          description="The maximum number of parameters (GET plus POST) which 
will be automatically parsed by the container. 10000 by default. The default 
Tomcat server.xml configures a lower default of 1000. A value of less than 0 
means no limit."
                  type="int"/>
 
     <attribute   name="maxPostSize"
diff --git a/test/org/apache/catalina/startup/TestTomcatStandalone.java 
b/test/org/apache/catalina/startup/TestTomcatStandalone.java
index 796bc63f0a..ebb763ad6f 100644
--- a/test/org/apache/catalina/startup/TestTomcatStandalone.java
+++ b/test/org/apache/catalina/startup/TestTomcatStandalone.java
@@ -53,7 +53,9 @@ public class TestTomcatStandalone extends LoggingBaseTest {
                 + "  <Service name=\"Catalina\">\n" + "\n"
                 + "    <Connector port=\"0\" protocol=\"HTTP/1.1\"\n"
                 + "               connectionTimeout=\"20000\"\n"
-                + "               redirectPort=\"8443\" />\n"
+                + "               redirectPort=\"8443\"\n"
+                + "               maxParameterCount=\"1000\"\n"
+                + "               />\n"
                 + "    <Engine name=\"Catalina\" defaultHost=\"localhost\">\n"
                 + "\n"
                 + "      <Realm 
className=\"org.apache.catalina.realm.LockOutRealm\">\n"
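Review bot: The test fixture now mirrors the new server.xml attribute, but nothing in the hunk asserts that the parsed connector actually reports 1000 after startup, so a regression in handling of `maxParameterCount` from server.xml would pass unnoticed. If the test exposes the Connector it parses, adding `Assert.assertEquals(1000, connector.getMaxParameterCount());` after start would turn this from a copy of the configuration into a check on it. The exact handle depends on the test body, which starts and ends outside this hunk.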
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index c305c2de06..ab4d20043e 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -133,8 +133,9 @@
         by LRU as intended. (schultz)
       </fix>
       <update>
-        Reduce the default value of <code>maxParameterCount</code> from 10,000
-        to 1,000. (markt)
+        Use server.xml to reduce the default value of
+        <code>maxParameterCount</code> from 10,000 to 1,000. If not configured
+        in server.xml, the default remains 10,000. (markt)
       </update>
       <add>
         Update Digest authentication support to align with RFC 7616. This adds 
a
diff --git a/webapps/docs/ssl-howto.xml b/webapps/docs/ssl-howto.xml
index c94e6d7413..3db5d1d828 100644
--- a/webapps/docs/ssl-howto.xml
+++ b/webapps/docs/ssl-howto.xml
@@ -337,6 +337,7 @@ this:</p>
 <Connector
            protocol="org.apache.coyote.http11.Http11NioProtocol"
            port="8443" maxThreads="200"
+           maxParameterCount="1000"
            scheme="https" secure="true" SSLEnabled="true"
            keystoreFile="${user.home}/.keystore" keystorePass="changeit"
            clientAuth="false" sslProtocol="TLS"/>]]></source>
@@ -351,6 +352,7 @@ this:</p>
 <Connector
            protocol="org.apache.coyote.http11.Http11AprProtocol"
            port="8443" maxThreads="200"
+           maxParameterCount="1000"
            scheme="https" secure="true" SSLEnabled="true"
            SSLCertificateFile="/usr/local/ssl/server.crt"
            SSLCertificateKeyFile="/usr/local/ssl/server.pem"
@@ -529,6 +531,7 @@ for more information about installation of APR. A basic 
OCSP-enabled connector
 <![CDATA[<Connector
     port="8443"
     protocol="org.apache.coyote.http11.Http11AprProtocol"
+    maxParameterCount="1000"
     secure="true"
     scheme="https"
     SSLEnabled="true"

