This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/8.5.x by this push: new 2d6592dbba Change how the reduced default for maxParameterCount is implemented 2d6592dbba is described below commit 2d6592dbbabfca3ba1c26c2049d470d734dc4a5d Author: Mark Thomas <ma...@apache.org> AuthorDate: Wed Mar 29 10:31:58 2023 +0100 Change how the reduced default for maxParameterCount is implemented The hard-coded limit remains at 10,000. A lower default of 1,000 is set in server.xml. The expectation is the new users will get the new default. Upgrading users will retain the existing default but see the change when they check configuration changes and will adjust their default appropriately for their system. --- conf/server.xml | 20 +++++++++++++++----- java/org/apache/catalina/connector/Connector.java | 6 +++--- .../apache/catalina/connector/mbeans-descriptors.xml | 2 +- webapps/docs/changelog.xml | 5 +++-- webapps/docs/ssl-howto.xml | 3 +++ 5 files changed, 25 insertions(+), 11 deletions(-)
diff --git a/conf/server.xml b/conf/server.xml
index 1e8139dd33..c18d1f6023 100644
--- a/conf/server.xml
+++ b/conf/server.xml
@@ -68,13 +68,17 @@
 --> <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
- redirectPort="8443" />
+ redirectPort="8443"
+ maxParameterCount="1000"
+ />
 <!-- A "Connector" using the shared thread pool--> <!-- <Connector executor="tomcatThreadPool" port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
- redirectPort="8443" />
+ redirectPort="8443"
+ maxParameterCount="1000"
+ />
 --> <!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443 This connector uses the NIO implementation. The default
@@ -85,7 +89,9 @@
 --> <!-- <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
- maxThreads="150" SSLEnabled="true">
+ maxThreads="150" SSLEnabled="true"
+ maxParameterCount="1000"
+ >
 <SSLHostConfig> <Certificate certificateKeystoreFile="conf/localhost-rsa.jks" type="RSA" />
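Review bot: Nothing in conf/server.xml says why `maxParameterCount="1000"` is set on the port 8080 Connector or what happens when it is removed, yet after this commit the file is the only place the reduced limit lives. An operator who trims the attribute falls back to the hard-coded 10000 without any hint. A comment ahead of the element would close that gap, for example `<!-- maxParameterCount caps the GET plus POST parameters parsed per request; if omitted, the Connector default of 10000 applies -->`. The same applies to the commented-out connectors in the hunks at -85, -100 and -116.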
@@ -100,7 +106,9 @@
 --> <!-- <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
- maxThreads="150" SSLEnabled="true" >
+ maxThreads="150" SSLEnabled="true"
+ maxParameterCount="1000"
+ >
 <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> <SSLHostConfig> <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
@@ -116,7 +124,9 @@
 <Connector protocol="AJP/1.3" address="::1" port="8009"
- redirectPort="8443" />
+ redirectPort="8443"
+ maxParameterCount="1000"
+ />
 --> <!-- An Engine represents the entry point (within Catalina) that processes
diff --git a/java/org/apache/catalina/connector/Connector.java b/java/org/apache/catalina/connector/Connector.java
index 2f67c035d2..8d3ff0657a 100644
--- a/java/org/apache/catalina/connector/Connector.java
+++ b/java/org/apache/catalina/connector/Connector.java
@@ -197,10 +197,10 @@ public class Connector extends LifecycleMBeanBase {
 private int maxCookieCount = 200; /**
- * The maximum number of parameters (GET plus POST) which will be automatically parsed by the container. 1000 by
- * default. A value of less than 0 means no limit.
+ * The maximum number of parameters (GET plus POST) which will be automatically parsed by the container. 10000 by
+ * default. The default Tomcat server.xml configures a lower default of 1000. A value of less than 0 means no limit.
 */
- protected int maxParameterCount = 1000;
+ protected int maxParameterCount = 10000;
 /** * Maximum size of a POST which will be automatically parsed by the container. 2MB by default.
diff --git a/java/org/apache/catalina/connector/mbeans-descriptors.xml b/java/org/apache/catalina/connector/mbeans-descriptors.xml
index fa7725edfe..def663ff67 100644
--- a/java/org/apache/catalina/connector/mbeans-descriptors.xml
+++ b/java/org/apache/catalina/connector/mbeans-descriptors.xml
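Review bot: In Connector.java the revised Javadoc on `maxParameterCount` does not say which connectors actually get the 1000 limit, and "configures a lower default of 1000" blurs the code default with a configured value. With the initialiser back at `maxParameterCount = 10000`, a Connector defined in a server.xml carried over from an earlier install (and presumably one created without the stock server.xml at all) parses up to 10000 parameters per request. I would word it as `10000 by default. The server.xml shipped with Tomcat sets 1000 on its Connectors; a Connector configured any other way uses 10000 unless maxParameterCount is set explicitly.` The same sentence is repeated in the `description` attribute in mbeans-descriptors.xml and should change with it. The class body starts and ends outside the hunk.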
@@ -107,7 +107,7 @@ type="int"/> <attribute name="maxParameterCount"
- description="The maximum number of parameters (GET plus POST) which will be automatically parsed by the container. 1000 by default. A value of less than 0 means no limit."
+ description="The maximum number of parameters (GET plus POST) which will be automatically parsed by the container. 10000 by default. The default Tomcat server.xml configures a lower default of 1000. A value of less than 0 means no limit."
 type="int"/> <attribute name="maxPostSize"
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index c538c08d23..56d8ccc54a 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -133,8 +133,9 @@ by LRU as intended. (schultz) </fix> <update>
- Reduce the default value of <code>maxParameterCount</code> from 10,000
- to 1,000. (markt)
+ Use server.xml to reduce the default value of
+ <code>maxParameterCount</code> from 10,000 to 1,000. If not configured
+ in server.xml, the default remains 10,000. (markt)
 </update> <add> Update Digest authentication support to align with RFC 7616. This adds a
diff --git a/webapps/docs/ssl-howto.xml b/webapps/docs/ssl-howto.xml
index 668b4fc507..fcbd4303e8 100644
--- a/webapps/docs/ssl-howto.xml
+++ b/webapps/docs/ssl-howto.xml
@@ -337,6 +337,7 @@ this:</p> <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="8443" maxThreads="200"
+ maxParameterCount="1000"
 scheme="https" secure="true" SSLEnabled="true" keystoreFile="${user.home}/.keystore" keystorePass="changeit" clientAuth="false" sslProtocol="TLS"/>]]></source>
@@ -351,6 +352,7 @@ this:</p> <Connector protocol="org.apache.coyote.http11.Http11AprProtocol" port="8443" maxThreads="200"
+ maxParameterCount="1000"
 scheme="https" secure="true" SSLEnabled="true" SSLCertificateFile="/usr/local/ssl/server.crt" SSLCertificateKeyFile="/usr/local/ssl/server.pem"
@@ -529,6 +531,7 @@ for more information about installation of APR. A basic OCSP-enabled connector <![CDATA[<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
+ maxParameterCount="1000"
 secure="true" scheme="https" SSLEnabled="true"
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org