https://bz.apache.org/bugzilla/show_bug.cgi?id=69710
--- Comment #17 from Remy Maucherat <r...@apache.org> ---
30 to 60 just like that seems too high to me, 25 would be 400MB, which is already huge. You've got to realize that processing this is not free if an attacker shows up with a fully populated request.

One thing I was considering personally is relaxing the default limit dynamically (maybe up to the proposed 50 or 60) if there is an authenticated user (userPrincipal != null). This does not cover everything 100%, and is clearly not out of reach of an attacker in some cases, but this is something that can reasonably make people's lives easier.