https://bz.apache.org/bugzilla/show_bug.cgi?id=69710

--- Comment #18 from 123hay...@gmail.com ---
My thoughts on this:

1. Communication of new enforced Limits.  
If Tomcat introduces new Limits for whatever reason (CVEs or other things) it
should be clearly stated that there are new limits to prevent confusion.  
No need to justify exactly why in the release notes, but instead of writing:
"Provide finer grained control of multi-part request processing via two new
attributes on the Connector element."
It would be way more helpful for users to read something like:
"Introduce new default limits for multi-part request processing.
maxPartCount=10 and maxPartHeaderSize=512. Please check the documentation here:
[link]"

This is something that can easily be improved regardless of the discussion
about whether the new limits are appropriate or not :)


2. Regarding the proposed limits I think option b in combination with option a
would be good default values. So 60 for Java 8 and 120 for everything newer.  
It would break way less apps and still be a considerable improvement.  
Also imho most servers have more than 1 GB RAM to spare. Especially in
Enterprise contexts :)


But in the end those are just default values.  
Maybe very low values are ok even if they break a lot of apps as long as people
are aware of them.  
Maybe we could offer some examples like what Mark did here in the comments :)
10kb x ~1k x 8k x 4 = 320Gb
0.5k x 10 x 8k x 4 = 160Mb
Maybe add some values for 1Gb and 500Mb as well.

Imho the most actionable thing is to better communicate the new limits so
people can make an informed decision what's best for their specific use case :)
