This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.1.x by this push: new 36e2c905ac BZ 69710 Increase default maxPartCount to 50 36e2c905ac is described below commit 36e2c905ac3c933b6d2a4ec1250f0c30289d7a5f Author: Mark Thomas <ma...@apache.org> AuthorDate: Tue Jun 24 09:52:52 2025 +0100 BZ 69710 Increase default maxPartCount to 50 Document memory requirements for multipart requests https://bz.apache.org/bugzilla/show_bug.cgi?id=69710 --- java/org/apache/catalina/connector/Connector.java | 2 +- webapps/docs/changelog.xml | 6 ++++++ webapps/docs/config/ajp.xml | 10 +++++++++- webapps/docs/config/http.xml | 10 +++++++++- 4 files changed, 25 insertions(+), 3 deletions(-) diff --git a/java/org/apache/catalina/connector/Connector.java b/java/org/apache/catalina/connector/Connector.java index 1e6ae31e19..421b3f58f8 100644 --- a/java/org/apache/catalina/connector/Connector.java +++ b/java/org/apache/catalina/connector/Connector.java @@ -212,7 +212,7 @@ public class Connector extends LifecycleMBeanBase { */ protected int maxParameterCount = 10000; - private int maxPartCount = 10; + private int maxPartCount = 50; private int maxPartHeaderSize = 512; diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 7fdaf8ccd2..1ec89f0729 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -126,6 +126,12 @@ </subsection> <subsection name="Coyote"> <changelog> + <fix> + <bug>69710</bug>: Increase the default for <code>maxPartCount</code> + from <code>10</code> to <code>50</code>. Update the documentation to + provide more details on the memory requirements to support multi-part + uploads while avoiding a denial of service risk. (markt) + </fix> <fix> <bug>69713</bug>: Correctly handle an HTTP/2 data frame that includes padding when the headers include a content-length. (remm/markt) diff --git a/webapps/docs/config/ajp.xml b/webapps/docs/config/ajp.xml index b3e70e7807..69140c419c 100644 --- a/webapps/docs/config/ajp.xml 
+++ b/webapps/docs/config/ajp.xml @@ -193,7 +193,15 @@ content type is <code>multipart/form-data</code>. This limit is in addition to <code>maxParameterCount</code>. Requests that exceed this limit will be rejected. A value of less than 0 means no limit. If not - specified, a default of 10 is used.</p> + specified, a default of 50 is used.</p> + <p>The nature of multipart requests and the associated Servlet API + requirements for processing them is such that they can place a significant + demand on memory. Applications utilising multipart requests need to ensure + sufficient memory is available to avoid a potential denial of service. As + a guide, the memory required is <code>maxPartHeaderSize</code> x + <code>maxPartCount</code> x <code>maxConnections</code> x 2 (due to the + implementation). For the defaults that is <code>512 x 50 x 8192 x 2</code> + which is 400MB.</p> </attribute> <attribute name="maxPartHeaderSize" required="false"> diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml index 6114d3bb64..09a1c858bd 100644 --- a/webapps/docs/config/http.xml +++ b/webapps/docs/config/http.xml 
@@ -189,7 +189,15 @@ content type is <code>multipart/form-data</code>. This limit is in addition to <code>maxParameterCount</code>. Requests that exceed this limit will be rejected. A value of less than 0 means no limit. If not - specified, a default of 10 is used.</p> + specified, a default of 50 is used.</p> + <p>The nature of multipart requests and the associated Servlet API + requirements for processing them is such that they can place a significant + demand on memory. Applications utilising multipart requests need to ensure + sufficient memory is available to avoid a potential denial of service. As + a guide, the memory required is <code>maxPartHeaderSize</code> x + <code>maxPartCount</code> x <code>maxConnections</code> x 2 (due to the + implementation). For the defaults that is <code>512 x 50 x 8192 x 2</code> + which is 400MB.</p> </attribute> <attribute name="maxPartHeaderSize" required="false">
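Review bot: In java/org/apache/catalina/connector/Connector.java, the changed field "private int maxPartCount = 50;" carries no comment, while maxParameterCount directly above it closes a Javadoc block. The default is now five times larger and the documentation in this same commit ties it to a memory bound (maxPartHeaderSize x maxPartCount x maxConnections x 2), so a short Javadoc on the field that states the default and points to that formula would keep the code and the docs from drifting apart the next time the value changes.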
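Review bot: In webapps/docs/changelog.xml, the new fix entry writes "multi-part uploads" while the paragraphs added to ajp.xml and http.xml in this commit write "multipart requests"; pick one spelling. The entry would also serve operators better if it mentioned that the higher default raises the guide memory figure (the config docs give 400MB for the defaults), since someone reading only the changelog will not see that consequence.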
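Review bot: In webapps/docs/config/ajp.xml, the added sentence "512 x 50 x 8192 x 2 which is 400MB" gives no unit for the inputs, and the product is 419,430,400, which is 400 only when counted in units of 1,048,576. State the unit of maxPartHeaderSize and write the result with an unambiguous unit so the figure can be checked against a heap setting. The phrase "x 2 (due to the implementation)" also gives the reader nothing to reason with; one clause on why the factor applies would tell an operator whether it still holds for their connector.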
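Review bot: In webapps/docs/config/http.xml, the context line "A value of less than 0 means no limit" sits directly before the new memory paragraph, but the paragraph does not say that a negative maxPartCount removes the bound its formula depends on. Add a sentence that the guide figure only holds for a non-negative maxPartCount, since this is the paragraph that introduces the denial of service concern. The paragraph is also a verbatim copy of the one added to ajp.xml, so any later correction has to be made in both files.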