This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
     new f28a16681b BZ 69710 Increase default maxPartCount to 50
f28a16681b is described below

commit f28a16681b9a6a4a4404fc9a3da0280359b087dc
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue Jun 24 09:52:52 2025 +0100

    BZ 69710 Increase default maxPartCount to 50
    
    Document memory requirements for multipart requests
    
    https://bz.apache.org/bugzilla/show_bug.cgi?id=69710
---
 java/org/apache/catalina/connector/Connector.java |  2 +-
 webapps/docs/changelog.xml                        |  6 ++++++
 webapps/docs/config/ajp.xml                       | 10 +++++++++-
 webapps/docs/config/http.xml                      | 10 +++++++++-
 4 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/java/org/apache/catalina/connector/Connector.java 
b/java/org/apache/catalina/connector/Connector.java
index 9ff15c5e9a..d41bde2e8f 100644
--- a/java/org/apache/catalina/connector/Connector.java
+++ b/java/org/apache/catalina/connector/Connector.java
@@ -210,7 +210,7 @@ public class Connector extends LifecycleMBeanBase {
      */
     protected int maxParameterCount = 1000;
 
-    private int maxPartCount = 10;
+    private int maxPartCount = 50;
 
     private int maxPartHeaderSize = 512;
 
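Review bot: The new default on "private int maxPartCount = 50;" carries no comment, while maxParameterCount directly above it has a Javadoc block. A short comment on this field saying that worst-case multipart memory scales linearly with the value, and pointing to the connector configuration docs updated in this commit, would keep the reasoning next to the number. The diffstat also lists four files and none is a test, so nothing pins the new default against a later accidental change.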
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 45d060ff3c..0e362e36b9 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -199,6 +199,12 @@
         Remove NIO2 connector. (remm)
       </update>
       <!-- Entries for backport and removal before 12.0.0-M1 below this line 
-->
+      <fix>
+        <bug>69710</bug>: Increase the default for <code>maxPartCount</code>
+        from <code>10</code> to <code>50</code>. Update the documentation to
+        provide more details on the memory requirements to support multi-part
+        uploads while avoiding a denial of service risk. (markt)
+      </fix>
       <fix>
         <bug>69713</bug>: Correctly handle an HTTP/2 data frame that includes
         padding when the headers include a content-length. (remm/markt)
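Review bot: The entry for 69710 records the move from 10 to 50 but does not tell operators who rely on the default that their worst-case memory for multipart requests grows with it. Since the changelog is where an upgrade is usually checked, consider adding a clause such as "deployments that depend on the default should review memory sizing, see the maxPartCount documentation", so the denial of service consideration is visible without opening the config pages.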
diff --git a/webapps/docs/config/ajp.xml b/webapps/docs/config/ajp.xml
index 8a1af5750b..d19c0a32a1 100644
--- a/webapps/docs/config/ajp.xml
+++ b/webapps/docs/config/ajp.xml
@@ -190,7 +190,15 @@
       content type is <code>multipart/form-data</code>. This limit is in
       addition to <code>maxParameterCount</code>. Requests that exceed this
       limit will be rejected. A value of less than 0 means no limit. If not
-      specified, a default of 10 is used.</p>
+      specified, a default of 50 is used.</p>
+      <p>The nature of multipart requests and the associated Servlet API
+      requirements for processing them is such that they can place a 
significant
+      demand on memory. Applications utilising multipart requests need to 
ensure
+      sufficient memory is available to avoid a potential denial of service. As
+      a guide, the memory required is <code>maxPartHeaderSize</code> x
+      <code>maxPartCount</code> x <code>maxConnections</code> x 2 (due to the
+      implementation). For the defaults that is <code>512 x 50 x 8192 x 
2</code>
+      which is 400MB.</p>
     </attribute>
 
     <attribute name="maxPartHeaderSize" required="false">
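Review bot: The guide figure in the added paragraph has no unit on its inputs and an ambiguous unit on its result. 512 x 50 x 8192 x 2 is 419,430,400, which equals 400MB only if maxPartHeaderSize is counted in bytes and MB is read as MiB (in decimal it is about 419 MB). Suggest stating the unit of maxPartHeaderSize here and writing "approximately 400 MiB". The factor "2 (due to the implementation)" would also help more with a short clause saying what is held twice, so operators can judge whether it still applies after tuning.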
diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml
index 318d2e23db..262d3635dd 100644
--- a/webapps/docs/config/http.xml
+++ b/webapps/docs/config/http.xml
@@ -186,7 +186,15 @@
       content type is <code>multipart/form-data</code>. This limit is in
       addition to <code>maxParameterCount</code>. Requests that exceed this
       limit will be rejected. A value of less than 0 means no limit. If not
-      specified, a default of 10 is used.</p>
+      specified, a default of 50 is used.</p>
+      <p>The nature of multipart requests and the associated Servlet API
+      requirements for processing them is such that they can place a 
significant
+      demand on memory. Applications utilising multipart requests need to 
ensure
+      sufficient memory is available to avoid a potential denial of service. As
+      a guide, the memory required is <code>maxPartHeaderSize</code> x
+      <code>maxPartCount</code> x <code>maxConnections</code> x 2 (due to the
+      implementation). For the defaults that is <code>512 x 50 x 8192 x 
2</code>
+      which is 400MB.</p>
     </attribute>
 
     <attribute name="maxPartHeaderSize" required="false">
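Review bot: The added memory guidance gives a bound that does not exist for a setting the preceding context explicitly allows: "A value of less than 0 means no limit." With maxPartCount unlimited the product has no upper value, so the paragraph should say that the estimate only holds for a non-negative maxPartCount and that the no-limit setting removes this protection. The paragraph is also a verbatim copy of the one added to ajp.xml; if the defaults or the factor of 2 change later, both copies have to be updated together, which is worth a comment in the XML or a single shared description.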

