This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
     new bda89919e5 BZ 69710 Increase default maxPartCount to 50
bda89919e5 is described below

commit bda89919e595f8d3f0e4cb7d8380fc8eb66de60b
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue Jun 24 09:52:52 2025 +0100

    BZ 69710 Increase default maxPartCount to 50
    
    Document memory requirements for multipart requests
    
    https://bz.apache.org/bugzilla/show_bug.cgi?id=69710
---
 java/org/apache/catalina/connector/Connector.java |  2 +-
 webapps/docs/changelog.xml                        |  6 ++++++
 webapps/docs/config/ajp.xml                       | 12 +++++++++++-
 webapps/docs/config/http.xml                      | 12 +++++++++++-
 4 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/java/org/apache/catalina/connector/Connector.java 
b/java/org/apache/catalina/connector/Connector.java
index 59565abf10..ba517710fc 100644
--- a/java/org/apache/catalina/connector/Connector.java
+++ b/java/org/apache/catalina/connector/Connector.java
@@ -204,7 +204,7 @@ public class Connector extends LifecycleMBeanBase {
      */
     protected int maxParameterCount = 10000;
 
-    private int maxPartCount = 10;
+    private int maxPartCount = 50;
 
     private int maxPartHeaderSize = 512;
 
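Review bot: The maxPartCount field has no comment, unlike maxParameterCount just above it, and this line raises its default fivefold. A short Javadoc on the field noting that the value feeds the memory estimate documented for the connector (maxPartHeaderSize x maxPartCount x maxConnections x 2) would keep the code and the configuration docs in step the next time the default changes.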
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 20f75e931b..5c83a19304 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -126,6 +126,12 @@
   </subsection>
   <subsection name="Coyote">
     <changelog>
+      <fix>
+        <bug>69710</bug>: Increase the default for <code>maxPartCount</code>
+        from <code>10</code> to <code>50</code>. Update the documentation to
+        provide more details on the memory requirements to support multi-part
+        uploads while avoiding a denial of service risk. (markt)
+      </fix>
       <fix>
         <bug>69713</bug>: Correctly handle an HTTP/2 data frame that includes
         padding when the headers include a content-length. (remm/markt)
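Review bot: The new changelog entry gives the new default but not its consequence for deployments that never set maxPartCount. By the guide this commit adds to the connector docs, their worst-case memory requirement for multipart requests rises by a factor of five on upgrade. Consider stating the 400MB default figure (800MB on Java 8) in the entry, or noting that operators with constrained heaps may want to set maxPartCount explicitly.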
diff --git a/webapps/docs/config/ajp.xml b/webapps/docs/config/ajp.xml
index 14ce080f37..c1224836f3 100644
--- a/webapps/docs/config/ajp.xml
+++ b/webapps/docs/config/ajp.xml
@@ -180,7 +180,17 @@
       content type is <code>multipart/form-data</code>. This limit is in
       addition to <code>maxParameterCount</code>. Requests that exceed this
       limit will be rejected. A value of less than 0 means no limit. If not
-      specified, a default of 10 is used.</p>
+      specified, a default of 50 is used.</p>
+      <p>The nature of multipart requests and the associated Servlet API
+      requirements for processing them is such that they can place a 
significant
+      demand on memory. Applications utilising multipart requests need to 
ensure
+      sufficient memory is available to avoid a potential denial of service. As
+      a guide, the memory required is <code>maxPartHeaderSize</code> x
+      <code>maxPartCount</code> x <code>maxConnections</code> x 2 (due to the
+      implementation). For the defaults that is <code>512 x 50 x 8192 x 
2</code>
+      which is 400MB. If running on Java 8, this is increased by a further
+      factor of 2 due to the way Java stores Strings internally which increases
+      the default memory requirements to 800MB.</p>
     </attribute>
 
     <attribute name="maxPartHeaderSize" required="false">
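Review bot: In the added paragraph the formula carries no unit, and the factor of 2 is explained only as "due to the implementation". 512 x 50 x 8192 x 2 is 419,430,400, so the result is in bytes and "400MB" means 400 MiB. Saying so, and naming what the factor of 2 accounts for, would let readers recompute the requirement for their own maxPartHeaderSize and maxConnections values.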
diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml
index a12c740fc1..ad3eb9234c 100644
--- a/webapps/docs/config/http.xml
+++ b/webapps/docs/config/http.xml
@@ -178,7 +178,17 @@
       content type is <code>multipart/form-data</code>. This limit is in
       addition to <code>maxParameterCount</code>. Requests that exceed this
       limit will be rejected. A value of less than 0 means no limit. If not
-      specified, a default of 10 is used.</p>
+      specified, a default of 50 is used.</p>
+      <p>The nature of multipart requests and the associated Servlet API
+      requirements for processing them is such that they can place a 
significant
+      demand on memory. Applications utilising multipart requests need to 
ensure
+      sufficient memory is available to avoid a potential denial of service. As
+      a guide, the memory required is <code>maxPartHeaderSize</code> x
+      <code>maxPartCount</code> x <code>maxConnections</code> x 2 (due to the
+      implementation). For the defaults that is <code>512 x 50 x 8192 x 
2</code>
+      which is 400MB. If running on Java 8, this is increased by a further
+      factor of 2 due to the way Java stores Strings internally which increases
+      the default memory requirements to 800MB.</p>
     </attribute>
 
     <attribute name="maxPartHeaderSize" required="false">
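Review bot: The unchanged sentence just above the added paragraph says a value of less than 0 means no limit, and the new memory guide does not cover that case: with maxPartCount unlimited the formula gives no upper bound. Suggest adding a sentence to the new paragraph stating that a negative value removes the bound the estimate relies on. The paragraph is also a verbatim copy of the one added to ajp.xml, so any later change to the default or the formula has to be made in both files.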

