This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.1.x by this push: new 8057c98f85 More doc improvements for maxPartCount 8057c98f85 is described below commit 8057c98f85699891e5a59d2b93f795020c393164 Author: Mark Thomas <ma...@apache.org> AuthorDate: Tue Jun 24 10:12:57 2025 +0100 More doc improvements for maxPartCount --- webapps/docs/config/ajp.xml | 11 +++++++---- webapps/docs/config/http.xml | 11 +++++++---- webapps/docs/security-howto.xml | 11 ++++++++++- 3 files changed, 24 insertions(+), 9 deletions(-) diff --git a/webapps/docs/config/ajp.xml b/webapps/docs/config/ajp.xml index 69140c419c..8c8a1f58bf 100644 --- a/webapps/docs/config/ajp.xml +++ b/webapps/docs/config/ajp.xml @@ -183,7 +183,7 @@ <code>application/x-www-form-urlencoded</code> or <code>multipart/form-data</code>. Request parameters beyond this limit will be ignored. A value of less than 0 means no limit. If not specified, - a default of 10000 is used. Note that <code>FailedRequestFilter</code> + a default of 10000 is used. The <code>FailedRequestFilter</code> <a href="filter.html">filter</a> can be used to reject requests that exceed the limit.</p> </attribute> 
@@ -191,9 +191,12 @@ <attribute name="maxPartCount" required="false"> <p>The maximum total number of parts permitted in a request where the content type is <code>multipart/form-data</code>. This limit is in - addition to <code>maxParameterCount</code>. Requests that exceed this - limit will be rejected. A value of less than 0 means no limit. If not - specified, a default of 50 is used.</p> + addition to <code>maxParameterCount</code>. A value of less than 0 means + no limit. If not specified, a default of 50 is used. Requests that exceed + this limit may be ignored depending on how the application processes the + request. The <code>FailedRequestFilter</code> + <a href="filter.html">filter</a> can be used to always reject requests + that exceed the limit.</p> <p>The nature of multipart requests and the associated Servlet API requirements for processing them is such that they can place a significant demand on memory. Applications utilising multipart requests need to ensure diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml index 09a1c858bd..8d2e6a7395 100644 --- a/webapps/docs/config/http.xml +++ b/webapps/docs/config/http.xml @@ -179,7 +179,7 @@ <code>application/x-www-form-urlencoded</code> or <code>multipart/form-data</code>. Request parameters beyond this limit will be ignored. A value of less than 0 means no limit. If not specified, - a default of 10000 is used. Note that <code>FailedRequestFilter</code> + a default of 10000 is used. The <code>FailedRequestFilter</code> <a href="filter.html">filter</a> can be used to reject requests that exceed the limit.</p> </attribute> 
@@ -187,9 +187,12 @@ <attribute name="maxPartCount" required="false"> <p>The maximum total number of parts permitted in a request where the content type is <code>multipart/form-data</code>. This limit is in - addition to <code>maxParameterCount</code>. Requests that exceed this - limit will be rejected. A value of less than 0 means no limit. If not - specified, a default of 50 is used.</p> + addition to <code>maxParameterCount</code>. A value of less than 0 means + no limit. If not specified, a default of 50 is used. Requests that exceed + this limit may be ignored depending on how the application processes the + request. The <code>FailedRequestFilter</code> + <a href="filter.html">filter</a> can be used to always reject requests + that exceed the limit.</p> <p>The nature of multipart requests and the associated Servlet API requirements for processing them is such that they can place a significant demand on memory. Applications utilising multipart requests need to ensure diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml index 049e2a73a1..575ac1adcd 100644 --- a/webapps/docs/security-howto.xml +++ b/webapps/docs/security-howto.xml 
@@ -304,10 +304,19 @@ will interpret as UTF-7 a response containing characters that are safe for ISO-8859-1 but trigger an XSS vulnerability if interpreted as UTF-7.</p> + <p>The <strong>maxPartCount</strong> attribute controls the maximum number + of parts supported for a multipart request. This is limited to 50 by + default to reduce exposure to a DoS attack. The documentation for + <strong>maxPartCount</strong> provides more details on the memory + requirements for processing multipart requests. Excessive parts mmay be + ignored depending on how the application processes the request. If you + want to always reject such requests, configure a + <a href="config/filter.html">FailedRequestFilter</a>.</p> + <p>The <strong>maxPostSize</strong> attribute controls the maximum size of a POST request that will be parsed for parameters. The parameters are cached for the duration of the request so this is limited to 2 MiB by - default to reduce exposure to a DOS attack.</p> + default to reduce exposure to a DoS attack.</p> <p>The <strong>maxSavePostSize</strong> attribute controls the saving of the request body during FORM and CLIENT-CERT authentication and HTTP/1.1 --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
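Review bot: In the maxPartCount hunks of config/ajp.xml and config/http.xml, the new sentence "Requests that exceed this limit may be ignored depending on how the application processes the request" leaves "ignored" undefined. It replaces "will be rejected", so a reader can no longer tell what happens to an over-limit request when the filter is not configured. Suggest saying what is ignored (the whole request, or only the parts beyond the limit; the security-howto.xml text in this same commit says "Excessive parts") and what the application observes in that case. The neighbouring maxParameterCount text says the filter "can be used to reject" while this text says "can be used to always reject"; aligning the two would show whether the filter behaves the same way for both limits.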
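Review bot: Typo in the added security-howto.xml paragraph: "Excessive parts mmay be ignored" should read "may". The subject of that sentence is the parts, whereas the ajp.xml and http.xml text added in this commit says "Requests that exceed this limit may be ignored"; use one wording so the three pages agree. Because this paragraph presents the default of 50 as DoS mitigation, consider stating directly that an over-limit request is only guaranteed to be rejected when FailedRequestFilter is configured, instead of leaving that to be inferred from "If you want to always reject such requests".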