This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push: new 9ad0d9ce0d More doc improvements for maxPartCount 9ad0d9ce0d is described below commit 9ad0d9ce0d1365b40270ff9ddfda3e5b3210fee8 Author: Mark Thomas <ma...@apache.org> AuthorDate: Tue Jun 24 10:12:57 2025 +0100 More doc improvements for maxPartCount --- webapps/docs/config/ajp.xml | 11 +++++++---- webapps/docs/config/http.xml | 11 +++++++---- webapps/docs/security-howto.xml | 11 ++++++++++- 3 files changed, 24 insertions(+), 9 deletions(-) diff --git a/webapps/docs/config/ajp.xml b/webapps/docs/config/ajp.xml index c1224836f3..8686dd2a68 100644 --- a/webapps/docs/config/ajp.xml +++ b/webapps/docs/config/ajp.xml @@ -170,7 +170,7 @@ <code>application/x-www-form-urlencoded</code> or <code>multipart/form-data</code>. Request parameters beyond this limit will be ignored. A value of less than 0 means no limit. If not specified, - a default of 10000 is used. Note that <code>FailedRequestFilter</code> + a default of 10000 is used. The <code>FailedRequestFilter</code> <a href="filter.html">filter</a> can be used to reject requests that exceed the limit.</p> </attribute> 
@@ -178,9 +178,12 @@ <attribute name="maxPartCount" required="false"> <p>The maximum total number of parts permitted in a request where the content type is <code>multipart/form-data</code>. This limit is in - addition to <code>maxParameterCount</code>. Requests that exceed this - limit will be rejected. A value of less than 0 means no limit. If not - specified, a default of 50 is used.</p> + addition to <code>maxParameterCount</code>. A value of less than 0 means + no limit. If not specified, a default of 50 is used. Requests that exceed + this limit may be ignored depending on how the application processes the + request. The <code>FailedRequestFilter</code> + <a href="filter.html">filter</a> can be used to always reject requests + that exceed the limit.</p> <p>The nature of multipart requests and the associated Servlet API requirements for processing them is such that they can place a significant demand on memory. Applications utilising multipart requests need to ensure diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml index ad3eb9234c..5b1246046c 100644 --- a/webapps/docs/config/http.xml +++ b/webapps/docs/config/http.xml @@ -168,7 +168,7 @@ <code>application/x-www-form-urlencoded</code> or <code>multipart/form-data</code>. Request parameters beyond this limit will be ignored. A value of less than 0 means no limit. If not specified, - a default of 10000 is used. Note that <code>FailedRequestFilter</code> + a default of 10000 is used. The <code>FailedRequestFilter</code> <a href="filter.html">filter</a> can be used to reject requests that exceed the limit.</p> </attribute> 
@@ -176,9 +176,12 @@ <attribute name="maxPartCount" required="false"> <p>The maximum total number of parts permitted in a request where the content type is <code>multipart/form-data</code>. This limit is in - addition to <code>maxParameterCount</code>. Requests that exceed this - limit will be rejected. A value of less than 0 means no limit. If not - specified, a default of 50 is used.</p> + addition to <code>maxParameterCount</code>. A value of less than 0 means + no limit. If not specified, a default of 50 is used. Requests that exceed + this limit may be ignored depending on how the application processes the + request. The <code>FailedRequestFilter</code> + <a href="filter.html">filter</a> can be used to always reject requests + that exceed the limit.</p> <p>The nature of multipart requests and the associated Servlet API requirements for processing them is such that they can place a significant demand on memory. Applications utilising multipart requests need to ensure diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml index 7839cd6aa6..a56ad7bc29 100644 --- a/webapps/docs/security-howto.xml +++ b/webapps/docs/security-howto.xml 
@@ -292,10 +292,19 @@ non-default value when behind a reverse proxy may enable an attacker to bypass any security constraints enforced by the proxy.</p> + <p>The <strong>maxPartCount</strong> attribute controls the maximum number + of parts supported for a multipart request. This is limited to 50 by + default to reduce exposure to a DoS attack. The documentation for + <strong>maxPartCount</strong> provides more details on the memory + requirements for processing multipart requests. Excessive parts mmay be + ignored depending on how the application processes the request. If you + want to always reject such requests, configure a + <a href="config/filter.html">FailedRequestFilter</a>.</p> + <p>The <strong>maxPostSize</strong> attribute controls the maximum size of a POST request that will be parsed for parameters. The parameters are cached for the duration of the request so this is limited to 2 MiB by - default to reduce exposure to a DOS attack.</p> + default to reduce exposure to a DoS attack.</p> <p>The <strong>maxSavePostSize</strong> attribute controls the saving of the request body during FORM and CLIENT-CERT authentication and HTTP/1.1 --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
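Review bot: In the maxPartCount paragraph of config/ajp.xml (hunk at -178) and the identical text in config/http.xml (hunk at -176), the new sentence "Requests that exceed this limit may be ignored depending on how the application processes the request" does not say what is ignored or which way of processing leads to which outcome. The text it replaces said such requests "will be rejected", so a reader can no longer tell whether an over-limit request still reaches application code. Suggest stating the outcome for each case. Also note that security-howto.xml in this same commit says "Excessive parts" are ignored, while these two files say "Requests" are ignored; the three paragraphs should use the same subject.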
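Review bot: Typo in the added maxPartCount paragraph of security-howto.xml: "Excessive parts mmay be ignored" should read "may". The same paragraph says "The documentation for maxPartCount provides more details on the memory requirements" without linking to that documentation, although FailedRequestFilter is linked two sentences later; linking the attribute name to the connector page under config/ would save the reader a search.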