HwangRock opened a new pull request, #1027: URL: https://github.com/apache/tomcat/pull/1027
HTTP/2 has a `maxTrailerCount` attribute (default 100) that limits the number of trailing headers in a request, but HTTP/1.1 has no equivalent. On HTTP/1.1 the chunked trailers are bounded only by `maxTrailerSize` (bytes), so the number of trailer fields is effectively unlimited within that byte budget.

Regular HTTP/1.1 headers already have a count limit through `maxHeaderCount`, and the commit message of 2aa5f6bbb4 noted that `maxHeaderCount` and `maxTrailerCount` could be added to HTTP/1.1 "at some point". `maxHeaderCount` was added since; `maxTrailerCount` was not.

This adds `maxTrailerCount` to the HTTP/1.1 connector, mirroring the HTTP/2 attribute. The value is threaded from `AbstractHttp11Protocol` through `Http11Processor` into `ChunkedInputFilter`, which counts the trailer fields as they are parsed and fails the request with a 400 once the limit is exceeded. It reuses the same parse loop that already enforces `maxTrailerSize`, so the enforcement and error path match the existing trailer handling.

The default is 100, matching `maxHeaderCount` and the HTTP/2 equivalent. This does change behaviour: a request with more than 100 trailers that previously passed (within the `maxTrailerSize` byte limit) is now rejected. A value less than 0 disables the limit. I went with 100 for consistency, but I'm happy to default it to -1 if leaving the existing behaviour unchanged is preferred.

Tests in `TestChunkedInputFilter` cover below/at/above the limit, the disabled (-1) case, the zero case, and a check that trailers under the limit are still parsed. A changelog entry is included.
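The count check described in the pull request above, as a stand-alone sketch added here for illustration; it is not Tomcat's `ChunkedInputFilter` code or the PR's diff. The class, method and exception names are hypothetical, the byte check is simplified to a single up-front comparison, and the 8192-byte budget and 300-field input are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

public class TrailerLimitSketch {

    /** Hypothetical exception: raised where a server would answer 400 Bad Request. */
    static class BadRequestException extends Exception {
        BadRequestException(String msg) { super(msg); }
    }

    /**
     * Parses the trailer section that follows the last chunk of a chunked body.
     * maxTrailerSize bounds the bytes; maxTrailerCount bounds the number of fields,
     * and a negative maxTrailerCount disables the count check.
     */
    static Map<String, String> parseTrailers(byte[] section, int maxTrailerSize, int maxTrailerCount)
            throws BadRequestException {
        if (section.length > maxTrailerSize) {
            throw new BadRequestException("trailer section exceeds maxTrailerSize");
        }
        Map<String, String> trailers = new LinkedHashMap<>();
        int count = 0;
        for (String line : new String(section, StandardCharsets.ISO_8859_1).split("\r\n")) {
            if (line.isEmpty()) break; // blank line ends the trailer section
            int colon = line.indexOf(':');
            if (colon <= 0) throw new BadRequestException("malformed trailer field");
            // Count each field as it is parsed: "at the limit" passes, "above" fails.
            // With a limit of 0 this comparison rejects the first trailer field.
            count++;
            if (maxTrailerCount >= 0 && count > maxTrailerCount) {
                throw new BadRequestException("more than " + maxTrailerCount + " trailer fields");
            }
            trailers.put(line.substring(0, colon).trim(), line.substring(colon + 1).trim());
        }
        return trailers;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: 300 tiny trailer fields, about 2.6 KB, well inside the byte budget.
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < 300; i++) sb.append("x").append(i).append(": a\r\n");
        byte[] section = sb.append("\r\n").toString().getBytes(StandardCharsets.ISO_8859_1);

        System.out.println("count disabled: " + parseTrailers(section, 8192, -1).size() + " fields");
        try {
            parseTrailers(section, 8192, 100);
        } catch (BadRequestException e) {
            System.out.println("count limit 100: rejected (" + e.getMessage() + ")");
        }
    }
}
```

The constructed request passes the byte check in both calls; only the count check separates the accepted case from the rejected one.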
