On 23/03/2023 20:20, Christopher Schultz wrote:
Mark,

On 3/22/23 07:38, Mark Thomas wrote:
Any more thoughts on this?

There hasn't been much movement from the spec EG on this, so my current thinking is to revert this change for 10.1.x and earlier to wait and see what the Servlet EG decides.

I'd like to leave our changes in, but I understand that Konstantin has a good point about silently discarding parameters.

There is no particular reason not to implement option (c) (throw RuntimeException if the maximum number of parameters is exceeded). Anyone affected by it can change the setting, and an appropriate error message can direct operators to that setting to make it easy.

The problem with option c) is that there would be no way for someone to get back to the current behaviour of accepting the first 10,000 parameters and then silently swallowing the rest. I agree that seems unlikely but with such a wide user-base I wouldn't be surprised if that was a problem for a few users.

Which brings us back to Konstantin's point that this really needs to be configurable. I hope that is the direction the Servlet EG is going to head in but wherever the EG ends up, it isn't going to get there in time for the April releases.

I did think of another possible interim option this morning:

- leave 11.0.x as is with a hard-coded limit of 1,000
- for 10.1.x and earlier
  - revert the change to the hard-coded limit
  - configure a lower limit of 1,000 in server.xml
  - review next steps once the Servlet EG has decided on a plan for
    Servlet 6.1

This effectively introduces the lower limit for "new" users. Upgrading users will retain their current limit but should see the entry in the change log, the note in the migration guide and the diff in server.xml. We can also call it out as one of the key changes in the release announcement.

Mark
