https://bz.apache.org/bugzilla/show_bug.cgi?id=69710
--- Comment #25 from Paolo B. <pi...@tiscali.it> ---
Hello to everybody,

I'm very much in agreement with those who commented before me. I understand the discussion around CVEs, and I too want to thank everyone for the effort in maintaining Tomcat, such a long-standing project that I've also been using for many years as my only application server.

I just wanted to add that, perhaps, to mitigate this situation, it might be better to reformulate all the parameters in a way that achieves the same result while breaking as few webapps as possible.

Here's my first consideration: a real-world webapp or REST service cannot handle 8192 *concurrent* requests with just a few MB of dedicated memory. Surely, before hitting the memory limit, there will be issues with CPU, networking, and I/O depending on the type of application. A real-world webapp typically does several things, so after processing each request, various other system resources will be used (DB, filesystem, etc.), unless you're in a multi-tier environment. And if a webapp needs to handle 8k "real concurrent requests", it surely has a development team that will have already customized all the parameters manually.

So, my proposal is as follows:

maxConnections: 1000
maxPartHeaderSize: 1024
maxPartCount: 100

Based on your previous formula, we get: 1k x 100 x 1000 x 2 =~ 200 MB

If you're really sure that 512 bytes are enough for multipart request headers, the following values could do the math:

maxConnections: 2500
maxPartHeaderSize: 512
maxPartCount: 100

Based on your previous formula, we get: 0.5k x 100 x 2500 x 2 =~ 250 MB

Bonus tips:
1) explain that these new parameters will limit all multipart parameters and not only the uploaded files
2) rename FileCountLimitExceededException to MultipartParametersExceededException
3) be sure that it will be logged by Tomcat (for example, JSF hides this exception at the moment)

Cheers to everyone
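As an added illustration, not part of the comment above nor taken from the Tomcat project's own documentation: the two proposals from the comment written out as attributes on an HTTP Connector in server.xml. It assumes that maxConnections, maxPartCount and maxPartHeaderSize are all Connector-level attributes (the comment names them as parameters but does not show where they are set), and the worst-case figures in the comments simply repeat the comment's own formula.

```xml
<!-- Added example: the comment's first proposal applied to a Connector.
     Assumption: maxPartCount / maxPartHeaderSize are Connector attributes.
     Worst case per the comment's formula: 1024 B x 100 parts x 1000 conns x 2 ~= 200 MB -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           maxConnections="1000"
           maxPartCount="100"
           maxPartHeaderSize="1024" />

<!-- Added example: the comment's second proposal, keeping 512-byte part headers.
     Worst case per the comment's formula: 512 B x 100 parts x 2500 conns x 2 ~= 250 MB -->
<Connector port="8081" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           maxConnections="2500"
           maxPartCount="100"
           maxPartHeaderSize="512" />
```

Whichever combination is chosen, the product of the three values (times the constant factor from the formula referenced in the comment) is the number to keep in view when comparing it against the heap actually allocated to the JVM.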