(tomcat) branch 9.0.x updated: Clarify the docs for maxPostSize

Wed, 10 Sep 2025 04:50:10 -0700 

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
     new 7580f58d99 Clarify the docs for maxPostSize
7580f58d99 is described below

commit 7580f58d9938c3249264dcb533aeeb719bc7971e
Author: Mark Thomas <[email protected]>
AuthorDate: Wed Sep 10 12:18:02 2025 +0100

    Clarify the docs for maxPostSize
---
 webapps/docs/changelog.xml      |  8 ++++++++
 webapps/docs/config/ajp.xml     | 17 +++++++++++++----
 webapps/docs/config/context.xml |  7 ++++---
 webapps/docs/config/http.xml    | 17 +++++++++++++----
 webapps/docs/security-howto.xml |  6 +++---
 5 files changed, 41 insertions(+), 14 deletions(-)

diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 33176a8af0..38736cde37 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -129,6 +129,14 @@
       </update>
     </changelog>
   </subsection>
+  <subsection name="Web applications">
+    <changelog>
+      <fix>
+        Documentation. Clarify the purpose of the <code>maxPostSize</code>
+        attribute of the <code>Connector</code> element. (markt)
+      </fix>
+    </changelog>
+  </subsection>
 </section>
 <section name="Tomcat 9.0.109 (remm)" rtext="release in progress">
   <subsection name="Catalina">
diff --git a/webapps/docs/config/ajp.xml b/webapps/docs/config/ajp.xml
index 8686dd2a68..84a73dadce 100644
--- a/webapps/docs/config/ajp.xml
+++ b/webapps/docs/config/ajp.xml
@@ -204,10 +204,19 @@
     </attribute>
 
     <attribute name="maxPostSize" required="false">
-      <p>The maximum size in bytes of the POST which will be handled by
-      the container FORM URL parameter parsing. The limit can be disabled by
-      setting this attribute to a value less than zero. If not specified, this
-      attribute is set to 2097152 (2 MiB). Note that the
+      <p>This is the maximum number of request body bytes that will be 
converted
+      into request parameters by Tomcat. This limit only applies in specific
+      circumstances and is <strong>not</strong> a general limit on request body
+      size for POST requests. The limit only applies when Tomcat is processing
+      the request body for parameters as per section 3.1.1
+      (<code>application/x-www-form-urlencoded</code>) or section 3.2
+      (<code>multipart/form-data</code>) of the Servlet specification. In the
+      <code>multipart/form-data</code> case, the limit only applies to the data
+      used to generate the parameters that are made available through the
+      <code>getParameter()</code> family of methods.</p>
+      <p>The limit can be disabled by setting this attribute to a value less
+      than zero. If not specified, this attribute is set to 2097152 (2 MiB).
+      Note that the
       <a 
href="filter.html#Failed_Request_Filter"><code>FailedRequestFilter</code></a>
       can be used to reject requests that exceed this limit.</p>
     </attribute>
diff --git a/webapps/docs/config/context.xml b/webapps/docs/config/context.xml
index 70709db019..0503b552e5 100644
--- a/webapps/docs/config/context.xml
+++ b/webapps/docs/config/context.xml
@@ -626,9 +626,10 @@
         client connection. This setting is used in the following situations:
         </p>
         <ul>
-        <li>the size of the request body is larger than the
-            <code>maxPostSize</code> configured in the connector</li>
-        <li>the size limit of a MultiPart upload is reached</li>
+        <li>Tomcat is automatically processing the request body for parameters
+            and size of the request body data converted to parameters is larger
+            than the <code>maxPostSize</code> configured in the connector</li>
+        <li>a size limit of a MultiPart upload is reached</li>
         <li>the servlet sets the response status to 413 (Request Entity Too
             Large) </li>
         </ul>
diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml
index 5b1246046c..35019594b7 100644
--- a/webapps/docs/config/http.xml
+++ b/webapps/docs/config/http.xml
@@ -202,10 +202,19 @@
     </attribute>
 
     <attribute name="maxPostSize" required="false">
-      <p>The maximum size in bytes of the POST which will be handled by
-      the container FORM URL parameter parsing. The limit can be disabled by
-      setting this attribute to a value less than zero. If not specified, this
-      attribute is set to 2097152 (2 MiB). Note that the
+      <p>This is the maximum number of request body bytes that will be 
converted
+      into request parameters by Tomcat. This limit only applies in specific
+      circumstances and is <strong>not</strong> a general limit on request body
+      size for POST requests. The limit only applies when Tomcat is processing
+      the request body for parameters as per section 3.1.1
+      (<code>application/x-www-form-urlencoded</code>) or section 3.2
+      (<code>multipart/form-data</code>) of the Servlet specification. In the
+      <code>multipart/form-data</code> case, the limit only applies to the data
+      used to generate the parameters that are made available through the
+      <code>getParameter()</code> family of methods.</p>
+      <p>The limit can be disabled by setting this attribute to a value less
+      than zero. If not specified, this attribute is set to 2097152 (2 MiB).
+      Note that the
       <a 
href="filter.html#Failed_Request_Filter"><code>FailedRequestFilter</code></a>
       can be used to reject requests that exceed this limit.</p>
     </attribute>
diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml
index 4cd7375228..7ea2f4bf9c 100644
--- a/webapps/docs/security-howto.xml
+++ b/webapps/docs/security-howto.xml
@@ -310,9 +310,9 @@
       <a href="config/filter.html">FailedRequestFilter</a>.</p>
 
       <p>The <strong>maxPostSize</strong> attribute controls the maximum size
-      of a POST request that will be parsed for parameters. The parameters are
-      cached for the duration of the request so this is limited to 2 MiB by
-      default to reduce exposure to a DoS attack.</p>
+      of data from a POST request that will be parsed for request parameters.
+      The parameters are cached for the duration of the request so this is
+      limited to 2 MiB by default to reduce exposure to a DoS attack.</p>
 
       <p>The <strong>maxSavePostSize</strong> attribute controls the saving of
       the request body during FORM and CLIENT-CERT authentication and HTTP/1.1


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to