markt-asf commented on PR #753:
URL: https://github.com/apache/tomcat/pull/753#issuecomment-2352850075

> The parameter count limit is there to protect Tomcat from a DoS caused by hash collisions (right?).

Hash collisions were why the 10k limit was put in place - [CVE-2012-0022](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0022). That was chosen as the largest round number that was low enough to avoid the hash collision issue.

The further reduction to 1k was on the basis that very few apps need the limit that high and there is a memory cost to handling parameters. The aim was to reduce the minimum amount of RAM Tomcat needed to have and still be able to handle default maximum concurrent requests with default maximum parameters each.

Like all the Tomcat defaults, it is a trade-off.
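To make the trade-off described in the comment concrete, here is an added example (not Tomcat's own parameter-parsing code, and not part of the PR) of a query-string parser that counts parameters before storing them and refuses to go past a configured limit. Because the count is checked before each name/value pair is inserted into the map, the map never grows beyond the limit, which is what bounds both the per-request memory cost and the amount of hash-table work an attacker can force with colliding keys. The class name `BoundedQueryParser`, the exception type and the constructed 1001-parameter input are all assumptions made for this illustration; in Tomcat the equivalent knob is the Connector's `maxParameterCount` attribute, and Tomcat itself stops parsing and flags the request rather than throwing from the parser.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/** Hypothetical bounded query-string parser; not Tomcat's own implementation. */
public final class BoundedQueryParser {

    /** Thrown when the parameter count exceeds the configured limit. */
    public static final class TooManyParametersException extends RuntimeException {
        TooManyParametersException(int limit) {
            super("parameter count exceeds limit of " + limit);
        }
    }

    private final int maxParameterCount;

    public BoundedQueryParser(int maxParameterCount) {
        this.maxParameterCount = maxParameterCount;
    }

    /** Parses "a=1&b=2&a=3" into {a=[1, 3], b=[2]}, rejecting once the limit is exceeded. */
    public Map<String, List<String>> parse(String query) {
        Map<String, List<String>> params = new LinkedHashMap<>();
        if (query == null || query.isEmpty()) {
            return params;
        }
        int count = 0;
        int start = 0;
        while (start <= query.length()) {
            int end = query.indexOf('&', start);
            if (end < 0) {
                end = query.length();
            }
            String pair = query.substring(start, end);
            if (!pair.isEmpty()) {
                // Count before storing: the map never holds more than the limit,
                // so memory and hash-collision work are both bounded per request.
                if (++count > maxParameterCount) {
                    throw new TooManyParametersException(maxParameterCount);
                }
                int eq = pair.indexOf('=');
                String name = eq < 0 ? pair : pair.substring(0, eq);
                String value = eq < 0 ? "" : pair.substring(eq + 1);
                params.computeIfAbsent(decode(name), k -> new ArrayList<>()).add(decode(value));
            }
            start = end + 1;
        }
        return params;
    }

    private static String decode(String s) {
        return URLDecoder.decode(s, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // 1000 mirrors the reduced default discussed in the comment.
        BoundedQueryParser parser = new BoundedQueryParser(1000);
        System.out.println(parser.parse("a=1&b=2&a=3"));

        // Constructed input: 1001 distinct parameters, one over the limit.
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < 1001; i++) {
            if (i > 0) {
                sb.append('&');
            }
            sb.append("p").append(i).append("=x");
        }
        try {
            parser.parse(sb.toString());
        } catch (TooManyParametersException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point of checking the count before the insert, rather than after parsing everything, is that a request carrying far more parameters than the limit costs the server only the work of scanning up to the limit plus one; the remaining bytes are never decoded or hashed.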
