markt-asf commented on PR #203: URL: https://github.com/apache/commons-fileupload/pull/203#issuecomment-1438293083
Both file parts and field parts trigger the DoS (with minor variations in the details) so both need to be limited. The application developer should have a sense for how many fields+files are required so it should be possible to pick an appropriate limit for the application. There is plenty of headroom so it should be possible to set the limit high enough that normal users are not affected but low enough that a malicious user can't trigger the DoS. Tomcat, for example, integrated this with the maxParameterCount attribute (default 10,000) so the total number of query string parameters + field parts + file parts is limited to 10,000. That should be more than sufficient for nearly all applications while still being several orders of magnitude below the point where DoS effects will be observed.
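An added illustration of the mitigation described in the comment above (example code, not part of the PR or of Commons FileUpload): a scanner that counts field parts and file parts against a single budget, in the spirit of Tomcat's maxParameterCount, and rejects the request as soon as the budget is exceeded rather than after processing every part. The boundary string, the sample bodies and the `build_body` helper are constructed for this example.

```python
import re


class TooManyPartsError(Exception):
    """Raised once a multipart body exceeds the configured part budget."""


def count_parts(body: bytes, boundary: bytes, max_parts: int) -> dict:
    """Scan a multipart/form-data body and count field vs. file parts.

    Field and file parts share one budget (max_parts). The scan raises as
    soon as the budget is crossed, so the rest of a hostile body is never
    examined; a truncated part simply ends the scan.
    """
    delimiter = b"--" + boundary
    fields = files = 0
    pos = 0
    while True:
        start = body.find(delimiter, pos)
        if start == -1:
            break
        after = start + len(delimiter)
        if body.startswith(b"--", after):    # closing delimiter: end of body
            break
        header_end = body.find(b"\r\n\r\n", after)
        if header_end == -1:
            break                            # truncated part: stop scanning
        if fields + files + 1 > max_parts:
            raise TooManyPartsError(f"more than {max_parts} parts in request")
        headers = body[after:header_end].decode("latin-1")
        if re.search(r"filename=", headers, re.IGNORECASE):
            files += 1                       # Content-Disposition with filename
        else:
            fields += 1                      # plain form field
        pos = header_end + 4
    return {"fields": fields, "files": files}


def build_body(boundary: bytes, parts) -> bytes:
    """Constructed helper: assemble a body from (name, filename, data) tuples."""
    out = b""
    for name, filename, data in parts:
        disp = f'form-data; name="{name}"' + (f'; filename="{filename}"' if filename else "")
        out += b"--" + boundary + b"\r\nContent-Disposition: " + disp.encode() + b"\r\n\r\n" + data + b"\r\n"
    return out + b"--" + boundary + b"--\r\n"


BOUNDARY = b"----ConstructedBoundary"
# Constructed benign upload: two text fields and one small file.
BENIGN = build_body(BOUNDARY, [("user", None, b"alice"), ("note", None, b"hi"), ("doc", "a.txt", b"x")])
# Constructed hostile request: many tiny field parts, the pattern the limit is meant to stop.
HOSTILE = build_body(BOUNDARY, [(f"f{i}", None, b"") for i in range(50)])
```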
