2012/9/28 Andrew Todd <andrew.todd...@gmail.com>: > I have a question about maxHttpHeaderSize [0]. In Apache httpd, there > are two different parameters that affect the maximum size of an HTTP > header, limitRequestFieldSize and limitRequestLine. [1] These > configuration values specify about 8 kilobytes per _line_ in the > incoming request. However, in Tomcat, maxHttpHeaderSize seems to > specify the maximum length of the entire incoming header, also at > around 8 kilobytes. So httpd will, by default, accept a much bigger > header than Tomcat will. > > Is that an accurate understanding of the configuration? If I want to > expand the maximum URL and header lengths that I can accept in Tomcat, > should I change the value of maxHttpHeaderSize? Thanks. >
Yes. In Tomcat each request processor has a byte buffer and all the headers must fit into that buffer. The size of the buffer is essentially specified by the maxHttpHeaderSize attribute. (The actual buffer is larger due to some additional margins being taken into account). The bytes in the buffer are passed by reference (see ByteChunk). Conversion from bytes to Strings for headers is performed lazily. So the buffer cannot be reused for subsequent headers and thus is the limitation. The configuration reference [0] does not say it, but IIRC the request line is placed into the same buffer and is subjected to the same limit together with the headers. > > [0] https://tomcat.apache.org/tomcat-7.0-doc/config/http.html > [1] https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize Best regards, Konstantin Kolinko --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org