Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-88259

Multipart requests are subject to a limit of 256 parts


      UPDATE 2024-01-16: We have shipped a follow-up fix in Confluence 8.5.5 and 8.7.2 which raises this limit to 10,000 parts for authenticated users. Additionally, we have introduced the system property multipart.authenticated.max.parts which can be used to override the limit for authenticated users. We highly discourage using the previous workaround listed below as this changes the global limit (includes unauthenticated users) and will heighten the risk of DDoS attacks. If you have previously applied this workaround, please remove it as soon as practical.

      Issue Summary

      As per title. Multipart request is rejected if its request part count exceeds 256.

      Steps to Reproduce

      1. Make a multipart request to any endpoint* - request should have a count of parts (either files or fields) that exceed 256

      *In 7.13/7.19, these are only requests that are served by the WebWork servlet. In 8.x, these are requests that are subject to filtering by Struts. REST resources and custom servlets are not subject to this same limit in all versions of Confluence.

      Expected Results

      Request is processed/successful

      Actual Results

      The below warning is logged:

      Request exceeded allowed number of files! Max allowed files number is: 256 


      For Confluence 8.0 and above:

      • Set struts.multipart.maxFiles in confluence.cfg.xml  to a custom value.
        Do this by adding the following line within the properties element:
        <property name="struts.multipart.maxFiles">1000</property>

      For Confluence 7.13 and 7.19:

      • Set the system property webwork.multipart.maxFiles to a custom value.
        Learn how to configure system properties here and then verify it has been applied correctly after system restart here.

      DISCLAIMER: Please set this conservatively or you may be vulnerable to DoS. See CVE-2023-24998.

            854eef6f5746 Kusal Kithul-Godage
            854eef6f5746 Kusal Kithul-Godage
            14 Vote for this issue
            13 Start watching this issue