From 118199cb2c1b34f2f511d7ac2d26a0a9ad72d66f Mon Sep 17 00:00:00 2001
From: Julian Reschke <julian.reschke@gmx.de>
Date: Wed, 8 Apr 2026 14:28:33 +0100
Subject: [PATCH] JCR-5233: commons-fileupload (1.6) restricts header size in
 upload parts

---
 .../org/apache/jackrabbit/server/util/HttpMultipartPost.java    | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/server/util/HttpMultipartPost.java b/jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/server/util/HttpMultipartPost.java
index 26b1cb7c54e..556b0b09573 100644
--- a/jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/server/util/HttpMultipartPost.java
+++ b/jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/server/util/HttpMultipartPost.java
@@ -65,6 +65,8 @@ private void extractMultipart(HttpServletRequest request, File tmpDir)
         }
 
         ServletFileUpload upload = new ServletFileUpload(getFileItemFactory(tmpDir));
+        upload.setPartHeaderSizeMax(10 * 1024);
+        upload.setFileCountMax(1024);
         // make sure the content disposition headers are read with the charset
         // specified in the request content type (or UTF-8 if no charset is specified).
         // see JCR