Index: src/share/classes/org/apache/tomcat/util/http/MimeHeaders.java
===================================================================
--- src/share/classes/org/apache/tomcat/util/http/MimeHeaders.java	(revision 1900)
+++ src/share/classes/org/apache/tomcat/util/http/MimeHeaders.java	(revision 1908)
@@ -23,9 +23,6 @@
 
 import org.apache.tomcat.util.buf.MessageBytes;
 
-/* XXX XXX XXX Need a major rewrite  !!!!
- */
-
 /**
  * This class is used to contain standard internet message headers,
  * used for SMTP (RFC822) and HTTP (RFC2068) messages as well as for
@@ -79,12 +76,6 @@
  *  to avoid inside tomcat. The goal is to use _only_ MessageByte-based Fields,
  *  and reduce to 0 the memory overhead of tomcat.
  *
- *  TODO:
- *  XXX one-buffer parsing - for http ( other protocols don't need that )
- *  XXX remove unused methods
- *  XXX External enumerations, with 0 GC.
- *  XXX use HeaderName ID
- *  
  * 
  * @author dac@eng.sun.com
  * @author James Todd [gonzo@eng.sun.com]
@@ -93,9 +84,11 @@
  */
 public class MimeHeaders {
     /** Initial size - should be == average number of headers per request
-     *  XXX  make it configurable ( fine-tuning of web-apps )
      */
     public static final int DEFAULT_HEADER_SIZE=8;
+    protected static final int MAX_COUNT = 
+        Integer.valueOf(System.getProperty("org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT", "128")).intValue();
+
     
     /**
      * The header fields.
@@ -216,6 +209,9 @@
         MimeHeaderField mh;
         int len = headers.length;
         if (count >= len) {
+            if (count >= MAX_COUNT) {
+                throw new IllegalStateException("Header count exceeded allowed maximum: " + MAX_COUNT);
+            }
             // expand header list array
             MimeHeaderField tmp[] = new MimeHeaderField[count * 2];
             System.arraycopy(headers, 0, tmp, 0, len);
@@ -326,9 +322,7 @@
      * @param name the name of the header field to be removed
      */
     public void removeHeader(String name) {
-        // XXX
         // warning: rather sticky code; heavily tuned
-
         for (int i = 0; i < count; i++) {
             if (headers[i].getName().equalsIgnoreCase(name)) {
                 removeHeader(i--);
Index: src/share/classes/org/apache/tomcat/util/http/Parameters.java
===================================================================
--- src/share/classes/org/apache/tomcat/util/http/Parameters.java	(revision 1900)
+++ src/share/classes/org/apache/tomcat/util/http/Parameters.java	(revision 1908)
@@ -51,6 +51,8 @@
     MessageBytes decodedQuery=MessageBytes.newInstance();
     
     public static final int INITIAL_SIZE=4;
+    protected static final int MAX_COUNT = 
+        Integer.valueOf(System.getProperty("org.apache.tomcat.util.http.Parameters.MAX_COUNT", "512")).intValue();
 
     // Garbage-less parameter merging.
     // In a sub-request with parameters, the new parameters
@@ -175,6 +177,8 @@
                 values[i+ oldValues.length] = newValues[i];
             }
         } else {
+            if (paramHashStringArray.size() >=MAX_COUNT)
+                throw new IllegalStateException("Parameter count exceeded allowed maximum: " + MAX_COUNT);
             values = newValues;
         }
 
@@ -316,6 +320,8 @@
             }
             values[oldValues.length] = value;
         } else {
+            if (paramHashStringArray.size() >=MAX_COUNT)
+                throw new IllegalStateException("Parameter count exceeded allowed maximum: " + MAX_COUNT);
             values = new String[1];
             values[0] = value;
         }