[
https://issues.apache.org/jira/browse/WICKET-7169?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18060468#comment-18060468
]
ASF GitHub Bot commented on WICKET-7169:
----------------------------------------
renoth commented on code in PR #1383:
URL: https://github.com/apache/wicket/pull/1383#discussion_r2843015075
##########
wicket-core/src/main/java/org/apache/wicket/protocol/http/servlet/MultipartServletWebRequestImpl.java:
##########
@@ -286,14 +286,19 @@ protected AbstractFileUpload newFileUpload(String
encoding) {
fileUpload.setHeaderCharset(charset);
}
- fileUpload.setSizeMax(getMaxSize().bytes());
+ fileUpload.setMaxSize(getMaxSize().bytes());
Bytes fileMaxSize = getFileMaxSize();
- if (fileMaxSize != null) {
- fileUpload.setFileSizeMax(fileMaxSize.bytes());
+
+ if (fileMaxSize != null)
+ {
+ fileUpload.setMaxFileSize(fileMaxSize.bytes());
}
- fileUpload.setFileCountMax(getFileCountMax());
+ fileUpload.setMaxFileCount(getFileCountMax());
+
+ fileUpload.setMaxPartHeaderSize(
+
Application.get().getApplicationSettings().getDefaultMaximumPartHeaderSize());
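Review bot: The new setMaxPartHeaderSize call at the end of this hunk reads its value straight from Application.get().getApplicationSettings().getDefaultMaximumPartHeaderSize(), while the three limits above it come from getters on the request itself (getMaxSize(), getFileMaxSize(), getFileCountMax()). Consider adding a matching getter on this class that falls back to the application default. A single upload with a long component path could then raise the limit without loosening it for every multipart request, and newFileUpload would not depend on a thread-bound Application. The value is also passed through unchecked here, so the setting's documentation should state which range it accepts and what a non-positive value means.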
Review Comment:
done :)
> Make partHeaderSizeMax in AbstractFileUpload configurable
> ---------------------------------------------------------
>
> Key: WICKET-7169
> URL: https://issues.apache.org/jira/browse/WICKET-7169
> Project: Wicket
> Issue Type: New Feature
> Components: wicket-core
> Affects Versions: 10.6.0
> Reporter: Johannes Renoth
> Priority: Major
>
> Commons Fileupload introduced a setting for partHeaderSizeMax in 2.0.0-M4 but
> failed to make the default Value configurable by callers, the PR
> [https://github.com/apache/commons-fileupload/pull/429] fixes that, but is
> not yet released.
> We had to revert Wicket to Version 10.5.0 even though it is still vulnerable
> to the CVE commons fileupload was fixing by creating the setting. Most of the
> time the default value is enough, but when there is a fileupload with a long
> component path the header size gets too large and there is an error.
> In order to fix this, Wicket should be able to set the partHeaderSizeMax in
> MultipartServletWebRequest or other appropriate
> Classes.
>
> I am not sure how the setting should be configured (Application Settings,
> just read the connector properties if that is even possible), maybe use an
> opinionated, higher default value for Wicket?