[jira] [Commented] (JCR-5233) commons-fileupload (1.6) restricts header size in upload parts

Wed, 08 Apr 2026 06:18:07 -0700 


    [ 
https://issues.apache.org/jira/browse/JCR-5233?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18071966#comment-18071966
 ] 

Julian Reschke commented on JCR-5233:
-------------------------------------

...so the problem is the max. size of headers per part, multiplied with the 
max. number of parts.

1.6 changed the default for headers size per part from 10K zo 512. We got 
reports that this breaks a few use cases (long filenames, for instance), so I 
think we need to go back to 10K.

What should be less dangerous is to limit the number of parts to 1024.

The defense against the DoS scenario is weaker, but still is there (IMHO).



> commons-fileupload (1.6) restricts header size in upload parts
> --------------------------------------------------------------
>
>                 Key: JCR-5233
>                 URL: https://issues.apache.org/jira/browse/JCR-5233
>             Project: Jackrabbit Content Repository
>          Issue Type: Task
>          Components: jackrabbit-jcr-server
>            Reporter: Julian Reschke
>            Assignee: Julian Reschke
>            Priority: Major
>
> With commons-fileupload 1.6, a restriction of header size in upload parts 
> (512 bytes) was implemented due to a DoS CVE.
> This value can be overriden; like that:
>  
> {noformat}
> diff --git 
> a/jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/server/util/HttpMultipartPost.java
>  
> b/jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/server/util/HttpMultipartPost.java
> index 26b1cb7c5..2f49978a8 100644
> --- 
> a/jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/server/util/HttpMultipartPost.java
> +++ 
> b/jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/server/util/HttpMultipartPost.java
> @@ -65,6 +65,7 @@ class HttpMultipartPost {
>          }
>          ServletFileUpload upload = new 
> ServletFileUpload(getFileItemFactory(tmpDir));
> +        upload.setPartHeaderSizeMax(1024);
>          // make sure the content disposition headers are read with the 
> charset
>          // specified in the request content type (or UTF-8 if no charset is 
> specified).
>          // see JCR
> {noformat}
> This apparently causes failures to upload parts with long paths.
> Questions: do we want to change the limit? To what? Does it need to be 
> configurable?



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to