[ 
https://issues.apache.org/jira/browse/JCR-5233?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18085762#comment-18085762
 ] 

Julian Reschke commented on JCR-5233:
-------------------------------------

[~cziegeler] pointed out: an alternative would be to just rely on the Servlet 
API. That would avoid new config options, but may have fewer knobs to control to 
make it fully compatible (lazily overflowing into files, maybe 
encoding/decoding, error handling).

At the end of the day: we need more tests.



> commons-fileupload (1.6) restricts header size in upload parts
> --------------------------------------------------------------
>
>                 Key: JCR-5233
>                 URL: https://issues.apache.org/jira/browse/JCR-5233
>             Project: Jackrabbit Content Repository
>          Issue Type: Task
>          Components: jackrabbit-jcr-server
>            Reporter: Julian Reschke
>            Assignee: Julian Reschke
>            Priority: Major
>              Labels: candidate_jackrabbit_2.22
>             Fix For: 2.24
>
>
> With commons-fileupload 1.6, a restriction of header size in upload parts 
> (512 bytes) was implemented due to a DoS CVE.
> This value can be overridden, like this:
>  
> {noformat}
> diff --git 
> a/jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/server/util/HttpMultipartPost.java
>  
> b/jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/server/util/HttpMultipartPost.java
> index 26b1cb7c5..2f49978a8 100644
> --- 
> a/jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/server/util/HttpMultipartPost.java
> +++ 
> b/jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/server/util/HttpMultipartPost.java
> @@ -65,6 +65,7 @@ class HttpMultipartPost {
>          }
>          ServletFileUpload upload = new 
> ServletFileUpload(getFileItemFactory(tmpDir));
> +        upload.setPartHeaderSizeMax(1024);
>          // make sure the content disposition headers are read with the 
> charset
>          // specified in the request content type (or UTF-8 if no charset is 
> specified).
>          // see JCR
> {noformat}
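Review bot: the added `upload.setPartHeaderSizeMax(1024);` line hard-codes a doubled limit with no justification, while the surrounding description says the 512-byte default in 1.6 exists as a DoS mitigation and that 1024 still breaks uploads with long paths. Rather than picking another arbitrary constant, size the bound from the longest Content-Disposition header the server legitimately has to accept, make it configurable next to the other upload settings, and put a comment above the call explaining that the limit is a fileupload 1.6 DoS protection so nobody raises it blindly later. A regression test that uploads a part with a long filename would pin the chosen value, which matches the "we need more tests" remark in the comment above.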
> This apparently causes failures to upload parts with long paths.
> Questions: do we want to change the limit? To what? Does it need to be 
> configurable?



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
