[ https://issues.apache.org/jira/browse/FILEUPLOAD-212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13598596#comment-13598596 ]
Simone Tripodi commented on FILEUPLOAD-212: ------------------------------------------- [~tn] I think you can checkin directly the modifications, no need for patches. Thanks! > Insecure request size checking > ------------------------------ > > Key: FILEUPLOAD-212 > URL: https://issues.apache.org/jira/browse/FILEUPLOAD-212 > Project: Commons FileUpload > Issue Type: Bug > Affects Versions: 1.2.2 > Environment: Default configuration default environment. > Reporter: Damian Kolasa > Assignee: Thomas Neidhart > Priority: Critical > Labels: max_upload_size, resource_depletion, security > Fix For: 1.3 > > Attachments: FILEUPLOAD-212_fix.patch, FILEUPLOAD-212.patch > > Original Estimate: 48h > Remaining Estimate: 48h > > In FileUploadBase there is an issue when checking for upload request size, > the check is based on presence of Content-Length header in request and FALSE > assumption that when present it will represent the actual request size. Using > this fact, attacker can supply request with defined Content-Length of 60 and > bypass file upload restrictions, which can lead to successful Resource > Depletion type attack. > IMHO by default file upload should return the LimitedInputStream > implementation for file upload. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira