Author: simonetripodi Date: Mon Mar 11 07:57:18 2013 New Revision: 1455031 URL: http://svn.apache.org/r1455031 Log: [FILEUPLOAD-212] - Insecure request size checking - fix provided by (and credited to) Thomas Neidhart
Modified:
    commons/proper/fileupload/trunk/RELEASE-NOTES.txt
    commons/proper/fileupload/trunk/src/changes/changes.xml
    commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/FileUploadBase.java

Modified: commons/proper/fileupload/trunk/RELEASE-NOTES.txt
URL: http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/RELEASE-NOTES.txt?rev=1455031&r1=1455030&r2=1455031&view=diff
==============================================================================
--- commons/proper/fileupload/trunk/RELEASE-NOTES.txt (original)
+++ commons/proper/fileupload/trunk/RELEASE-NOTES.txt Mon Mar 11 07:57:18 2013
@@ -63,6 +63,7 @@ Bug
  * [FILEUPLOAD-195] - Error reading the file size larger than 2 gb
  * [FILEUPLOAD-197] - ServletFileUpload isMultipartContent method does not support HTTP PUT
  * [FILEUPLOAD-204] - FileItem.getHeaders() returns always null.
+ * [FILEUPLOAD-212] - Insecure request size checking
  * [FILEUPLOAD-214] - ServletFileUpload only accepts POST requests
 Improvement

Modified: commons/proper/fileupload/trunk/src/changes/changes.xml
URL: http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/src/changes/changes.xml?rev=1455031&r1=1455030&r2=1455031&view=diff
==============================================================================
--- commons/proper/fileupload/trunk/src/changes/changes.xml (original)
+++ commons/proper/fileupload/trunk/src/changes/changes.xml Mon Mar 11 07:57:18 2013
@@ -97,6 +97,9 @@ The <action> type attribute can be add,u
 <action issue="FILEUPLOAD-204" dev="jochen" type="fix" due-to="Hakju Oh">
 FileItem.getHeaders() returns always null.
 </action>
+ <action issue="FILEUPLOAD-204" dev="tn" type="fix" due-to="Damian Kolasa">
+ Insecure request size checking
+ </action>
 <action issue="FILEUPLOAD-214" dev="simonetripodi" type="fix" due-to="Matthew Runo">
 ServletFileUpload only accepts POST requests
 </action>

Modified: commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/FileUploadBase.java
URL: http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/FileUploadBase.java?rev=1455031&r1=1455030&r2=1455031&view=diff
==============================================================================
--- commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/FileUploadBase.java (original)
+++ commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/FileUploadBase.java Mon Mar 11 07:57:18 2013
@@ -919,26 +919,25 @@ public abstract class FileUploadBase {
 if (sizeMax >= 0) {
 long requestSize = ctx.contentLength();
- if (requestSize == -1) {
- input = new LimitedInputStream(input, sizeMax) {
- @Override
- protected void raiseError(long pSizeMax, long pCount)
- throws IOException {
- FileUploadException ex = new SizeLimitExceededException(
- format("the request was rejected because its size (%s) exceeds the configured maximum (%s)",
- pCount, pSizeMax),
- pCount, pSizeMax);
- throw new FileUploadIOException(ex);
- }
- };
- } else {
- if (sizeMax >= 0 && requestSize > sizeMax) {
+ if (requestSize != -1) {
+ if (requestSize > sizeMax) {
 throw new SizeLimitExceededException(
 format("the request was rejected because its size (%s) exceeds the configured maximum (%s)",
 requestSize, sizeMax),
 requestSize, sizeMax);
 }
 }
+ input = new LimitedInputStream(input, sizeMax) {
+ @Override
+ protected void raiseError(long pSizeMax, long pCount)
+ throws IOException {
+ FileUploadException ex = new SizeLimitExceededException(
+ format("the request was rejected because its size (%s) exceeds the configured maximum (%s)",
+ pCount, pSizeMax),
+ pCount, pSizeMax);
+ throw new FileUploadIOException(ex);
+ }
+ };
 }
 String charEncoding = headerEncoding;
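Review bot: The new `if (requestSize != -1) {` / `if (requestSize > sizeMax) {` pair has nothing between the two conditions and can be collapsed to `if (requestSize != -1 && requestSize > sizeMax) {`, which also makes it obvious that the Content-Length comparison is only an early rejection. The security-relevant change here — the `LimitedInputStream` wrapper is now installed regardless of whether a Content-Length was declared, so a client-supplied length no longer decides whether the limit is enforced — is worth recording in a comment such as `// Content-Length is client-supplied; LimitedInputStream enforces sizeMax on the bytes actually read.` above the `input = new LimitedInputStream(input, sizeMax) {` line. The same rejection format string is now built in two places (the eager check and `raiseError`), so a small private helper taking the actual and maximum values would remove the duplication, and in `raiseError` the `pCount` reported as "its size" is presumably the byte count at which the limit was hit rather than the full request size, which the message wording overstates. The enclosing method starts before and ends after this hunk. Separately, the changes.xml entry added in this commit is tagged `issue="FILEUPLOAD-204"` while the log message and RELEASE-NOTES attribute the fix to FILEUPLOAD-212.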