Julian Reschke created JCR-5233:
-----------------------------------
Summary: commons-fileupload (1.6) restricts header size in upload
parts
Key: JCR-5233
URL: https://issues.apache.org/jira/browse/JCR-5233
Project: Jackrabbit Content Repository
Issue Type: Task
Components: jackrabbit-jcr-server
Reporter: Julian Reschke
With commons-fileupload 1.6, a restriction of header size in upload parts (512
bytes) was implemented due to a DoS CVE.
This value can be overridden, like that:
{noformat}
diff --git
a/jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/server/util/HttpMultipartPost.java
b/jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/server/util/HttpMultipartPost.java
index 26b1cb7c5..2f49978a8 100644
---
a/jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/server/util/HttpMultipartPost.java
+++
b/jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/server/util/HttpMultipartPost.java
@@ -65,6 +65,7 @@ class HttpMultipartPost {
}
ServletFileUpload upload = new
ServletFileUpload(getFileItemFactory(tmpDir));
+ upload.setPartHeaderSizeMax(1024);
// make sure the content disposition headers are read with the charset
// specified in the request content type (or UTF-8 if no charset is
specified).
// see JCR
{noformat}
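Review bot: the literal 1024 in the added line upload.setPartHeaderSizeMax(1024); has no comment or named constant, while the charset handling directly below it is documented. Since the 512-byte default was introduced as a DoS mitigation, give the value a named constant with a comment saying why it is raised (parts with long paths). If deployments need different values, read it from configuration with a sane upper bound instead of hard-coding it.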
This apparently causes failures to upload parts with long paths.
Questions: do we want to change the limit? To what? Does it need to be
configurable?