[struts] branch master updated (bad445ba3 -> 960682ae8)
This is an automated email from the ASF dual-hosted git repository. lukaszlenart pushed a change to branch master in repository https://gitbox.apache.org/repos/asf/struts.git from bad445ba3 Merge pull request #670 from sdutry/issue/WW-5251 new ff19dfee6 WW-5288 Make excluded package exemption logic more strict new acf68be1e WW-5288 Export exempt classes as part of ConstantConfig new b4821330d WW-5288 Reinstate mistakenly deleted test classes and refactor new 960682ae8 Merge pull request #664 from atlassian/WW-5288-exemption-strict The 6556 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference. Summary of changes: .../xwork2/ognl/SecurityMemberAccess.java | 85 ++- .../java/org/apache/struts2/StrutsConstants.java | 5 +- .../struts2/config/entities/ConstantConfig.java| 20 + .../conversion/impl/StringConverterTest.java | 2 - .../xwork2/ognl/SecurityMemberAccessTest.java | 161 ++--- ...cess.java => ExternalSecurityMemberAccess.java} | 8 +- java => ExternalSecurityMemberAccessTest.java} | 16 +- .../java/com/test/SecurityMemberAccessTest.java| 651 - .../config/entities/ConstantConfigTest.java| 28 +- .../util/SecurityMemberAccessInServletsTest.java | 8 +- 10 files changed, 204 insertions(+), 780 deletions(-) copy core/src/test/java/com/test/{TestSecurityMemberAccess.java => ExternalSecurityMemberAccess.java} (77%) rename core/src/test/java/com/test/{TestSecurityMemberAccess.java => ExternalSecurityMemberAccessTest.java} (67%) delete mode 100644 core/src/test/java/com/test/SecurityMemberAccessTest.java
[struts] branch master updated (960682ae8 -> 48e57b70b)
This is an automated email from the ASF dual-hosted git repository. lukaszlenart pushed a change to branch master in repository https://gitbox.apache.org/repos/asf/struts.git from 960682ae8 Merge pull request #664 from atlassian/WW-5288-exemption-strict new 6aee0eb20 WW-5293 Update deprecations new 92ac50c79 WW-5293 Make Struts DTDs static new 250aeb3e0 WW-5293 Hide documents in XmlConfigurationProvider new 4f5e0ef49 WW-5293 Split XmlConfigurationProvider into XmlDocConfigurationProvider Part 1 new 8db9e3943 WW-5293 Split XmlConfigurationProvider into XmlDocConfigurationProvider Part 2 new f2e2c0595 WW-5293 Split #buildActionConfig from #addAction new fb03589c7 WW-5293 Split #buildInterceptorConfig from #loadInterceptors new 3689d3f25 WW-5293 Define protected field addedResultTypes and split #buildResultConfig from #buildResults new 7fa67c290 WW-5293 Add protected #loadClass new c27cf4833 WW-5293 Fix trying to clear immutable list new 4bc790dd5 WW-5293 Split #buildResultTypeConfig from #addResultTypes and remove unused field and param new bd805cd68 WW-5293 Make more methods overridable new c11334c60 WW-5293 Add JavaDoc for XmlDocConfigurationProvider class new 48e57b70b Merge pull request #668 from atlassian/xml-config-provider-versatile The 6570 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference. Summary of changes: .../config/providers/XmlConfigurationProvider.java | 975 ++--- ...vider.java => XmlDocConfigurationProvider.java} | 540 +--- .../config/StrutsXmlConfigurationProvider.java | 47 +- .../org/apache/struts2/dispatcher/Dispatcher.java | 16 +- .../providers/XmlConfigurationProviderTest.java| 2 +- 5 files changed, 293 insertions(+), 1287 deletions(-) copy core/src/main/java/com/opensymphony/xwork2/config/providers/{XmlConfigurationProvider.java => XmlDocConfigurationProvider.java} (80%)
[struts-site] branch master updated: WW-5288 Update docs for making excluded package exemption logic more strict
This is an automated email from the ASF dual-hosted git repository. lukaszlenart pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/struts-site.git The following commit(s) were added to refs/heads/master by this push: new 0eced0e73 WW-5288 Update docs for making excluded package exemption logic more strict new 878eedb22 Merge pull request #190 from atlassian-forks/WW-5288-excluded-package-exemption-strict 0eced0e73 is described below commit 0eced0e7358e244ebd8b89f4a30d6a8482c8191a Author: Kusal Kithul-Godage AuthorDate: Wed Mar 22 14:09:02 2023 +1100 WW-5288 Update docs for making excluded package exemption logic more strict --- source/security/index.md | 19 ++- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/source/security/index.md b/source/security/index.md index ec61a3182..1a36b3280 100644 --- a/source/security/index.md +++ b/source/security/index.md @@ -185,8 +185,8 @@ Multiple Struts 2 versions have been vulnerable to OGNL security flaws. Conseque framework with following proactive optional possibilities since OGNL 3.1.24 and Struts 2.5.22. They're disabled by default but via enabling them, you can proactively protect from potential still unknown OGNL Expression Injections flaws: -> **NOTE**: These might break your current app functionality. Before using in production environment, you're recommended to -comprehensively test your app UI and functionalities with these enabled. +> **NOTE**: These might break your current app functionality. Before using in production environment, you're recommended +> to comprehensively test your app UI and functionalities with these enabled. Run OGNL expressions inside sandbox 
@@ -206,16 +206,17 @@ really only a "style guard" for long OGNL expressions in an application). The Apache Struts 2 contains internal security manager which blocks access to particular classes and Java packages - it's a OGNL-wide mechanism which means it affects any aspect of the framework ie. incoming parameters, expressions -used in JSPs, etc. +used in JSPs, etc. Matching is done based on both the target and member class of an OGNL expression. There are 4 options that can be used to configure excluded packages and classes: - - `struts.excludedClasses` - comma-separated list of excluded classes - - `struts.excludedPackageNamePatterns` - patterns used to exclude packages based on RegEx - this option is slower than - simple string comparison but it's more flexible - - `struts.excludedPackageNames` - comma-separated list of excluded packages, it is used with simple string comparison - via `startWith` and `equals` - - `struts.excludedPackageExemptClasses` - comma-separated list of classes to exempt from any of the excluded packages or package name patterns +- `struts.excludedClasses`: comma-separated list of excluded classes. Note that superclasses are also matched. +- `struts.excludedPackageNames`: comma-separated list of excluded packages, matched using string + comparison via `startWith`. Note that classes in subpackages are also excluded. +- `struts.excludedPackageNamePatterns` - comma-separated list of RegEx patterns used to exclude packages. Note that this + option is slower than string comparison but more flexible. +- `struts.excludedPackageExemptClasses` - comma-separated list of classes to exempt from any of the excluded packages or + package name patterns. An exact exemption must exist for each exclusion match (target or member or both). The defaults are defined [here](https://github.com/apache/struts/blob/master/core/src/main/resources/struts-excluded-classes.xml).
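Review bot: In the second hunk, the rewritten `struts.excludedPackageNames` bullet still says matching is done via `startWith`; the Java method is `String.startsWith`, and the typo is carried over from the removed line, so it is worth fixing while the sentence is being touched. The list also now mixes two separators: the first two bullets use `option:` while the last two keep `option -`; one form throughout would read better. The added sentence "An exact exemption must exist for each exclusion match (target or member or both)" is the part that matters most to anyone relying on `struts.excludedPackageExemptClasses`, and it would be clearer with one short example of an expression whose target class and member class differ, showing which entries the exempt list then needs.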
[struts-site] branch asf-site updated: Automatic Site Publish by Buildbot
This is an automated email from the ASF dual-hosted git repository. git-site-role pushed a commit to branch asf-site in repository https://gitbox.apache.org/repos/asf/struts-site.git The following commit(s) were added to refs/heads/asf-site by this push: new cfb523c09 Automatic Site Publish by Buildbot cfb523c09 is described below commit cfb523c09be97534a758c34686dbf59863f992c0 Author: buildbot AuthorDate: Wed Mar 22 05:34:02 2023 + Automatic Site Publish by Buildbot --- output/core-developers/default-properties.html | 1 + output/security/index.html | 19 ++- 2 files changed, 11 insertions(+), 9 deletions(-) diff --git a/output/core-developers/default-properties.html b/output/core-developers/default-properties.html index d22a34275..6bec201b6 100644 --- a/output/core-developers/default-properties.html +++ b/output/core-developers/default-properties.html @@ -214,6 +214,7 @@ struts.multipart.parser=jakarta struts.multipart.saveDir= struts.multipart.maxSize=2097152 struts.multipart.maxFiles=256 +# struts.multipart.maxFileSize= ### Load custom property files (does not override struts.properties!) # struts.custom.properties=application,org/apache/struts2/extension/custom diff --git a/output/security/index.html b/output/security/index.html index a3491fa29..253044b25 100644 --- a/output/security/index.html +++ b/output/security/index.html @@ -333,8 +333,8 @@ framework with following proactive optional possibilities since OGNL 3.1.24 and default but via enabling them, you can proactively protect from potential still unknown OGNL Expression Injections flaws: - NOTE: These might break your current app functionality. Before using in production environment, you’re recommended to -comprehensively test your app UI and functionalities with these enabled. + NOTE: These might break your current app functionality. Before using in production environment, you’re recommended +to comprehensively test your app UI and functionalities with these enabled. Run OGNL expressions inside sandbox 
@@ -355,17 +355,18 @@ really only a “style guard” for long OGNL expressions in an application).The Apache Struts 2 contains internal security manager which blocks access to particular classes and Java packages - it’s a OGNL-wide mechanism which means it affects any aspect of the framework ie. incoming parameters, expressions -used in JSPs, etc. +used in JSPs, etc. Matching is done based on both the target and member class of an OGNL expression. There are 4 options that can be used to configure excluded packages and classes: - struts.excludedClasses - comma-separated list of excluded classes - struts.excludedPackageNamePatterns - patterns used to exclude packages based on RegEx - this option is slower than -simple string comparison but it’s more flexible - struts.excludedPackageNames - comma-separated list of excluded packages, it is used with simple string comparison -via startWith and equals - struts.excludedPackageExemptClasses - comma-separated list of classes to exempt from any of the excluded packages or package name patterns + struts.excludedClasses: comma-separated list of excluded classes. Note that superclasses are also matched. + struts.excludedPackageNames: comma-separated list of excluded packages, matched using string +comparison via startWith. Note that classes in subpackages are also excluded. + struts.excludedPackageNamePatterns - comma-separated list of RegEx patterns used to exclude packages. Note that this +option is slower than string comparison but more flexible. + struts.excludedPackageExemptClasses - comma-separated list of classes to exempt from any of the excluded packages or +package name patterns. An exact exemption must exist for each exclusion match (target or member or both). The defaults are defined https://github.com/apache/struts/blob/master/core/src/main/resources/struts-excluded-classes.xml";>here.
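Review bot: In the `default-properties.html` hunk, `# struts.multipart.maxFileSize=` is added commented out and with an empty value, directly under three keys that are active and carry values, and nothing says what an empty value means or which unit the setting takes. Since this commit is an automatic publish of generated `output/` files, the change belongs in the source the page is built from: a one-line comment above the key stating that the per-file limit is not enforced unless a value is set would remove the ambiguity.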
[struts-site] branch master updated: WW-5266 Update file upload docs
This is an automated email from the ASF dual-hosted git repository. lukaszlenart pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/struts-site.git The following commit(s) were added to refs/heads/master by this push: new 0404b108e WW-5266 Update file upload docs new 1fbdf2de6 Merge pull request #191 from atlassian-forks/WW-5266-doc-maxfilesize 0404b108e is described below commit 0404b108e84bd0721810da148d952c1d612df195 Author: Kusal Kithul-Godage AuthorDate: Wed Mar 22 16:06:05 2023 +1100 WW-5266 Update file upload docs --- source/core-developers/file-upload.md | 90 --- 1 file changed, 40 insertions(+), 50 deletions(-) diff --git a/source/core-developers/file-upload.md b/source/core-developers/file-upload.md index 9f623dd48..efb67a229 100644 --- a/source/core-developers/file-upload.md +++ b/source/core-developers/file-upload.md 
@@ -239,56 +239,56 @@ public class MultipleFileUploadUsingListAction extends ActionSupport { ## Advanced Configuration The Struts 2 `default.properties` file defines several settings that affect the behavior of file uploading. You may find -in necessary to change these values. The names and default values are: +it necessary to change these values. The names and default values are: ``` struts.multipart.parser=jakarta -struts.multipart.saveDir= -struts.multipart.maxSize=2097152 -struts.multipart.maxFiles=256 +struts.multipart.saveDir= # Filesystem location to save parsed request data +struts.multipart.maxSize=2097152 # Max combined size of files per request +struts.multipart.maxFiles=256 # Max number of files per request +struts.multipart.maxFileSize= # Max size per file per request ``` -> Please remember that the `struts.multipart.maxSize` is the size limit of the whole request, which means when you're -> uploading multiple files, the sum of their size must be below the `struts.multipart.maxSize`! +You can also set the max options to unlimited by setting their value to `-1`, but please see the sections below for +further details on these options first. -In order to change these settings you define a constant in your applications `struts.xml` file like so: +### Files Number Limit + +Since Struts 6.1.2/6.2.0 a new option was added, which uses Commons FileUpload feature to limit how many files can be +uploaded at once, in one request. This option requires to use Commons FileUpload ver. 1.5 at least and by default is set +to **256**. Please always set this to a finite value to prevent DoS attacks. + +To change this value define a constant +in `struts.xml` as follows: ```xml - -... + ``` -Additionally, the `fileUpload` interceptor has settings that can be put in place for individual action mappings -by customizing your interceptor stack. +### File Size Limits -```xml - - - -text/plain - - - +There are multiple methods to enforce file size limits. 
-good_result.jsp - -``` +There is `struts.multipart.maxSize` which is loaded from the Struts configuration. This setting exists for security +reasons to prohibit a malicious user from uploading extremely large files to fill up your server's disk space. This +setting defaults to approximately 2MB and should be adjusted to the maximum size (2GB) that you expect to parse. If you +are uploading more than one file in a single request, the `struts.multipart.maxSize` applies to the combined total, not +the individual files. -### File Size Limits +There is also `struts.multipart.maxFileSize` which is not enforced by default, but can be enabled to enforce a max size +on a per-file basis. -There are two separate file size limits. First is `struts.multipart.maxSize` which comes from the Struts -2 `default.properties` file. This setting exists for security reasons to prohibit a malicious user from uploading -extremely large files to file up your servers disk space. This setting defaults to approximately 2 megabytes and should -be adjusted to the maximum size file (2 gigs max) that your will need the framework to receive. If you are uploading -more than one file on a form the `struts.multipart.maxSize` applies to the combined total, not the individual file -sizes. The other setting, `maximumSize`, is an interceptor setting that is used to ensure a particular Action does not -receive a file that is too large. Notice the locations of both settings in the following example: +The other setting, `maximumSize`, is an interceptor setting that is used to ensure a particular Action does not receive +a file that is too large. Note that the aforementioned settings are applied at the request parsing level and take +precedence over this interceptor setting. +Notice the locations of these settings in the following example: ```xml + @@ -303,18 +303,6 @@ receive a file that is too large. Notice the locations of both settings in the f ``` -### Files Num
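Review bot: In the `struts.multipart.*` block of the first hunk, the new descriptions are appended on the same line as the value (`struts.multipart.maxSize=2097152 # Max combined size of files per request`). In a Java `.properties` file `#` starts a comment only at the beginning of a line, so anyone copying this block into `struts.properties` gets the description as part of the value, and the value is no longer a plain number. Put each description on its own `#` line above the key it describes. Further down, "should be adjusted to the maximum size (2GB) that you expect to parse" reads as if 2GB were the suggested setting; the removed text said "2 gigs max", so wording such as "up to a maximum of 2GB" would keep the original meaning and avoid encouraging an oversized request limit.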
[struts-site] branch asf-site updated: Automatic Site Publish by Buildbot
This is an automated email from the ASF dual-hosted git repository. git-site-role pushed a commit to branch asf-site in repository https://gitbox.apache.org/repos/asf/struts-site.git The following commit(s) were added to refs/heads/asf-site by this push: new 324b637a2 Automatic Site Publish by Buildbot 324b637a2 is described below commit 324b637a2b89d1504645d1943d86febba3649311 Author: buildbot AuthorDate: Wed Mar 22 05:34:46 2023 + Automatic Site Publish by Buildbot --- output/core-developers/file-upload.html | 82 - 1 file changed, 39 insertions(+), 43 deletions(-) diff --git a/output/core-developers/file-upload.html b/output/core-developers/file-upload.html index ede426e0d..47f375784 100644 --- a/output/core-developers/file-upload.html +++ b/output/core-developers/file-upload.html @@ -145,8 +145,8 @@ Advanced Configuration - File Size Limits Files Number Limit + File Size Limits File Types Error Messages Temporary Directories 
@@ -397,54 +397,53 @@ see struts-fileupload.xmlAdvanced Configuration The Struts 2 default.properties file defines several settings that affect the behavior of file uploading. You may find -in necessary to change these values. The names and default values are: +it necessary to change these values. The names and default values are: struts.multipart.parser=jakarta -struts.multipart.saveDir= -struts.multipart.maxSize=2097152 -struts.multipart.maxFiles=256 +struts.multipart.saveDir= # Filesystem location to save parsed request data +struts.multipart.maxSize=2097152 # Max combined size of files per request +struts.multipart.maxFiles=256 # Max number of files per request +struts.multipart.maxFileSize= # Max size per file per request - - Please remember that the struts.multipart.maxSize is the size limit of the whole request, which means when you’re -uploading multiple files, the sum of their size must be below the struts.multipart.maxSize! - +You can also set the max options to unlimited by setting their value to -1, but please see the sections below for +further details on these options first. + +Files Number Limit + +Since Struts 6.1.2/6.2.0 a new option was added, which uses Commons FileUpload feature to limit how many files can be +uploaded at once, in one request. This option requires to use Commons FileUpload ver. 1.5 at least and by default is set +to 256. Please always set this to a finite value to prevent DoS attacks. -In order to change these settings you define a constant in your applications struts.xml file like so: +To change this value define a constant +in struts.xml as follows:- -Additionally, the fileUpload interceptor has settings that can be put in place for individual action mappings -by customizing your interceptor stack. +File Size Limits --... + - - +There is struts.multipart.maxSize which is loaded from the Struts configuration. 
This setting exists for security +reasons to prohibit a malicious user from uploading extremely large files to fill up your server’s disk space. This +setting defaults to approximately 2MB and should be adjusted to the maximum size (2GB) that you expect to parse. If you +are uploading more than one file in a single request, the struts.multipart.maxSize applies to the combined total, not +the individual files. -File Size Limits +There is also struts.multipart.maxFileSize which is not enforced by default, but can be enabled to enforce a max size +on a per-file basis. -There are two separate file size limits. First is struts.multipart.maxSize which comes from the Struts -2 default.properties file. This setting exists for security reasons to prohibit a malicious user from uploading -extremely large files to file up your servers disk space. This setting defaults to approximately 2 megabytes and should -be adjusted to the maximum size file (2 gigs max) that your will need the framework to receive. If you are uploading -more than one file on a form the struts.multipart.maxSize applies to the combined total, not the individual file -sizes. The other setting, maximumSize, is an interceptor setting that is used to ensure a particular Action does not -receive a file that is too large. Notice the locations of both settings in the following example: +The other setting, maximumSize, is an interceptor setting that is used to ensure a- -text/plain - -- +There are multiple methods to enforce file size limits. - good_result.jsp -
[struts-site] branch asf-staging updated: Updates stage by Jenkins
This is an automated email from the ASF dual-hosted git repository. git-site-role pushed a commit to branch asf-staging in repository https://gitbox.apache.org/repos/asf/struts-site.git The following commit(s) were added to refs/heads/asf-staging by this push: new af147b0f9 Updates stage by Jenkins af147b0f9 is described below commit af147b0f9f6d5ce35ab4eda5d32177c7b24ab3ee Author: jenkins AuthorDate: Wed Mar 22 05:37:38 2023 + Updates stage by Jenkins --- content/core-developers/default-properties.html | 1 + content/security/index.html | 19 ++- 2 files changed, 11 insertions(+), 9 deletions(-) diff --git a/content/core-developers/default-properties.html b/content/core-developers/default-properties.html index d22a34275..6bec201b6 100644 --- a/content/core-developers/default-properties.html +++ b/content/core-developers/default-properties.html @@ -214,6 +214,7 @@ struts.multipart.parser=jakarta struts.multipart.saveDir= struts.multipart.maxSize=2097152 struts.multipart.maxFiles=256 +# struts.multipart.maxFileSize= ### Load custom property files (does not override struts.properties!) # struts.custom.properties=application,org/apache/struts2/extension/custom diff --git a/content/security/index.html b/content/security/index.html index a3491fa29..253044b25 100644 --- a/content/security/index.html +++ b/content/security/index.html @@ -333,8 +333,8 @@ framework with following proactive optional possibilities since OGNL 3.1.24 and default but via enabling them, you can proactively protect from potential still unknown OGNL Expression Injections flaws: - NOTE: These might break your current app functionality. Before using in production environment, you’re recommended to -comprehensively test your app UI and functionalities with these enabled. + NOTE: These might break your current app functionality. Before using in production environment, you’re recommended +to comprehensively test your app UI and functionalities with these enabled. Run OGNL expressions inside sandbox 
@@ -355,17 +355,18 @@ really only a “style guard” for long OGNL expressions in an application).The Apache Struts 2 contains internal security manager which blocks access to particular classes and Java packages - it’s a OGNL-wide mechanism which means it affects any aspect of the framework ie. incoming parameters, expressions -used in JSPs, etc. +used in JSPs, etc. Matching is done based on both the target and member class of an OGNL expression. There are 4 options that can be used to configure excluded packages and classes: - struts.excludedClasses - comma-separated list of excluded classes - struts.excludedPackageNamePatterns - patterns used to exclude packages based on RegEx - this option is slower than -simple string comparison but it’s more flexible - struts.excludedPackageNames - comma-separated list of excluded packages, it is used with simple string comparison -via startWith and equals - struts.excludedPackageExemptClasses - comma-separated list of classes to exempt from any of the excluded packages or package name patterns + struts.excludedClasses: comma-separated list of excluded classes. Note that superclasses are also matched. + struts.excludedPackageNames: comma-separated list of excluded packages, matched using string +comparison via startWith. Note that classes in subpackages are also excluded. + struts.excludedPackageNamePatterns - comma-separated list of RegEx patterns used to exclude packages. Note that this +option is slower than string comparison but more flexible. + struts.excludedPackageExemptClasses - comma-separated list of classes to exempt from any of the excluded packages or +package name patterns. An exact exemption must exist for each exclusion match (target or member or both). The defaults are defined https://github.com/apache/struts/blob/master/core/src/main/resources/struts-excluded-classes.xml";>here.
[struts-site] branch asf-staging updated: Updates stage by Jenkins
This is an automated email from the ASF dual-hosted git repository. git-site-role pushed a commit to branch asf-staging in repository https://gitbox.apache.org/repos/asf/struts-site.git The following commit(s) were added to refs/heads/asf-staging by this push: new 9efe5166c Updates stage by Jenkins 9efe5166c is described below commit 9efe5166c7908b52c8faf7b2280ab8c221f31d30 Author: jenkins AuthorDate: Wed Mar 22 05:38:08 2023 + Updates stage by Jenkins --- content/core-developers/file-upload.html | 82 +++- 1 file changed, 39 insertions(+), 43 deletions(-) diff --git a/content/core-developers/file-upload.html b/content/core-developers/file-upload.html index ede426e0d..47f375784 100644 --- a/content/core-developers/file-upload.html +++ b/content/core-developers/file-upload.html @@ -145,8 +145,8 @@ Advanced Configuration - File Size Limits Files Number Limit + File Size Limits File Types Error Messages Temporary Directories 
@@ -397,54 +397,53 @@ see struts-fileupload.xmlAdvanced Configuration The Struts 2 default.properties file defines several settings that affect the behavior of file uploading. You may find -in necessary to change these values. The names and default values are: +it necessary to change these values. The names and default values are: struts.multipart.parser=jakarta -struts.multipart.saveDir= -struts.multipart.maxSize=2097152 -struts.multipart.maxFiles=256 +struts.multipart.saveDir= # Filesystem location to save parsed request data +struts.multipart.maxSize=2097152 # Max combined size of files per request +struts.multipart.maxFiles=256 # Max number of files per request +struts.multipart.maxFileSize= # Max size per file per request - - Please remember that the struts.multipart.maxSize is the size limit of the whole request, which means when you’re -uploading multiple files, the sum of their size must be below the struts.multipart.maxSize! - +You can also set the max options to unlimited by setting their value to -1, but please see the sections below for +further details on these options first. + +Files Number Limit + +Since Struts 6.1.2/6.2.0 a new option was added, which uses Commons FileUpload feature to limit how many files can be +uploaded at once, in one request. This option requires to use Commons FileUpload ver. 1.5 at least and by default is set +to 256. Please always set this to a finite value to prevent DoS attacks. -In order to change these settings you define a constant in your applications struts.xml file like so: +To change this value define a constant +in struts.xml as follows:- -Additionally, the fileUpload interceptor has settings that can be put in place for individual action mappings -by customizing your interceptor stack. +File Size Limits --... + - - +There is struts.multipart.maxSize which is loaded from the Struts configuration. 
This setting exists for security +reasons to prohibit a malicious user from uploading extremely large files to fill up your server’s disk space. This +setting defaults to approximately 2MB and should be adjusted to the maximum size (2GB) that you expect to parse. If you +are uploading more than one file in a single request, the struts.multipart.maxSize applies to the combined total, not +the individual files. -File Size Limits +There is also struts.multipart.maxFileSize which is not enforced by default, but can be enabled to enforce a max size +on a per-file basis. -There are two separate file size limits. First is struts.multipart.maxSize which comes from the Struts -2 default.properties file. This setting exists for security reasons to prohibit a malicious user from uploading -extremely large files to file up your servers disk space. This setting defaults to approximately 2 megabytes and should -be adjusted to the maximum size file (2 gigs max) that your will need the framework to receive. If you are uploading -more than one file on a form the struts.multipart.maxSize applies to the combined total, not the individual file -sizes. The other setting, maximumSize, is an interceptor setting that is used to ensure a particular Action does not -receive a file that is too large. Notice the locations of both settings in the following example: +The other setting, maximumSize, is an interceptor setting that is used to ensure a particular- -text/plain - -- +There are multiple methods to enforce file size limits. - good_result.jsp -