On 25/07/2025 03:42, 加治屋 一輝 wrote:
<snip/>
> Specifically, the following point is unclear to us:
> The advisory mentions "unlikely configurations of multipart upload." Could you please
> specify what types of configurations are considered "unlikely" and would therefore be
> affected by this vulnerability? Please provide specific examples or characteristics.

There are various limits that apply to a multi-part upload. The ones
that matter in this scenario are:

- maxPostSize: set on the Connector. Sets the maximum total size for
  all non-file parts
- maxFileSize: set on the multi-part configuration. Sets the maximum
  size for a single part (file and non-file)

If maxFileSize + maxPostSize > 2^31 then it was possible to bypass
maxPostSize, load large non-file parts into memory and (with enough
non-file parts / requests) trigger a DoS.

The unlikely aspect was that untrusted users would be allowed to upload
files ~2Gb in size.

Kind regards,
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
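As an added illustration of the arithmetic described in the reply above (constructed example code, not Tomcat's implementation and not something posted in this thread): a hypothetical multipart limit check that derives a combined cap from maxPostSize + maxFileSize in Java 32-bit int arithmetic wraps to a negative value once the sum exceeds 2^31 - 1. Because both settings treat a negative value as "no limit", the wrapped result silently switches the check off and non-file parts are buffered with no ceiling. The hardened variant keeps the two limits independent and widens to long where a sum is genuinely needed; Math.addExact turns a silent wrap into an exception, which is a cheap detection point for any remaining int addition of limits. The method names, parameter types and the shape of the check are assumptions; the 2 MiB default for maxPostSize is Tomcat's documented default.

```java
/**
 * Added example (not Tomcat's code): a hypothetical multipart limit check
 * that combines maxPostSize + maxFileSize in 32-bit int arithmetic, beside
 * a hardened version that keeps the two limits independent.
 * Method names, parameter types and the check's structure are assumptions.
 */
public class MultipartLimitOverflow {

    /** A negative limit means "unlimited", the convention both settings use. */
    static boolean withinLimit(long actual, long limit) {
        return limit < 0 || actual <= limit;
    }

    /** Overflow-prone variant: the int sum wraps negative once it exceeds 2^31 - 1. */
    static boolean vulnerableAccept(int maxPostSize, int maxFileSize,
                                    long nonFileTotal, long largestPart) {
        int cap = maxPostSize + maxFileSize;     // wraps when the sum > Integer.MAX_VALUE
        if (cap < 0) {
            return true;                         // wrapped value misread as "no limit": nothing enforced
        }
        return withinLimit(nonFileTotal, maxPostSize) && withinLimit(largestPart, maxFileSize);
    }

    /** Hardened variant: never combine the limits; enforce each against its own quantity. */
    static boolean hardenedAccept(int maxPostSize, int maxFileSize,
                                  long nonFileTotal, long largestPart) {
        return withinLimit(nonFileTotal, maxPostSize) && withinLimit(largestPart, maxFileSize);
    }

    /** If a combined value is really needed, widen to long: two ints cannot wrap a long. */
    static long combinedCap(int maxPostSize, int maxFileSize) {
        return (long) maxPostSize + maxFileSize;
    }

    public static void main(String[] args) {
        int maxPostSize = 2 * 1024 * 1024;        // Tomcat's default maxPostSize: 2 MiB
        int maxFileSize = Integer.MAX_VALUE;      // ~2 GiB per part: the "unlikely" configuration
        long nonFileTotal = 512L * 1024 * 1024;   // constructed: 512 MiB of non-file parts in one request
        long largestPart = nonFileTotal;

        System.out.println("int sum  = " + (maxPostSize + maxFileSize));
        System.out.println("long sum = " + combinedCap(maxPostSize, maxFileSize));
        System.out.println("vulnerable check accepts request: "
                + vulnerableAccept(maxPostSize, maxFileSize, nonFileTotal, largestPart));
        System.out.println("hardened check accepts request:   "
                + hardenedAccept(maxPostSize, maxFileSize, nonFileTotal, largestPart));

        // Math.addExact throws instead of wrapping, so any leftover int addition of
        // two limits fails loudly at configuration time rather than silently at runtime.
        try {
            Math.addExact(maxPostSize, maxFileSize);
        } catch (ArithmeticException e) {
            System.out.println("Math.addExact rejected the sum: " + e.getMessage());
        }
    }
}
```

Run it with `javac MultipartLimitOverflow.java && java MultipartLimitOverflow`. With these inputs the int sum is negative, so the overflow-prone check accepts a 512 MiB non-file payload that is far above the 2 MiB maxPostSize, while the hardened check rejects it; a configuration with a small maxFileSize keeps the sum below 2^31 and both checks agree, which is why the advisory calls the affected configurations unlikely.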