Repository: commons-fileupload Updated Branches: refs/heads/master 4789a970d -> ea453a7dd
Updates for 1.3.3 release Project: http://git-wip-us.apache.org/repos/asf/commons-fileupload/repo Commit: http://git-wip-us.apache.org/repos/asf/commons-fileupload/commit/45333f96 Tree: http://git-wip-us.apache.org/repos/asf/commons-fileupload/tree/45333f96 Diff: http://git-wip-us.apache.org/repos/asf/commons-fileupload/diff/45333f96 Branch: refs/heads/master Commit: 45333f9697749372bc2f9f57b6700b78270ddb5f Parents: 106ad77 Author: Rob Tompkins <chtom...@gmail.com> Authored: Tue Jun 13 08:24:49 2017 -0400 Committer: Rob Tompkins <chtom...@gmail.com> Committed: Tue Jun 13 08:24:49 2017 -0400 ---------------------------------------------------------------------- README.md | 2 +- RELEASE-NOTES.txt | 18 ++++++++++++-- src/site/fml/faq.fml | 38 ++++++++++++++++++++++++++++++ src/site/xdoc/download_fileupload.xml | 26 ++++++++++---------- src/site/xdoc/index.xml | 8 ++++++- src/site/xdoc/security-reports.xml | 31 ++++++++++++++++++++++++ 6 files changed, 106 insertions(+), 17 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/commons-fileupload/blob/45333f96/README.md ---------------------------------------------------------------------- diff --git a/README.md b/README.md index 9b830e8..2ff60a9 100644 --- a/README.md +++ b/README.md @@ -63,7 +63,7 @@ Alternatively you can pull it from the central Maven repositories: <dependency> <groupId>commons-fileupload</groupId> <artifactId>commons-fileupload</artifactId> - <version>1.3.2</version> + <version>1.3.3</version> </dependency> ``` http://git-wip-us.apache.org/repos/asf/commons-fileupload/blob/45333f96/RELEASE-NOTES.txt ---------------------------------------------------------------------- diff --git a/RELEASE-NOTES.txt b/RELEASE-NOTES.txt index 8420977..444f61c 100644 --- a/RELEASE-NOTES.txt +++ b/RELEASE-NOTES.txt 
@@ -1,11 +1,25 @@ - Apache Commons FileUpload 1.3.2 RELEASE NOTES + Apache Commons FileUpload 1.3.3 RELEASE NOTES -The Apache Commons FileUpload team is pleased to announce the release of Apache Commons FileUpload 1.3.2. +The Apache Commons FileUpload team is pleased to announce the release of Apache Commons FileUpload 1.3.3. The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications. Version 1.3 onwards requires Java 5 or later. +No client code changes are required to migrate from version 1.3.0, 1.3.1, or 1.3.2, to 1.3.3 + +Changes in version 1.3.3 include: + +o FILEUPLOAD-279: DiskFileItem can no longer be deserialized, unless a particular system property is set. + + +For complete information on Apache Commons FileUpload, including instructions on how to submit bug reports, +patches, or suggestions for improvement, see the Apache Apache Commons FileUpload website: + +http://commons.apache.org/proper/commons-fileupload/ + +------------------------------------------------------------------------------ + No client code changes are required to migrate from version 1.3.1 to 1.3.2. Changes in version 1.3.2 include: http://git-wip-us.apache.org/repos/asf/commons-fileupload/blob/45333f96/src/site/fml/faq.fml ---------------------------------------------------------------------- diff --git a/src/site/fml/faq.fml b/src/site/fml/faq.fml index 15bfc76..3b80c77 100644 --- a/src/site/fml/faq.fml +++ b/src/site/fml/faq.fml 
@@ -174,4 +174,42 @@ try { </faq> </part> + <part id="security"> + <title>FileUpload and Flash</title> + + <faq id="diskfileitem-serializable"> + <question> I have read, that there is a security problem in Commons FileUpload, because there is a class called + DiskFileItem, which can be used for malicious attacks. + </question> + <answer> + <p> + It is true, that this class exists, and can be serialized/deserialized in FileUpload versions, up to, and + including 1.3.2. It is also true, that a malicious attacker can abuse this possibility to create abitraryly + located files (assuming the required permissions) with arbitrary contents, if he gets the opportunity to + provide specially crafted data, which is being deserialized by a Java application, which has either of the + above versions of Commons FileUpload in the classpath, and which puts no limitations on the classes being + deserialized. + </p> + <p> + That being said, we (the Apache Commons team) hold the view, that the actual problem is not the DiskFileItem + class, but the "if" in the previous sentence. A Java application should carefully consider, which classes + can be deserialized. A typical approach would be, for example, to provide a blacklist, or whitelist of + packages, and/or classes, which may, or may not be deserialized. + </p> + <p> + On the other hand, we acknowledge, that the likelyhood of application container vendors taking such a + simple security measure is extremely low. So, in order to support the Commons Fileupload users, we have + decided to choose a different approach: + </p> + <p> + Beginning with 1.3.3, the class DiskFileItem is still implementing the interface java.io.Serializable. + In other words, it still declares itself as serializable, and deserializable to the JVM. In practice, + however, an attempt to deserialize an instance of DiskFileItem will trigger an Exception. 
In the unlikely + case, that your application depends on the deserialization of DiskFileItems, you can revert to the + previous behaviour by setting the system property "org.apache.commons.fileupload.disk.DiskFileItem.serializable" + to "true". + </p> + </answer> + </faq> + </part> </faqs> http://git-wip-us.apache.org/repos/asf/commons-fileupload/blob/45333f96/src/site/xdoc/download_fileupload.xml ---------------------------------------------------------------------- diff --git a/src/site/xdoc/download_fileupload.xml b/src/site/xdoc/download_fileupload.xml index adc3185..72ad616 100644 --- a/src/site/xdoc/download_fileupload.xml +++ b/src/site/xdoc/download_fileupload.xml 
@@ -95,32 +95,32 @@ limitations under the License. </p> </subsection> </section> - <section name="Apache Commons FileUpload 1.3.2 (requires Java 1.5 or later)"> + <section name="Apache Commons FileUpload 1.3.3 (requires Java 1.5 or later)"> <subsection name="Binaries"> <table> <tr> - <td><a href="[preferred]/commons/fileupload/binaries/commons-fileupload-1.3.2-bin.tar.gz">commons-fileupload-1.3.2-bin.tar.gz</a></td> - <td><a href="http://www.apache.org/dist/commons/fileupload/binaries/commons-fileupload-1.3.2-bin.tar.gz.md5">md5</a></td> - <td><a href="http://www.apache.org/dist/commons/fileupload/binaries/commons-fileupload-1.3.2-bin.tar.gz.asc">pgp</a></td> + <td><a href="[preferred]/commons/fileupload/binaries/commons-fileupload-1.3.3-bin.tar.gz">commons-fileupload-1.3.3-bin.tar.gz</a></td> + <td><a href="http://www.apache.org/dist/commons/fileupload/binaries/commons-fileupload-1.3.3-bin.tar.gz.md5">md5</a></td> + <td><a href="http://www.apache.org/dist/commons/fileupload/binaries/commons-fileupload-1.3.3-bin.tar.gz.asc">pgp</a></td> </tr> <tr> - <td><a href="[preferred]/commons/fileupload/binaries/commons-fileupload-1.3.2-bin.zip">commons-fileupload-1.3.2-bin.zip</a></td> - <td><a href="http://www.apache.org/dist/commons/fileupload/binaries/commons-fileupload-1.3.2-bin.zip.md5">md5</a></td> - <td><a href="http://www.apache.org/dist/commons/fileupload/binaries/commons-fileupload-1.3.2-bin.zip.asc">pgp</a></td> + <td><a href="[preferred]/commons/fileupload/binaries/commons-fileupload-1.3.3-bin.zip">commons-fileupload-1.3.3-bin.zip</a></td> + <td><a href="http://www.apache.org/dist/commons/fileupload/binaries/commons-fileupload-1.3.3-bin.zip.md5">md5</a></td> + <td><a href="http://www.apache.org/dist/commons/fileupload/binaries/commons-fileupload-1.3.3-bin.zip.asc">pgp</a></td> </tr> </table> </subsection> <subsection name="Source"> <table> <tr> - <td><a 
href="[preferred]/commons/fileupload/source/commons-fileupload-1.3.2-src.tar.gz">commons-fileupload-1.3.2-src.tar.gz</a></td> - <td><a href="http://www.apache.org/dist/commons/fileupload/source/commons-fileupload-1.3.2-src.tar.gz.md5">md5</a></td> - <td><a href="http://www.apache.org/dist/commons/fileupload/source/commons-fileupload-1.3.2-src.tar.gz.asc">pgp</a></td> + <td><a href="[preferred]/commons/fileupload/source/commons-fileupload-1.3.3-src.tar.gz">commons-fileupload-1.3.3-src.tar.gz</a></td> + <td><a href="http://www.apache.org/dist/commons/fileupload/source/commons-fileupload-1.3.3-src.tar.gz.md5">md5</a></td> + <td><a href="http://www.apache.org/dist/commons/fileupload/source/commons-fileupload-1.3.3-src.tar.gz.asc">pgp</a></td> </tr> <tr> - <td><a href="[preferred]/commons/fileupload/source/commons-fileupload-1.3.2-src.zip">commons-fileupload-1.3.2-src.zip</a></td> - <td><a href="http://www.apache.org/dist/commons/fileupload/source/commons-fileupload-1.3.2-src.zip.md5">md5</a></td> - <td><a href="http://www.apache.org/dist/commons/fileupload/source/commons-fileupload-1.3.2-src.zip.asc">pgp</a></td> + <td><a href="[preferred]/commons/fileupload/source/commons-fileupload-1.3.3-src.zip">commons-fileupload-1.3.3-src.zip</a></td> + <td><a href="http://www.apache.org/dist/commons/fileupload/source/commons-fileupload-1.3.3-src.zip.md5">md5</a></td> + <td><a href="http://www.apache.org/dist/commons/fileupload/source/commons-fileupload-1.3.3-src.zip.asc">pgp</a></td> </tr> </table> </subsection> http://git-wip-us.apache.org/repos/asf/commons-fileupload/blob/45333f96/src/site/xdoc/index.xml ---------------------------------------------------------------------- diff --git a/src/site/xdoc/index.xml b/src/site/xdoc/index.xml index 824e389..876077d 100644 --- a/src/site/xdoc/index.xml +++ b/src/site/xdoc/index.xml 
@@ -67,12 +67,18 @@ <section name="Downloading"> <subsection name="Full Releases"> - <p><strong>FileUpload 1.3.2</strong> - 26 May 2016</p> + <p><strong>FileUpload 1.3.3</strong> - 13 June 2017</p> <ul> <li>Download the binary and source distributions from a mirror site <a href="http://commons.apache.org/fileupload/download_fileupload.cgi">here</a> </li> </ul> + <p><strong>FileUpload 1.3.2</strong> - 26 May 2016</p> + <ul> + <li>Download the binary and source distributions from the archive site + <a href="http://archive.apache.org/dist/commons/fileupload/">here</a> + </li> + </ul> <p><strong>FileUpload 1.3.1</strong> - 7 February 2014</p> <ul> <li>Download the binary and source distributions from the archive site http://git-wip-us.apache.org/repos/asf/commons-fileupload/blob/45333f96/src/site/xdoc/security-reports.xml ---------------------------------------------------------------------- diff --git a/src/site/xdoc/security-reports.xml b/src/site/xdoc/security-reports.xml index 04333f5..558410a 100644 --- a/src/site/xdoc/security-reports.xml +++ b/src/site/xdoc/security-reports.xml 
@@ -52,6 +52,37 @@ href="http://commons.apache.org/security.html">security page of the Apache Commons project</a>.</p> + <subsection name="Notes on Apache Commons FileUpload 1.3.3"> + <p> + Regarding potential security problems with the class called DiskFileItem, + it is true, that this class exists, and can be serialized/deserialized in FileUpload versions, up to, and + including 1.3.2. It is also true, that a malicious attacker can abuse this possibility to create abitraryly + located files (assuming the required permissions) with arbitrary contents, if he gets the opportunity to + provide specially crafted data, which is being deserialized by a Java application, which has either of the + above versions of Commons FileUpload in the classpath, and which puts no limitations on the classes being + deserialized. + </p> + <p> + That being said, we (the Apache Commons team) hold the view, that the actual problem is not the DiskFileItem + class, but the "if" in the previous sentence. A Java application should carefully consider, which classes + can be deserialized. A typical approach would be, for example, to provide a blacklist, or whitelist of + packages, and/or classes, which may, or may not be deserialized. + </p> + <p> + On the other hand, we acknowledge, that the likelyhood of application container vendors taking such a + simple security measure is extremely low. So, in order to support the Commons Fileupload users, we have + decided to choose a different approach: + </p> + <p> + Beginning with 1.3.3, the class DiskFileItem is still implementing the interface java.io.Serializable. + In other words, it still declares itself as serializable, and deserializable to the JVM. In practice, + however, an attempt to deserialize an instance of DiskFileItem will trigger an Exception. 
In the unlikely + case, that your application depends on the deserialization of DiskFileItems, you can revert to the + previous behaviour by setting the system property "org.apache.commons.fileupload.disk.DiskFileItem.serializable" + to "true". + </p> + </subsection> + <subsection name="Fixed in Apache Commons FileUpload 1.3.2"> <p><b>Low: Denial of Service</b> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092">CVE-2016-3092</a></p>
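Review bot: In the RELEASE-NOTES.txt hunk, the new migration sentence is missing its terminating period ("...or 1.3.2, to 1.3.3") and the website reference reads "the Apache Apache Commons FileUpload website" (duplicated "Apache"); both should be fixed. The FILEUPLOAD-279 entry also says deserialization is blocked "unless a particular system property is set" without naming it, while the faq.fml hunk in this same commit names `org.apache.commons.fileupload.disk.DiskFileItem.serializable`; stating the property here as well would let users evaluate the change from the release notes alone.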
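Review bot: In the src/site/fml/faq.fml hunk, the new `<part id="security">` is titled "FileUpload and Flash", which does not match its content (a DiskFileItem deserialization entry); a title such as "Security" would fit the `id`. The answer text has two spelling errors, "abitraryly" (arbitrarily) and "likelyhood" (likelihood), and "either of the above versions" is ambiguous because the preceding sentence names a range ("up to, and including 1.3.2") rather than two versions; "any of the affected versions" would be clearer. Since the paragraph deliberately documents an opt-out (`...DiskFileItem.serializable` set to "true"), it would help readers to say explicitly that enabling it restores the pre-1.3.3 exposure and should only be done where untrusted input is never deserialized.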
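Review bot: The src/site/xdoc/security-reports.xml hunk duplicates the four FAQ paragraphs almost verbatim, including the same spelling errors ("abitraryly", "likelyhood") and the same ambiguous "either of the above versions"; keeping one canonical copy (for example a short note here that links to the `diskfileitem-serializable` FAQ entry) would avoid the two texts drifting apart. The new subsection is also named "Notes on Apache Commons FileUpload 1.3.3" while the neighbouring subsections follow the "Fixed in Apache Commons FileUpload x.y.z" convention and lead with a severity and a tracker reference; following that convention and citing FILEUPLOAD-279 (named in the RELEASE-NOTES.txt hunk) would make the entry consistent with the rest of the page.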