svn commit: r1798605 - /commons/cms-site/trunk/doap/doap_fileupload.rdf
Author: chtompki Date: Tue Jun 13 14:10:38 2017 New Revision: 1798605 URL: http://svn.apache.org/viewvc?rev=1798605=rev Log: Adding fileupload 1.3.3 release Modified: commons/cms-site/trunk/doap/doap_fileupload.rdf Modified: commons/cms-site/trunk/doap/doap_fileupload.rdf URL: http://svn.apache.org/viewvc/commons/cms-site/trunk/doap/doap_fileupload.rdf?rev=1798605=1798604=1798605=diff == --- commons/cms-site/trunk/doap/doap_fileupload.rdf (original) +++ commons/cms-site/trunk/doap/doap_fileupload.rdf Tue Jun 13 14:10:38 2017 @@ -40,6 +40,13 @@ commons-fileupload +2017-06-13 +1.3.3 + + + + +commons-fileupload 2016-05-26 1.3.2
[commons-fileupload] Git Push Summary
Repository: commons-fileupload
Updated Tags: refs/tags/commons-fileupload-1.3.3 [created] 834ada101
svn commit: r1798595 - /commons/cms-site/trunk/conf/component_releases.properties
Author: chtompki Date: Tue Jun 13 12:57:21 2017 New Revision: 1798595 URL: http://svn.apache.org/viewvc?rev=1798595=rev Log: Update fileupload release date/version Modified: commons/cms-site/trunk/conf/component_releases.properties Modified: commons/cms-site/trunk/conf/component_releases.properties URL: http://svn.apache.org/viewvc/commons/cms-site/trunk/conf/component_releases.properties?rev=1798595=1798594=1798595=diff == --- commons/cms-site/trunk/conf/component_releases.properties (original) +++ commons/cms-site/trunk/conf/component_releases.properties Tue Jun 13 12:57:21 2017 @@ -34,8 +34,8 @@ emailVersion=1.4 emailReleased=2015-05-23 execVersion=1.3 execReleased=2014-11-06 -fileuploadVersion=1.3.2 -fileuploadReleased=2016-05-26 +fileuploadVersion=1.3.3 +fileuploadReleased=2017-06-13 functorVersion=1.0 functorReleased=2011-??-?? imagingVersion=0.97-incubator
[2/7] commons-fileupload git commit: Replace menu entry SVN repository by Source repository
Replace menu entry SVN repository by Source repository Project: http://git-wip-us.apache.org/repos/asf/commons-fileupload/repo Commit: http://git-wip-us.apache.org/repos/asf/commons-fileupload/commit/5f626e48 Tree: http://git-wip-us.apache.org/repos/asf/commons-fileupload/tree/5f626e48 Diff: http://git-wip-us.apache.org/repos/asf/commons-fileupload/diff/5f626e48 Branch: refs/heads/master Commit: 5f626e48948cbe4ad25cd2463e68d4ef955b5af8 Parents: e0a5ef2 Author: Bruno P. KinoshitaAuthored: Sun Jun 11 16:57:26 2017 +1200 Committer: Rob Tompkins Committed: Tue Jun 13 08:35:22 2017 -0400 -- src/site/site.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- http://git-wip-us.apache.org/repos/asf/commons-fileupload/blob/5f626e48/src/site/site.xml -- diff --git a/src/site/site.xml b/src/site/site.xml index b94177b..48a6288 100644 --- a/src/site/site.xml +++ b/src/site/site.xml @@ -36,7 +36,7 @@ - +
[6/7] commons-fileupload git commit: Upgrades to site to have both dev and release javadocs
Upgrades to site to have both dev and release javadocs Project: http://git-wip-us.apache.org/repos/asf/commons-fileupload/repo Commit: http://git-wip-us.apache.org/repos/asf/commons-fileupload/commit/a9b9f11b Tree: http://git-wip-us.apache.org/repos/asf/commons-fileupload/tree/a9b9f11b Diff: http://git-wip-us.apache.org/repos/asf/commons-fileupload/diff/a9b9f11b Branch: refs/heads/master Commit: a9b9f11b27aa5dc203785e20242423c0c3c0f39e Parents: cf75704 Author: Rob TompkinsAuthored: Tue Jun 13 08:49:58 2017 -0400 Committer: Rob Tompkins Committed: Tue Jun 13 08:49:58 2017 -0400 -- src/site/site.xml | 2 +- src/site/xdoc/index.xml | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) -- http://git-wip-us.apache.org/repos/asf/commons-fileupload/blob/a9b9f11b/src/site/site.xml -- diff --git a/src/site/site.xml b/src/site/site.xml index 48a6288..7c0b3ce 100644 --- a/src/site/site.xml +++ b/src/site/site.xml @@ -30,7 +30,7 @@ - + http://git-wip-us.apache.org/repos/asf/commons-fileupload/blob/a9b9f11b/src/site/xdoc/index.xml -- diff --git a/src/site/xdoc/index.xml b/src/site/xdoc/index.xml index 876077d..d74b763 100644 --- a/src/site/xdoc/index.xml +++ b/src/site/xdoc/index.xml @@ -59,7 +59,8 @@ User Guide Streaming API Frequently Asked Questions -JavaDoc API +JavaDoc API (Latest release) +JavaDoc API (Latest development) Project Reports You can also browse the Subversion repository.
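Review bot: in the src/site/xdoc/index.xml hunk, the unchanged line right after the two new JavaDoc entries still reads "You can also browse the Subversion repository.", while commit 5f626e48 in this same push renames the site menu entry from "SVN repository" to "Source repository". Suggest updating that sentence in this change as well, so the landing page and the menu name the same repository.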
[1/7] commons-fileupload git commit: Updates for 1.3.3 release
Repository: commons-fileupload Updated Branches: refs/heads/master 4789a970d -> ea453a7dd Updates for 1.3.3 release Project: http://git-wip-us.apache.org/repos/asf/commons-fileupload/repo Commit: http://git-wip-us.apache.org/repos/asf/commons-fileupload/commit/45333f96 Tree: http://git-wip-us.apache.org/repos/asf/commons-fileupload/tree/45333f96 Diff: http://git-wip-us.apache.org/repos/asf/commons-fileupload/diff/45333f96 Branch: refs/heads/master Commit: 45333f9697749372bc2f9f57b6700b78270ddb5f Parents: 106ad77 Author: Rob TompkinsAuthored: Tue Jun 13 08:24:49 2017 -0400 Committer: Rob Tompkins Committed: Tue Jun 13 08:24:49 2017 -0400 -- README.md | 2 +- RELEASE-NOTES.txt | 18 -- src/site/fml/faq.fml | 38 ++ src/site/xdoc/download_fileupload.xml | 26 ++-- src/site/xdoc/index.xml | 8 ++- src/site/xdoc/security-reports.xml| 31 6 files changed, 106 insertions(+), 17 deletions(-) -- http://git-wip-us.apache.org/repos/asf/commons-fileupload/blob/45333f96/README.md -- diff --git a/README.md b/README.md index 9b830e8..2ff60a9 100644 --- a/README.md +++ b/README.md @@ -63,7 +63,7 @@ Alternatively you can pull it from the central Maven repositories: commons-fileupload commons-fileupload - 1.3.2 + 1.3.3 ``` http://git-wip-us.apache.org/repos/asf/commons-fileupload/blob/45333f96/RELEASE-NOTES.txt -- diff --git a/RELEASE-NOTES.txt b/RELEASE-NOTES.txt index 8420977..444f61c 100644 --- a/RELEASE-NOTES.txt +++ b/RELEASE-NOTES.txt 
@@ -1,11 +1,25 @@ - Apache Commons FileUpload 1.3.2 RELEASE NOTES + Apache Commons FileUpload 1.3.3 RELEASE NOTES -The Apache Commons FileUpload team is pleased to announce the release of Apache Commons FileUpload 1.3.2. +The Apache Commons FileUpload team is pleased to announce the release of Apache Commons FileUpload 1.3.3. The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications. Version 1.3 onwards requires Java 5 or later. +No client code changes are required to migrate from version 1.3.0, 1.3.1, or 1.3.2, to 1.3.3 + +Changes in version 1.3.3 include: + +o FILEUPLOAD-279: DiskFileItem can no longer be deserialized, unless a particular system property is set. + + +For complete information on Apache Commons FileUpload, including instructions on how to submit bug reports, +patches, or suggestions for improvement, see the Apache Apache Commons FileUpload website: + +http://commons.apache.org/proper/commons-fileupload/ + +-- + No client code changes are required to migrate from version 1.3.1 to 1.3.2. Changes in version 1.3.2 include: http://git-wip-us.apache.org/repos/asf/commons-fileupload/blob/45333f96/src/site/fml/faq.fml -- diff --git a/src/site/fml/faq.fml b/src/site/fml/faq.fml index 15bfc76..3b80c77 100644 --- a/src/site/fml/faq.fml +++ b/src/site/fml/faq.fml 
@@ -174,4 +174,42 @@ try { + + FileUpload and Flash + + + I have read, that there is a security problem in Commons FileUpload, because there is a class called + DiskFileItem, which can be used for malicious attacks. + + + +It is true, that this class exists, and can be serialized/deserialized in FileUpload versions, up to, and +including 1.3.2. It is also true, that a malicious attacker can abuse this possibility to create abitraryly +located files (assuming the required permissions) with arbitrary contents, if he gets the opportunity to +provide specially crafted data, which is being deserialized by a Java application, which has either of the +above versions of Commons FileUpload in the classpath, and which puts no limitations on the classes being +deserialized. + + +That being said, we (the Apache Commons team) hold the view, that the actual problem is not the DiskFileItem +class, but the "if" in the previous sentence. A Java application should carefully consider, which classes +can be deserialized. A typical approach would be, for example, to provide a blacklist, or whitelist of +packages, and/or classes, which may, or may not be deserialized. + + +On the other hand, we
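Review bot: the FILEUPLOAD-279 entry in the RELEASE-NOTES.txt hunk says DiskFileItem can be deserialized only when "a particular system property is set" but never names the property, so someone who needs the old behaviour, or who wants to audit that nothing in a deployment re-enables it, has nothing to search for. Suggest naming the property and the value it must have. In the same hunk, "see the Apache Apache Commons FileUpload website" repeats a word, and the 1.3.3 migration sentence has lost its closing period.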
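Review bot: in the src/site/fml/faq.fml hunk, the answer presents "a blacklist, or whitelist" of deserializable classes as interchangeable options; a blacklist only covers classes someone has already thought to exclude, so the FAQ would serve readers better by recommending the whitelist first. Also in the added text, "abitraryly located files" should read "arbitrarily located files".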
[3/7] commons-fileupload git commit: Fix indentation
Fix indentation Project: http://git-wip-us.apache.org/repos/asf/commons-fileupload/repo Commit: http://git-wip-us.apache.org/repos/asf/commons-fileupload/commit/1ac37093 Tree: http://git-wip-us.apache.org/repos/asf/commons-fileupload/tree/1ac37093 Diff: http://git-wip-us.apache.org/repos/asf/commons-fileupload/diff/1ac37093 Branch: refs/heads/master Commit: 1ac37093bd8ca26438e962e7f51576c6244a1bc5 Parents: 45333f9 Author: Bruno P. KinoshitaAuthored: Sun Jun 11 16:17:32 2017 +1200 Committer: Rob Tompkins Committed: Tue Jun 13 08:35:22 2017 -0400 -- .../java/org/apache/commons/fileupload/portlet/package-info.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- http://git-wip-us.apache.org/repos/asf/commons-fileupload/blob/1ac37093/src/main/java/org/apache/commons/fileupload/portlet/package-info.java -- diff --git a/src/main/java/org/apache/commons/fileupload/portlet/package-info.java b/src/main/java/org/apache/commons/fileupload/portlet/package-info.java index 7251b60..e39b6ca 100644 --- a/src/main/java/org/apache/commons/fileupload/portlet/package-info.java +++ b/src/main/java/org/apache/commons/fileupload/portlet/package-info.java @@ -30,7 +30,7 @@ * The following code fragment demonstrates typical usage. * * - * DiskFileItemFactory factory = new DiskFileItemFactory(); + *DiskFileItemFactory factory = new DiskFileItemFactory(); *// Configure the factory here, if desired. *PortletFileUpload upload = new PortletFileUpload(factory); *// Configure the uploader here, if desired.
[5/7] commons-fileupload git commit: Merging 1.3.3 changes.xml into master, code seems already fixed
Merging 1.3.3 changes.xml into master, code seems already fixed Project: http://git-wip-us.apache.org/repos/asf/commons-fileupload/repo Commit: http://git-wip-us.apache.org/repos/asf/commons-fileupload/commit/cf75704e Tree: http://git-wip-us.apache.org/repos/asf/commons-fileupload/tree/cf75704e Diff: http://git-wip-us.apache.org/repos/asf/commons-fileupload/diff/cf75704e Branch: refs/heads/master Commit: cf75704e4dabb979a92b35b6a68a3cc59aa53bd5 Parents: 5f626e4 Author: Jochen WiedmannAuthored: Wed Nov 23 02:42:13 2016 +0100 Committer: Rob Tompkins Committed: Tue Jun 13 08:38:56 2017 -0400 -- src/changes/changes.xml | 8 +++- 1 file changed, 7 insertions(+), 1 deletion(-) -- http://git-wip-us.apache.org/repos/asf/commons-fileupload/blob/cf75704e/src/changes/changes.xml -- diff --git a/src/changes/changes.xml b/src/changes/changes.xml index 7a1c7a1..8b2391c 100644 --- a/src/changes/changes.xml +++ b/src/changes/changes.xml @@ -62,7 +62,13 @@ The type attribute can be add,update,fix,remove. Improve performance for large multi-part boundaries - + + +DiskDileItem can actually no longer be deserialized, unless a system property is set to true. + + + + SECURITY - CVE-2016-3092. Performance Improvement in MultipartStream.
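Review bot: the new src/changes/changes.xml entry misspells the class as "DiskDileItem"; it should be "DiskFileItem", which is the name people will search the change log for. The entry also says only "a system property is set to true" without naming the property; suggest including the name so the opt-in can be found and audited. Since the commit message says the code "seems already fixed", a pointer to the commit or test that confirms the behaviour would make this entry safer to ship.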
[7/7] commons-fileupload git commit: Merge branch 'master' of https://git-wip-us.apache.org/repos/asf/commons-fileupload
Merge branch 'master' of https://git-wip-us.apache.org/repos/asf/commons-fileupload

Project: http://git-wip-us.apache.org/repos/asf/commons-fileupload/repo
Commit: http://git-wip-us.apache.org/repos/asf/commons-fileupload/commit/ea453a7d
Tree: http://git-wip-us.apache.org/repos/asf/commons-fileupload/tree/ea453a7d
Diff: http://git-wip-us.apache.org/repos/asf/commons-fileupload/diff/ea453a7d

Branch: refs/heads/master
Commit: ea453a7dd1420c185ab29598563375b4d06cfc80
Parents: a9b9f11 4789a97
Author: Rob Tompkins
Authored: Tue Jun 13 08:53:03 2017 -0400
Committer: Rob Tompkins
Committed: Tue Jun 13 08:53:03 2017 -0400
[4/7] commons-fileupload git commit: Minor changes to streaming docs (commas), and remove duplicate 'and'
Minor changes to streaming docs (commas), and remove duplicate 'and' Project: http://git-wip-us.apache.org/repos/asf/commons-fileupload/repo Commit: http://git-wip-us.apache.org/repos/asf/commons-fileupload/commit/e0a5ef2a Tree: http://git-wip-us.apache.org/repos/asf/commons-fileupload/tree/e0a5ef2a Diff: http://git-wip-us.apache.org/repos/asf/commons-fileupload/diff/e0a5ef2a Branch: refs/heads/master Commit: e0a5ef2a27fcbaa63bf97da8442096b5183a7961 Parents: 1ac3709 Author: Bruno P. KinoshitaAuthored: Sun Jun 11 16:43:39 2017 +1200 Committer: Rob Tompkins Committed: Tue Jun 13 08:35:22 2017 -0400 -- src/site/xdoc/streaming.xml | 8 1 file changed, 4 insertions(+), 4 deletions(-) -- http://git-wip-us.apache.org/repos/asf/commons-fileupload/blob/e0a5ef2a/src/site/xdoc/streaming.xml -- diff --git a/src/site/xdoc/streaming.xml b/src/site/xdoc/streaming.xml index 5f2dd86..a765975 100644 --- a/src/site/xdoc/streaming.xml +++ b/src/site/xdoc/streaming.xml @@ -27,14 +27,14 @@ The traditional API, which is described in the User -Guide, assumes, that file items must be stored somewhere, before +Guide, assumes that file items must be stored somewhere before they are actually accessable by the user. This approach is convenient, because it allows easy access to an items contents. On the other hand, it is memory and time consuming. The streaming API allows you to trade a little bit of convenience for -optimal performance and and a low memory profile. Additionally, the +optimal performance and a low memory profile. Additionally, the API is more lightweight, thus easier to understand. @@ -42,7 +42,7 @@ Again, the FileUpload class is used for accessing the -form fields and fields in the order, in which they have been sent +form fields and fields in the order in which they have been sent by the client. However, the FileItemFactory is completely ignored. 
@@ -50,7 +50,7 @@ -First of all, do not forget to ensure, that a request actually is a +First of all, do not forget to ensure that a request actually is a a file upload request. This is typically done using the same static method, which you already know from the traditional API.
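Review bot: in the first src/site/xdoc/streaming.xml hunk (@@ -27,14), the unchanged lines still carry "accessable" and "an items contents"; since this commit is a wording pass over the same paragraph, correct them to "accessible" and "an item's contents" here too.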
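Review bot: in the @@ -42,7 hunk of src/site/xdoc/streaming.xml, the edited sentence still reads "accessing the form fields and fields in the order in which they have been sent"; the repeated "fields" looks like a dropped word, and it is worth settling what the second item was meant to be while the line is being touched.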
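Review bot: in the @@ -50,7 hunk of src/site/xdoc/streaming.xml, the edited line ends with "actually is a" and the next, unchanged line begins "a file upload request", so the rendered sentence still says "is a a file upload request". Drop one of the two articles; this is the same kind of duplicate the commit message says it removes for 'and'.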
svn commit: r20017 - in /release/commons/fileupload: ./ binaries/ source/
Author: chtompki
Date: Tue Jun 13 12:08:48 2017
New Revision: 20017
Log: Releasing commons-fileupload-1.3.3-RC6
Added:
    release/commons/fileupload/binaries/commons-fileupload-1.3.3-bin.tar.gz (with props)
    release/commons/fileupload/binaries/commons-fileupload-1.3.3-bin.tar.gz.asc
    release/commons/fileupload/binaries/commons-fileupload-1.3.3-bin.tar.gz.md5
    release/commons/fileupload/binaries/commons-fileupload-1.3.3-bin.tar.gz.sha1
    release/commons/fileupload/binaries/commons-fileupload-1.3.3-bin.zip (with props)
    release/commons/fileupload/binaries/commons-fileupload-1.3.3-bin.zip.asc
    release/commons/fileupload/binaries/commons-fileupload-1.3.3-bin.zip.md5
    release/commons/fileupload/binaries/commons-fileupload-1.3.3-bin.zip.sha1
    release/commons/fileupload/source/commons-fileupload-1.3.3-src.tar.gz (with props)
    release/commons/fileupload/source/commons-fileupload-1.3.3-src.tar.gz.asc
    release/commons/fileupload/source/commons-fileupload-1.3.3-src.tar.gz.md5
    release/commons/fileupload/source/commons-fileupload-1.3.3-src.tar.gz.sha1
    release/commons/fileupload/source/commons-fileupload-1.3.3-src.zip (with props)
    release/commons/fileupload/source/commons-fileupload-1.3.3-src.zip.asc
    release/commons/fileupload/source/commons-fileupload-1.3.3-src.zip.md5
    release/commons/fileupload/source/commons-fileupload-1.3.3-src.zip.sha1
Removed:
    release/commons/fileupload/binaries/commons-fileupload-1.3.2-bin.tar.gz
    release/commons/fileupload/binaries/commons-fileupload-1.3.2-bin.tar.gz.asc
    release/commons/fileupload/binaries/commons-fileupload-1.3.2-bin.tar.gz.md5
    release/commons/fileupload/binaries/commons-fileupload-1.3.2-bin.tar.gz.sha1
    release/commons/fileupload/binaries/commons-fileupload-1.3.2-bin.zip
    release/commons/fileupload/binaries/commons-fileupload-1.3.2-bin.zip.asc
    release/commons/fileupload/binaries/commons-fileupload-1.3.2-bin.zip.md5
    release/commons/fileupload/binaries/commons-fileupload-1.3.2-bin.zip.sha1
release/commons/fileupload/source/commons-fileupload-1.3.2-src.tar.gz release/commons/fileupload/source/commons-fileupload-1.3.2-src.tar.gz.asc release/commons/fileupload/source/commons-fileupload-1.3.2-src.tar.gz.md5 release/commons/fileupload/source/commons-fileupload-1.3.2-src.tar.gz.sha1 release/commons/fileupload/source/commons-fileupload-1.3.2-src.zip release/commons/fileupload/source/commons-fileupload-1.3.2-src.zip.asc release/commons/fileupload/source/commons-fileupload-1.3.2-src.zip.md5 release/commons/fileupload/source/commons-fileupload-1.3.2-src.zip.sha1 Modified: release/commons/fileupload/README.html release/commons/fileupload/RELEASE-NOTES.txt Modified: release/commons/fileupload/README.html == --- release/commons/fileupload/README.html (original) +++ release/commons/fileupload/README.html Tue Jun 13 12:08:48 2017 @@ -1,7 +1,7 @@ -Commons FileUpload 1.3.2 +Commons FileUpload 1.3.3 - This is the most current released version of Commons FileUpload, version 1.3.2. + This is the most current released version of Commons FileUpload, version 1.3.3. This release is available in both binary and source distributions. @@ -65,21 +65,21 @@ $ pgpk -a KEYS - $ pgpv commons-fileupload-1.3.2.tar.gz.asc + $ pgpv commons-fileupload-1.3.3.tar.gz.asc PGP command line (some versions): $ pgp -ka KEYS - $ pgp commons-fileupload-1.3.2.tar.gz.asc + $ pgp commons-fileupload-1.3.3.tar.gz.asc GnuPG: $ gpg --import KEYS - $ gpg --verify commons-fileupload-1.3.2.tar.gz.asc + $ gpg --verify commons-fileupload-1.3.3.tar.gz.asc Modified: release/commons/fileupload/RELEASE-NOTES.txt == --- release/commons/fileupload/RELEASE-NOTES.txt (original) +++ release/commons/fileupload/RELEASE-NOTES.txt Tue Jun 13 12:08:48 2017 
@@ -1,16 +1,16 @@ - Apache Commons FileUpload 1.3.2 RELEASE NOTES + Apache Commons FileUpload 1.3.3 RELEASE NOTES -The Apache Commons FileUpload team is pleased to announce the release of Apache Commons FileUpload 1.3.2. +The Apache Commons FileUpload team is pleased to announce the release of Apache Commons FileUpload 1.3.3. The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications. Version 1.3 onwards requires Java 5 or later. -No client code changes are required to migrate from version 1.3.1 to 1.3.2. +No client code changes are required to migrate from version 1.3.0, 1.3.1, or 1.3.2, to 1.3.3 -Changes in version 1.3.2 include: +Changes in version 1.3.3 include: -o FILEUPLOAD-272: Performance
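Review bot: the signature-verification commands in the README.html hunk (@@ -65,21) point at commons-fileupload-1.3.3.tar.gz.asc, but the signature files added in this revision are named commons-fileupload-1.3.3-bin.tar.gz.asc and commons-fileupload-1.3.3-src.tar.gz.asc (plus the .zip variants), so the pgpv, pgp and gpg --verify lines do not match any published file as written. Suggest using a real artifact name in all three, for example "$ gpg --verify commons-fileupload-1.3.3-bin.tar.gz.asc". The 1.3.2 lines being replaced had the same mismatch, so this is a good moment to correct it rather than carry it forward.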
Nexus: Promotion Completed
Message from: https://repository.apache.org
Description: Release Apache Commons Fileupload 1.3.3 RC6
Deployer properties:
"userAgent" = "Apache-Maven/3.5.0 (Java 1.8.0_131; Mac OS X 10.12.5)"
"userId" = "chtompki"
"ip" = "73.171.40.122"
Details: The following artifacts have been promoted to the "Releases" [id=releases] repository
Action performed by Rob Tompkins (chtompki)