[
https://issues.apache.org/jira/browse/JCR-5233?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Julian Reschke reassigned JCR-5233:
-----------------------------------
Assignee: Julian Reschke
> commons-fileupload (1.6) restricts header size in upload parts
> --------------------------------------------------------------
>
> Key: JCR-5233
> URL: https://issues.apache.org/jira/browse/JCR-5233
> Project: Jackrabbit Content Repository
> Issue Type: Task
> Components: jackrabbit-jcr-server
> Reporter: Julian Reschke
> Assignee: Julian Reschke
> Priority: Major
>
> With commons-fileupload 1.6, a restriction of header size in upload parts
> (512 bytes) was implemented due to a DoS CVE.
> This value can be overridden, like that:
>
> {noformat}
> diff --git
> a/jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/server/util/HttpMultipartPost.java
>
> b/jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/server/util/HttpMultipartPost.java
> index 26b1cb7c5..2f49978a8 100644
> ---
> a/jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/server/util/HttpMultipartPost.java
> +++
> b/jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/server/util/HttpMultipartPost.java
> @@ -65,6 +65,7 @@ class HttpMultipartPost {
> }
> ServletFileUpload upload = new
> ServletFileUpload(getFileItemFactory(tmpDir));
> + upload.setPartHeaderSizeMax(1024);
> // make sure the content disposition headers are read with the
> charset
> // specified in the request content type (or UTF-8 if no charset is
> specified).
> // see JCR
> {noformat}
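Review bot: The literal 1024 passed to upload.setPartHeaderSizeMax(1024) is an unexplained magic number. It doubles a limit that the description says was introduced because of a DoS CVE, and it cannot be adjusted without a rebuild. Consider a named constant with a comment that references JCR-5233 and states why this value was chosen. If deployments with longer paths are expected, read the value from configuration and enforce an upper bound, so the mitigation cannot be switched off in effect. A test that uploads a part whose headers exceed 512 bytes would pin the intended behaviour.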
> This apparently causes failures to upload parts with long paths.
> Questions: do we want to change the limit? To what? Does it need to be
> configurable?
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
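To help answer "to what?", this added example (not code from Jackrabbit or commons-fileupload) measures the header block of each part in a multipart/form-data body against the 512-byte default and the 1024 used in the patch. The sample body, its paths, the helper names, and the assumption that the limit counts every header byte up to and including the terminating blank line are constructed for illustration.

```python
"""Measure multipart part-header sizes against a limit (added example)."""

DEFAULT_LIMIT = 512   # per-part header limit stated in the issue
PATCHED_LIMIT = 1024  # value used in the proposed patch


def part_header_sizes(body: bytes, boundary: bytes) -> list[int]:
    """Return the header-block size in bytes of every part in `body`.

    Assumption: the size counted is everything after the boundary line up to
    and including the blank line (CRLF CRLF) that ends the part headers.
    """
    sizes = []
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter: no more parts
            break
        if chunk.startswith(b"\r\n"):        # CRLF that ends the boundary line
            chunk = chunk[2:]
        end = chunk.find(b"\r\n\r\n")
        if end < 0:
            raise ValueError("part headers are not terminated by a blank line")
        sizes.append(end + 4)
    return sizes


def over_limit(sizes: list[int], limit: int) -> list[int]:
    """Indexes of the parts whose header block exceeds `limit` bytes."""
    return [i for i, size in enumerate(sizes) if size > limit]


def sample_path(segments: int) -> str:
    """Constructed repository path with `segments` ten-character folders."""
    return "/content/" + "/".join(f"segment-{i:02d}" for i in range(segments)) + "/b.bin"


def build_body(boundary: bytes, fields: list[tuple[str, str]]) -> bytes:
    """Constructed upload: one file part per (field name, file name) pair."""
    out = b""
    for name, filename in fields:
        out += b"--" + boundary + b"\r\n"
        out += f'Content-Disposition: form-data; name="{name}"; filename="{filename}"\r\n'.encode()
        out += b"Content-Type: application/octet-stream\r\n\r\nx\r\n"
    return out + b"--" + boundary + b"--\r\n"


BOUNDARY = b"constructedBoundary42"
FIELDS = [("/content/a.txt", "a.txt"), (sample_path(40), "b.bin"), (sample_path(90), "b.bin")]
SAMPLE_BODY = build_body(BOUNDARY, FIELDS)
```

Run over a representative set of captured upload bodies, the largest value returned by `part_header_sizes` gives a lower bound for any limit that must not reject legitimate uploads.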