[ https://issues.apache.org/jira/browse/FILEUPLOAD-212?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Damian Kolasa updated FILEUPLOAD-212:
-------------------------------------

    Description: 
In FileUploadBase there is an issue when checking for upload request size, the 
check is based on presence of Content-Length header in request and FALSE 
assumption that when present it will represent the actual request size. Using 
this fact, attacker can supply request with defined Content-Length of 60 and 
bypass file upload restrictions, which can lead to successful Resource 
Depletion type attack. 

IMHO by default file upload should return the LimitedInputStream implementation 
for file upload.

  was:
In FileUploadBase there is an issue when checking for upload request size, the 
check is based on presence of Content-Length header in request and FALSE 
assumption than when present it will represent the actual request size. Using 
this attacker can supply request with Content-Length of 60 and bypass file 
upload restrictions, which can lead to successful Resource Depletion type 
attack. 

IMHO by default file upload should return the LimitedInputStream implementation 
for file upload.

    
> Insecure request size checking
> ------------------------------
>
>                 Key: FILEUPLOAD-212
>                 URL: https://issues.apache.org/jira/browse/FILEUPLOAD-212
>             Project: Commons FileUpload
>          Issue Type: Bug
>    Affects Versions: 1.2.2
>         Environment: Default configuration default environment.
>            Reporter: Damian Kolasa
>            Priority: Critical
>              Labels: max_upload_size, resource_depletion, security
>   Original Estimate: 48h
>  Remaining Estimate: 48h
>
> In FileUploadBase there is an issue when checking for upload request size, 
> the check is based on presence of Content-Length header in request and FALSE 
> assumption that when present it will represent the actual request size. Using 
> this fact, attacker can supply request with defined Content-Length of 60 and 
> bypass file upload restrictions, which can lead to successful Resource 
> Depletion type attack. 
> IMHO by default file upload should return the LimitedInputStream 
> implementation for file upload.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
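
The failure mode in the report, as an added example that is not part of the original message and not Commons FileUpload code: a size check that trusts the declared Content-Length next to a stream wrapper that counts the bytes actually read. The class and method names, the 1024-byte limit and the 4096-byte body are constructed for illustration; only the declared length of 60 comes from the report.

```java
import java.io.ByteArrayInputStream;
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;

// Hypothetical names throughout; this is not the library's implementation.
public class SizeCheckDemo {

    // Weak check: looks only at the value the client declared in the header.
    static boolean headerCheckPasses(long declaredLength, long sizeMax) {
        return declaredLength <= sizeMax;
    }

    // Hardened check: counts bytes as they are consumed and fails past the limit.
    static class CountingLimitStream extends FilterInputStream {
        private final long sizeMax;
        private long count;

        CountingLimitStream(InputStream in, long sizeMax) {
            super(in);
            this.sizeMax = sizeMax;
        }
        private void add(long n) throws IOException {
            if (n > 0 && (count += n) > sizeMax) {
                throw new IOException("body exceeds limit of " + sizeMax + " bytes");
            }
        }
        @Override public int read() throws IOException {
            int b = super.read();
            if (b != -1) add(1);
            return b;
        }
        @Override public int read(byte[] buf, int off, int len) throws IOException {
            int n = super.read(buf, off, len);
            add(n);               // n is -1 at end of stream and is ignored by add()
            return n;
        }
        @Override public long skip(long n) throws IOException {
            long s = super.skip(n);
            add(s);               // skipped bytes still count toward the limit
            return s;
        }
    }

    public static void main(String[] args) throws IOException {
        long sizeMax = 1024;              // constructed upload limit
        byte[] body = new byte[4096];     // constructed body, larger than declared
        System.out.println("header check passes: " + headerCheckPasses(60, sizeMax));
        try (InputStream in = new CountingLimitStream(new ByteArrayInputStream(body), sizeMax)) {
            byte[] buf = new byte[512];
            while (in.read(buf, 0, buf.length) != -1) { /* drain */ }
            System.out.println("body accepted");
        } catch (IOException e) {
            System.out.println("rejected while reading: " + e.getMessage());
        }
    }
}
```

The header check passes for the declared value of 60 while the counting stream rejects the same request once more than 1024 bytes have been read.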

        
