[
https://issues.apache.org/jira/browse/FILEUPLOAD-212?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Thomas Neidhart updated FILEUPLOAD-212:
---------------------------------------
Attachment: FILEUPLOAD-212.patch
The attached patch adds some more unit tests with a Content-Length header
provided in the request.
The tests also show that the described problem does not exist, as always a
LimitedInputStream is used, regardless if the Content-Length is provided or not.
So I would mark this as invalid.
> Insecure request size checking
> ------------------------------
>
> Key: FILEUPLOAD-212
> URL: https://issues.apache.org/jira/browse/FILEUPLOAD-212
> Project: Commons FileUpload
> Issue Type: Bug
> Affects Versions: 1.2.2
> Environment: Default configuration default environment.
> Reporter: Damian Kolasa
> Priority: Critical
> Labels: max_upload_size, resource_depletion, security
> Attachments: FILEUPLOAD-212.patch
>
> Original Estimate: 48h
> Remaining Estimate: 48h
>
> In FileUploadBase there is an issue when checking for upload request size,
> the check is based on presence of Content-Length header in request and FALSE
> assumption that when present it will represent the actual request size. Using
> this fact, attacker can supply request with defined Content-Length of 60 and
> bypass file upload restrictions, which can lead to successful Resource
> Depletion type attack.
> IMHO by default file upload should return the LimitedInputStream
> implementation for file upload.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
