[ https://issues.apache.org/jira/browse/FILEUPLOAD-297?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jochen Wiedmann resolved FILEUPLOAD-297.
----------------------------------------
    Resolution: Won't Fix

Rejected for reasons of upwards compatibility.

> Default maximum sizes for requests and files
> --------------------------------------------
>
>                 Key: FILEUPLOAD-297
>                 URL: https://issues.apache.org/jira/browse/FILEUPLOAD-297
>             Project: Commons FileUpload
>          Issue Type: Improvement
>            Reporter: Artem Smotrakov
>            Assignee: Jochen Wiedmann
>            Priority: Major
>         Attachments: default_upload_size_limits_v1.patch
>
>
> Currently FileUpload allows setting the maximum allowed size of a complete
> request and the maximum allowed size of a file to be uploaded. However the
> library doesn't set any default limitations. Introducing default values may
> be a little defense-in-depth measure to reduce a risk of (D)DoS attacks for
> applications which forgot to set such limits.
> Here is how other libraries/servers set such default values:
> # nginx sets the maximum allowed size of the client request body to 1MB
> ## [http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size]
> # By default, the IIS 7 upload limit is 30MB
> ## [https://docs.microsoft.com/en-us/windows/desktop/bits/upload-limits]
> # PHP sets max size of post data allowed to 8MB. PHP also sets the maximum
> size of an uploaded file to 2MB
> ## [https://www.php.net/manual/en/ini.core.php#ini.post-max-size]
> ## [https://www.php.net/manual/en/ini.core.php#ini.upload-max-filesize]
> # Spring Boot specifies the maximum size permitted for uploaded files. The
> default is 1MB. It also specifies the maximum size allowed for
> multipart/form-data requests. The default is 10MB.
> ## [https://docs.spring.io/spring-boot/docs/current/api/org/springframework/boot/autoconfigure/web/servlet/MultipartProperties.html]
> As you can see, default values look pretty different. I am attaching a patch
> which sets the maximum file size to 2MB and the maximum size of a request to
> 10MB.
> Adding such limits by default introduces a risk that some applications
> may break, so maybe the numbers should be higher. Please let me know if such
> an update is okay, and I'll create a pull request.