[ 
https://issues.apache.org/jira/browse/WW-5474?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17911454#comment-17911454
 ] 

Kusal Kithul-Godage commented on WW-5474:
-----------------------------------------

I think WW-5413 is a separate issue.

As far as this issue is concerned, it seems this behaviour is intended as per 
the discussion in [https://github.com/apache/commons-fileupload/pull/203] - it 
is a required measure to protect against DoS. Although yes, the configuration 
property name is very misleading.

I think the best course of action here would be to update the Struts 
documentation to reflect this.

> struts.multipart.maxFiles does not work as described/expected
> -------------------------------------------------------------
>
>                 Key: WW-5474
>                 URL: https://issues.apache.org/jira/browse/WW-5474
>             Project: Struts 2
>          Issue Type: Bug
>    Affects Versions: 6.3.0
>            Reporter: nikos dimitrakas
>            Priority: Major
>             Fix For: 7.1.0
>
>
> According to the documentation the property struts.multipart.maxFiles (which 
> defaults to 256) is supposed to set a limit to how many files a multi-part 
> form submission may include. But in reality, the specified value sets a limit 
> to how many parameter values the form may submit, including strings, 
> integers, booleans (from all input fields, checkboxes, hiddens, etc).
> The problem is in the method JakartaMultiPartRequest.parseRequest (part of 
> struts) when in the last line it calls upload.parseRequest which is in 
> FileUploadBase (part of commons-fileupload). That method tries to find the 
> FileItems from the provided RequestContext, but considers every parameter 
> value to be a FileItem and then throws a new FileCountLimitExceededException 
> when the number of parameter values (of any type) reaches the fileCountMax.
> I am not sure if the problem is in struts or in fileupload. Maybe the 
> provided RequestContext should somehow only include the file parameters so 
> that only they get counted. Or perhaps the documentation should be changed to 
> clarify that struts.multipart.maxFiles specifies the maximum number of 
> parameter values a multipart form may include.
> I also found the issue 
> [FILEUPLOAD-351|https://issues.apache.org/jira/browse/FILEUPLOAD-351] that 
> seems to point out the confusing behaviour. But until the issue has been 
> resolved in fileupload, struts behaves contrary to its own documentation at 
> [https://struts.apache.org/core-developers/file-upload]
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
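
The counting behaviour reported in WW-5474, as an added example that is not part of the original message and is not Struts or commons-fileupload code: a small Python model that counts every part of a constructed multipart/form-data body against the limit, the way the report describes for struts.multipart.maxFiles. The names build_form, count_parts, enforce_max_files and PartLimitExceeded are hypothetical, and rejecting once the part count exceeds the limit is an assumption of this model.

```python
from email import policy
from email.parser import BytesParser

BOUNDARY = "constructedBoundary"  # constructed sample value


class PartLimitExceeded(Exception):
    """Stand-in for the FileCountLimitExceededException named in the report."""


def build_form(fields, files):
    """Build a constructed multipart/form-data body from text fields and files."""
    chunks = []
    for name, value in fields:
        chunks.append(f'--{BOUNDARY}\r\nContent-Disposition: form-data; '
                      f'name="{name}"\r\n\r\n{value}\r\n')
    for name, filename, content in files:
        chunks.append(f'--{BOUNDARY}\r\nContent-Disposition: form-data; '
                      f'name="{name}"; filename="{filename}"\r\n'
                      f'Content-Type: text/plain\r\n\r\n{content}\r\n')
    chunks.append(f"--{BOUNDARY}--\r\n")
    return f"multipart/form-data; boundary={BOUNDARY}", "".join(chunks).encode()


def count_parts(content_type, body):
    """Return (all parts, parts that carry a filename, i.e. real uploads)."""
    raw = b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    total = uploads = 0
    for part in msg.iter_parts():
        total += 1
        if part.get_filename() is not None:
            uploads += 1
    return total, uploads


def enforce_max_files(content_type, body, max_files):
    """Model of the reported behaviour: the limit applies to every part,
    so text fields, checkboxes and hidden inputs consume it as well.
    Assumption: the request is rejected once the count exceeds max_files."""
    total, uploads = count_parts(content_type, body)
    if total > max_files:
        raise PartLimitExceeded(
            f"{total} parts ({uploads} uploads) exceed limit {max_files}")
    return total, uploads
```

When sizing the limit for a form, the first number returned by count_parts (all parts) is the one to compare against the configured value, not the number of file inputs.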
