[ http://issues.apache.org/jira/browse/MODPYTHON-40?page=all ]

Graham Dumpleton closed MODPYTHON-40:
-------------------------------------

> FieldStorage : don't stream file uploads to memory
> --------------------------------------------------
>
>          Key: MODPYTHON-40
>          URL: http://issues.apache.org/jira/browse/MODPYTHON-40
>      Project: mod_python
>         Type: Bug
>     Versions: 3.1.4
>     Reporter: Nicolas Lehuen
>      Fix For: 3.2.7
>
> In mod_python.py/util.py, line 169, we stream a file upload to disk only if
> its Content-Disposition header features a filename attribute. Otherwise, the
> file is streamed to memory, thus opening a potential DoS attack by uploading
> very large files.
> We should:
> 1) Always stream file upload to disk
> 2) Define a default maximum file size which could be overridable.
> 3) Allow for the user to specify in which directory file uploads should be
> made, with a default to a temporary directory / file.
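The three changes proposed in the issue above, sketched as an added example that is not mod_python's code or its actual fix. The names `spool_part` and `UploadTooLarge`, the chunk size and the default cap are assumptions chosen for illustration.

```python
import io
import tempfile

CHUNK_SIZE = 64 * 1024                # assumed read size per iteration
DEFAULT_MAX_SIZE = 10 * 1024 * 1024   # assumed default cap, overridable per call


class UploadTooLarge(Exception):
    """Raised when an upload part exceeds the configured maximum size."""


def spool_part(stream, max_size=DEFAULT_MAX_SIZE, upload_dir=None):
    """Copy one upload part to a temp file on disk, whatever its headers say.

    stream     -- file-like object positioned at the start of the part body
    max_size   -- maximum number of bytes accepted for this part
    upload_dir -- directory for the temp file; None uses the system temp dir
    Returns (open temp file rewound to offset 0, number of bytes written).
    """
    out = tempfile.TemporaryFile(dir=upload_dir)
    total = 0
    try:
        while True:
            # Read at most one byte past the cap, so memory use stays
            # bounded by CHUNK_SIZE regardless of how long the body is.
            chunk = stream.read(min(CHUNK_SIZE, max_size - total + 1))
            if not chunk:
                break
            total += len(chunk)
            if total > max_size:
                raise UploadTooLarge("part exceeds %d bytes" % max_size)
            out.write(chunk)
    except BaseException:
        out.close()   # closing a TemporaryFile also deletes it from disk
        raise
    out.seek(0)
    return out, total


if __name__ == "__main__":
    # Constructed sample: a 200 KiB body with no filename attribute at all.
    body = io.BytesIO(b"A" * (200 * 1024))
    spooled, size = spool_part(body, max_size=1024 * 1024)
    print("spooled %d bytes to disk" % size)
    spooled.close()
```

The decision to spool to disk does not depend on the Content-Disposition header, which is the condition the issue identifies as the cause of the in-memory path.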