Re: Unforking Commons FileUpload

2021-01-13 Thread Jeff Thompson
On 1/13/21 6:27 AM, Jesse Glick wrote: On Wed, Jan 13, 2021 at 12:09 AM Basil Crow wrote: Can you see a flaw in my reasoning? Sounds right from a five-second read. Just asking that anyone proposing an unfork do the work of checking that `FileParameterDefinit

Re: Unforking Commons FileUpload

2021-01-13 Thread Jesse Glick
On Wed, Jan 13, 2021 at 12:09 AM Basil Crow wrote: > Can you see a flaw in my reasoning? Sounds right from a five-second read. Just asking that anyone proposing an unfork do the work of checking that `FileParameterDefinition` is not affected (I am not sure that automated tests cover the form u

Re: Unforking Commons FileUpload

2021-01-13 Thread raihaan...@gmail.com
Turns out dependabot seems to want the unforking https://github.com/jenkinsci/jenkins/pull/5171 The comment regarding DiskFileItem in FileParameterValue dates back 13 years. Regarding JEP-200 there might be some rogue plugin that perhaps attempts to serialize this apparently unserializable objec

Re: Unforking Commons FileUpload

2021-01-12 Thread Basil Crow
On Tue, Jan 12, 2021 at 7:33 PM Jesse Glick wrote: > sounds like it would break normal usage from Jenkins The status quo is Commons FileUpload 1.3.1-jenkins-2 (patch in my previous message), which _already_ removed serialization from DiskFileItem. Here is the timeline of events upstream: Feb

Re: Unforking Commons FileUpload

2021-01-12 Thread Jesse Glick
https://dist.apache.org/repos/dist/release/commons/fileupload/RELEASE-NOTES.txt says
> The 1.4 release removes serialization from DiskFileItem for security reasons, which could be a breaking change depending upon one's mechanism of consumption of commons-fileupload.
which sounds like it woul
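The release note quoted above, the earlier worry about a rogue plugin still trying to serialize the object, and the request that anyone proposing an unfork check that `FileParameterDefinition` is not affected all reduce to one question: does the DiskFileItem on the classpath still go through Java serialization? The following is an added example, not Jenkins or Commons FileUpload code, that answers it two ways: statically by reflection (Serializable interface and custom hooks such as `readObject`) and dynamically by attempting a `writeObject`/`readObject` round trip. The two nested classes are constructed stand-ins so the program runs without the library; passing the real class name `org.apache.commons.fileupload.disk.DiskFileItem` with the jar on the classpath probes an actual build, and the answer then depends on which version (fork, 1.3.1, or 1.4) is there.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.lang.reflect.Method;

/**
 * Probe whether a class still takes part in Java serialization and whether it
 * carries custom serialization hooks. Added example; not Jenkins or Commons
 * FileUpload code. The two nested classes are constructed stand-ins.
 */
public final class SerializationProbe {

    /** Constructed stand-in for a class that still serializes and runs code on read. */
    static final class StillSerializable implements Serializable {
        private static final long serialVersionUID = 1L;
        final String repository = "/tmp/upload"; // in a real gadget this would be attacker-chosen

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject(); // a hook that runs during deserialization
        }
    }

    /** Constructed stand-in for the same data with serialization removed. */
    static final class NotSerializableAnymore {
        final String repository = "/tmp/upload";
    }

    /** Methods the JVM calls implicitly during (de)serialization. */
    static final String[] HOOKS = {"readObject", "writeObject", "readResolve", "writeReplace"};

    /** Static facts by reflection: Serializable marker and declared hooks. */
    static String describe(Class<?> c) {
        StringBuilder sb = new StringBuilder(c.getName());
        sb.append(" implements Serializable=").append(Serializable.class.isAssignableFrom(c));
        for (String hook : HOOKS) {
            for (Method m : c.getDeclaredMethods()) {
                if (m.getName().equals(hook)) {
                    sb.append(", declares ").append(hook);
                }
            }
        }
        return sb.toString();
    }

    /** Dynamic check: does an instance survive a write/read round trip? */
    static boolean roundTrips(Object o) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(o);
        } catch (NotSerializableException e) {
            return false; // the JVM refuses to write it: serialization really is gone
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
            return in.readObject() != null;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 1) {
            // e.g. java -cp commons-fileupload.jar:. SerializationProbe \
            //        org.apache.commons.fileupload.disk.DiskFileItem
            System.out.println(describe(Class.forName(args[0])));
            return;
        }
        System.out.println(describe(StillSerializable.class));
        System.out.println("round trips: " + roundTrips(new StillSerializable()));
        System.out.println(describe(NotSerializableAnymore.class));
        System.out.println("round trips: " + roundTrips(new NotSerializableAnymore()));
    }
}
```

The static check alone is not enough: a class can implement Serializable through an interface it inherits, and a class whose fields are all transient or unserializable will still fail at write time, which is why the round trip is attempted as well. Run it against the fork, against upstream 1.3.1, and against 1.4 to see concretely which builds still let DiskFileItem cross a serialization boundary.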

Re: Unforking Commons FileUpload

2021-01-12 Thread Jeff Thompson
The security advisory for SECURITY-159 states: "Security vulnerability in commons fileupload allows unauthenticated attacker to upload arbitrary files to the Jenkins controller." Is this "extra precaution" necessary? Do we want to consider unforking Commons FileUpload?

Unforking Commons FileUpload

2021-01-11 Thread Basil Crow
we want to consider unforking Commons FileUpload? diff --git a/pom.xml b/pom.xml index 5228423..b046e78 100644 --- a/pom.xml +++ b/pom.xml @@ -26,7 +26,7 @@ commons-fileupload commons-fileupload - 1.3.1 + 1.3.1-jenkins-2 Apache Commons FileUpload @@ -166,11 +166,6 @@
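Review bot: the first hunk records only the version string (`- 1.3.1` / `+ 1.3.1-jenkins-2`), and nothing in the visible pom.xml says what the fork changes; since the thread identifies the delta as removing serialization from DiskFileItem for SECURITY-159, a `<description>` or comment next to that version naming the change would let anyone evaluating an unfork, or an automated bump to 1.4 like the dependabot PR mentioned above, see what they would be giving up. The second hunk, `@@ -166,11 +166,6 @@`, drops five lines that are not shown in this excerpt, so it cannot be reviewed from here.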