Re: FileUpload 1.5 question
Please note that Apache Tomcat has a default behavior (contrary to Apache Commone FileUpload), and already limits the maximum parameter/files to 1. On 28/02/2023 17:40, A Name wrote: Thanks Oliver. I do use Apache Tomcat and was just unclear on how the settings are applied. I was really hoping not to have to submit a code change to address this fix. Upgrading Tomcat and adding the parameter to the connector is a much more efficient solution. On Tue, Feb 28, 2023 at 11:33 AM Olivier Jaquemet < olivier.jaque...@jalios.com> wrote: Hi, If you are a user of the Apache Common FileUpload library, you must set them manually, there are no limits in the default values for all those settings : https://github.com/apache/commons-fileupload/blob/commons-fileupload-1.5/src/main/java/org/apache/commons/fileupload/FileUploadBase.java#L156 If you are a user of Apache Tomcat, which uses a fork of Apache Common FileUpload library, you can configure the maximum number of parameters and files through "maxParameterCount". https://tomcat.apache.org/tomcat-9.0-doc/config/http.html Make sure you use the latest Tomcat version to benefit from CVE-2023-24998 fix. Olivier On 28/02/2023 17:22, A Name wrote: Just to confirm the various individual settings (individual file size, total upload size, number of files) are to be set programmatically or is there a configuration setting for them in an xml file? Thanks! Abt EXTERNAL SENDER: Do not click any links or open any attachments unless you trust the sender and know the content is safe. EXPÉDITEUR EXTERNE: Ne cliquez sur aucun lien et n’ouvrez aucune pièce jointe à moins qu’ils ne proviennent d’un expéditeur fiable, ou que vous ayez l'assurance que le contenu provient d'une source sûre. - To unsubscribe, e-mail: user-unsubscr...@commons.apache.org For additional commands, e-mail: user-h...@commons.apache.org EXTERNAL SENDER: Do not click any links or open any attachments unless you trust the sender and know the content is safe. EXPÉDITEUR EXTERNE: Ne cliquez sur aucun lien et n’ouvrez aucune pièce jointe à moins qu’ils ne proviennent d’un expéditeur fiable, ou que vous ayez l'assurance que le contenu provient d'une source sûre. - To unsubscribe, e-mail: user-unsubscr...@commons.apache.org For additional commands, e-mail: user-h...@commons.apache.org
Re: FileUpload 1.5 question
Thanks Oliver. I do use Apache Tomcat and was just unclear on how the settings are applied. I was really hoping not to have to submit a code change to address this fix. Upgrading Tomcat and adding the parameter to the connector is a much more efficient solution. On Tue, Feb 28, 2023 at 11:33 AM Olivier Jaquemet < olivier.jaque...@jalios.com> wrote: > Hi, > > If you are a user of the Apache Common FileUpload library, you must set > them manually, there are no limits in the default values for all those > settings : > > https://github.com/apache/commons-fileupload/blob/commons-fileupload-1.5/src/main/java/org/apache/commons/fileupload/FileUploadBase.java#L156 > > If you are a user of Apache Tomcat, which uses a fork of Apache Common > FileUpload library, you can configure the maximum number of parameters > and files through "maxParameterCount". > https://tomcat.apache.org/tomcat-9.0-doc/config/http.html > Make sure you use the latest Tomcat version to benefit from > CVE-2023-24998 fix. > > Olivier > > On 28/02/2023 17:22, A Name wrote: > > Just to confirm the various individual settings (individual file size, > > total upload size, number of files) are to be set programmatically or is > > there a configuration setting for them in an xml file? > > > > Thanks! > > > > Abt > > EXTERNAL SENDER: Do not click any links or open any attachments unless > you trust the sender and know the content is safe. > > EXPÉDITEUR EXTERNE: Ne cliquez sur aucun lien et n’ouvrez aucune pièce > jointe à moins qu’ils ne proviennent d’un expéditeur fiable, ou que vous > ayez l'assurance que le contenu provient d'une source sûre. > > > > - > To unsubscribe, e-mail: user-unsubscr...@commons.apache.org > For additional commands, e-mail: user-h...@commons.apache.org > >
Re: FileUpload 1.5 question
Hi, If you are a user of the Apache Common FileUpload library, you must set them manually, there are no limits in the default values for all those settings : https://github.com/apache/commons-fileupload/blob/commons-fileupload-1.5/src/main/java/org/apache/commons/fileupload/FileUploadBase.java#L156 If you are a user of Apache Tomcat, which uses a fork of Apache Common FileUpload library, you can configure the maximum number of parameters and files through "maxParameterCount". https://tomcat.apache.org/tomcat-9.0-doc/config/http.html Make sure you use the latest Tomcat version to benefit from CVE-2023-24998 fix. Olivier On 28/02/2023 17:22, A Name wrote: Just to confirm the various individual settings (individual file size, total upload size, number of files) are to be set programmatically or is there a configuration setting for them in an xml file? Thanks! Abt EXTERNAL SENDER: Do not click any links or open any attachments unless you trust the sender and know the content is safe. EXPÉDITEUR EXTERNE: Ne cliquez sur aucun lien et n’ouvrez aucune pièce jointe à moins qu’ils ne proviennent d’un expéditeur fiable, ou que vous ayez l'assurance que le contenu provient d'une source sûre. - To unsubscribe, e-mail: user-unsubscr...@commons.apache.org For additional commands, e-mail: user-h...@commons.apache.org