Re: Unforking Commons FileUpload

2021-01-13 Thread Jeff Thompson
On 1/13/21 6:27 AM, Jesse Glick wrote:
> On Wed, Jan 13, 2021 at 12:09 AM Basil Crow wrote:
> > Can you see a flaw in my reasoning?
>
> Sounds right from a five-second read. Just asking that anyone proposing an unfork do the work of checking that

Re: Unforking Commons FileUpload

2021-01-13 Thread Jesse Glick
On Wed, Jan 13, 2021 at 12:09 AM Basil Crow wrote:
> Can you see a flaw in my reasoning?

Sounds right from a five-second read. Just asking that anyone proposing an unfork do the work of checking that `FileParameterDefinition` is not affected (I am not sure that automated tests cover the form

Re: Unforking Commons FileUpload

2021-01-13 Thread raihaan...@gmail.com
Turns out dependabot seems to want the unforking: https://github.com/jenkinsci/jenkins/pull/5171

The comment regarding DiskFileItem in FileParameterValue dates back 13 years. Regarding JEP-200, there might be some rogue plugin that perhaps attempts to serialize this apparently unserializable

Re: Unforking Commons FileUpload

2021-01-12 Thread Basil Crow
On Tue, Jan 12, 2021 at 7:33 PM Jesse Glick wrote:
> sounds like it would break normal usage from Jenkins

The status quo is Commons FileUpload 1.3.1-jenkins-2 (patch in my previous message), which _already_ removed serialization from DiskFileItem. Here is the timeline of events upstream: Feb

Re: Unforking Commons FileUpload

2021-01-12 Thread Jesse Glick
https://dist.apache.org/repos/dist/release/commons/fileupload/RELEASE-NOTES.txt says

> The 1.4 release removes serialization from DiskFileItem for security
> reasons, which could be a
> breaking change depending upon one's mechanism of consumption of
> commons-fileupload.

which sounds like it

Re: Unforking Commons FileUpload

2021-01-12 Thread Jeff Thompson
y advisory for SECURITY-159 states: "Security vulnerability in commons fileupload allows unauthenticated attacker to upload arbitrary files to the Jenkins controller." Is this "extra precaution" necessary? Do we want to consider unforking Commons FileUpload? diff --git a/p

Unforking Commons FileUpload

2021-01-11 Thread Basil Crow
we want to consider unforking Commons FileUpload? diff --git a/pom.xml b/pom.xml index 5228423..b046e78 100644 --- a/pom.xml +++ b/pom.xml @@ -26,7 +26,7 @@ commons-fileupload commons-fileupload - 1.3.1 + 1.3.1-jenkins-2 Apache Commons FileUpload @@ -166,11 +166,6 @@
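Review bot: the `@@ -26,7 +26,7 @@` hunk moves the commons-fileupload version from the upstream `1.3.1` to the Jenkins-specific `1.3.1-jenkins-2` without leaving any record in pom.xml of why a fork is needed; add an XML comment next to the version naming the reason (the thread ties the fork to removing serialization from DiskFileItem for SECURITY-159) and the upstream release that would make the fork redundant, so that a later unfork is a deliberate revert rather than a rediscovery of this thread. The `@@ -166,11 +166,6 @@` hunk has no body visible in this extract, so nothing can be said about what it removes.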