On 20/02/2023 17:01, Olivier Jaquemet wrote:
On 20/02/2023 17:52, Mark Thomas wrote:
On 20/02/2023 16:40, Olivier Jaquemet wrote:

Does it mean that the 1.5 is not secured by default against
CVE-2023-24998, and require explicit configuration to be secured ?

Correct.

Commons FileUpload does not enable any of the limits (individual file
size, total upload size, number of files) by default. Each must be
configured explicitly.
So it should probably be specified in the online advisory that an upgrade to version 1.5 is required but not enough to fix the issue. Users of Commons FileUpload must also invoke setFileCountMax(long) [1] to configure the maximum number of files allowed per request.

Fair point. Updated.

Mark



Note that when Commons FileUpload is integrated into other products,
those products typically provide appropriate defaults for their use of
the library.

Indeed. But developers of those products must be informed of such features ;) You did in the changelog.

Thanks

[1] https://commons.apache.org/proper/commons-fileupload/apidocs/org/apache/commons/fileupload/FileUploadBase.html#setFileCountMax-long-
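The configuration the thread is talking about, as an added example (not code from the thread or from the Commons FileUpload project): a small handler that builds a ServletFileUpload for 1.5 with all three limits set explicitly, since the library enables none of them by default. The class name, the limit values and the use of the javax.servlet API are this example's own assumptions; the setter and exception names are the library's.

```java
import java.io.IOException;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileUploadBase;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;

/** Example handler (not project code) showing the explicit limits 1.5 expects. */
public final class BoundedUploadHandler {

    // Limits chosen for this example; tune them to the application's real needs.
    private static final long MAX_FILE_COUNT = 10;                  // parts per request
    private static final long MAX_FILE_SIZE = 5L * 1024 * 1024;     // 5 MiB per file
    private static final long MAX_REQUEST_SIZE = 20L * 1024 * 1024; // 20 MiB per request

    /** Builds a ServletFileUpload with every limit set; none is enabled by default. */
    static ServletFileUpload newUpload() {
        ServletFileUpload upload = new ServletFileUpload(new DiskFileItemFactory());
        // The setting the thread is about: without it, 1.5 still accepts any number of parts.
        upload.setFileCountMax(MAX_FILE_COUNT);
        upload.setFileSizeMax(MAX_FILE_SIZE);  // per individual file
        upload.setSizeMax(MAX_REQUEST_SIZE);   // whole request body
        return upload;
    }

    /** Parses a multipart request, mapping each limit violation to a clear failure. */
    public static List<FileItem> parse(HttpServletRequest request) throws IOException {
        if (!ServletFileUpload.isMultipartContent(request)) {
            throw new IOException("not a multipart request");
        }
        try {
            return newUpload().parseRequest(request);
        } catch (FileUploadBase.FileCountLimitExceededException e) {
            // Raised once more than MAX_FILE_COUNT parts have been seen.
            throw new IOException("too many parts in upload", e);
        } catch (FileUploadBase.SizeException e) {
            // Covers FileSizeLimitExceededException and SizeLimitExceededException.
            throw new IOException("upload exceeds configured size limit", e);
        } catch (FileUploadException e) {
            throw new IOException("malformed multipart upload", e);
        }
    }
}
```

Keeping the three setters together in one factory method makes the absence of any one of them easy to spot in review, which is the failure mode the advisory change discussed above is meant to prevent.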
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@commons.apache.org
For additional commands, e-mail: user-h...@commons.apache.org

