commons-issues mailing list archives

From "Thomas Neidhart (JIRA)" <>
Subject [jira] [Reopened] (FILEUPLOAD-212) Insecure request size checking
Date Sun, 10 Mar 2013 21:49:12 GMT


Thomas Neidhart reopened FILEUPLOAD-212:

Indeed you are right, using the Streaming API this can happen.
When looking at the issue, I did not see the second occurrence of the size check.
> Insecure request size checking
> ------------------------------
>                 Key: FILEUPLOAD-212
>                 URL:
>             Project: Commons FileUpload
>          Issue Type: Bug
>    Affects Versions: 1.2.2
>         Environment: Default configuration default environment.
>            Reporter: Damian Kolasa
>            Assignee: Thomas Neidhart
>            Priority: Critical
>              Labels: max_upload_size, resource_depletion, security
>             Fix For: 1.3
>         Attachments: FILEUPLOAD-212.patch
>   Original Estimate: 48h
>  Remaining Estimate: 48h
> In FileUploadBase there is an issue when checking the upload request size: the check
> is based on the presence of the Content-Length header in the request and the FALSE assumption
> that, when present, it will represent the actual request size. Using this fact, an attacker can
> supply a request with a defined Content-Length of 60 and bypass file upload restrictions, which
> can lead to a successful Resource Depletion type attack.
> IMHO by default file upload should return the LimitedInputStream implementation for file

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see:
