Posted to issues@struts.apache.org by "Don Brown (JIRA)" <ji...@apache.org> on 2007/09/03 03:51:34 UTC

[jira] Commented: (WW-2073) File upload - maximum size validation does not work; (JakartaMultiPartRequest with struts.multipart.maxSize overrides fileInterceptor.maxsize)

    [ https://issues.apache.org/struts/browse/WW-2073?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_42103 ] 

Don Brown commented on WW-2073:
-------------------------------

Hmm...I'm not sure we would want to do that.  By checking the max size in the parser, we ensure that we don't parse and download a huge (probably malicious) file.  This is important because it prevents a malicious user from submitting a 100 GB file that fills up our disk and brings the server down.  The FileUploadInterceptor max size validator, on the other hand, only kicks in once the file is parsed and stored on disk.

I do agree we need to erase this confusion.  As I said the parser max size check is a security feature, while the other is more of an application validation.  Any suggestions?

> File upload - maximum size validation does not work; (JakartaMultiPartRequest with struts.multipart.maxSize overrides fileInterceptor.maxsize)
> ----------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: WW-2073
>                 URL: https://issues.apache.org/struts/browse/WW-2073
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Interceptors
>    Affects Versions: 2.0.9
>            Reporter: Lukasz Racon
>             Fix For: 2.1.0
>
>
> By adding upload.setSizeMax to JakartaMultiPartRequest (@see https://issues.apache.org/struts/browse/WW-1549), the file upload interceptor max size validation has been disabled. Furthermore, whenever there is a single file above the allowed size, none of the request parameters are set on the action. This happens due to upload.parseRequest(createRequestContext(servletRequest)), which throws an exception (o.a.c.fileupload.FileItemIteratorImpl checks max size).
> If the application requires the parameters it will fail.
> There is also slight confusion and disconnect between:
> struts.multipart.maxSize and fileInterceptor.maxsize
> If you upload a file that exceeds the allowed struts.multipart.maxSize, fileInterceptor will never kick in.
> IMHO file upload interceptor should be responsible for max size validation (esp. that it reports errors as field errors and not as action errors).
> Furthermore, we should drop 'struts.multipart.maxSize' since it is confusing along with fileInterceptor.maxsize; also, fileInterceptor.maxsize should get a new default max size. The other option is to use struts.multipart.maxSize to set fileInterceptor.maxsize.
> This line should be removed so file interceptor can validate files:
> ------
> Index: src/main/java/org/apache/struts2/dispatcher/multipart/JakartaMultiPartRequest.java
> ===================================================================
> --- src/main/java/org/apache/struts2/dispatcher/multipart/JakartaMultiPartRequest.java (revision 560614)
> +++ src/main/java/org/apache/struts2/dispatcher/multipart/JakartaMultiPartRequest.java (working copy)
> @@ -86,7 +86,6 @@
>          // Parse the request
>          try {
>              ServletFileUpload upload = new ServletFileUpload(fac);
> - upload.setSizeMax(maxSize);
>              List items = upload.parseRequest(createRequestContext(servletRequest));
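Review bot: Dropping `upload.setSizeMax(maxSize);` ahead of `upload.parseRequest(...)` leaves the parse step with no size bound at all, so a request of any size is parsed in full before any later validation can reject it. Keep a limit on `upload` here and address the lost parameters separately, for example by catching the size exception around `parseRequest` inside this `try` and reporting it as an error the action can see. If the two settings are to be unified, feed one value to both checks rather than deleting this one.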
> -------------- 

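The distinction drawn in the comment above, between a cap enforced while the request is being read and a size check applied after the file is already stored, shown as an added example. This is not Struts or Commons FileUpload code: the class and method names, the 64 KB cap and the 1 MB sample body are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

public class UploadCapDemo {
    /** Hypothetical exception raised as soon as the body crosses the cap. */
    static class SizeLimitExceeded extends IOException {
        SizeLimitExceeded(long cap) { super("request body exceeds " + cap + " bytes"); }
    }

    /** Parser-level cap: abort the copy before writing past maxSize. Returns bytes stored. */
    static long storeWithCap(InputStream body, OutputStream disk, long maxSize) throws IOException {
        byte[] buf = new byte[8192];
        long stored = 0;
        int n;
        while ((n = body.read(buf)) != -1) {
            if (n > maxSize - stored) throw new SizeLimitExceeded(maxSize);
            disk.write(buf, 0, n);
            stored += n;
        }
        return stored;
    }

    /** Post-parse validation: the whole body reaches storage first, then the size is checked. */
    static boolean storeThenValidate(InputStream body, OutputStream disk, long maxSize) throws IOException {
        long stored = storeWithCap(body, disk, Long.MAX_VALUE); // no bound while reading
        return stored <= maxSize;
    }

    public static void main(String[] args) throws IOException {
        byte[] upload = new byte[1_000_000];   // constructed sample body, stands in for a huge file
        long cap = 64 * 1024;                  // constructed limit

        ByteArrayOutputStream diskA = new ByteArrayOutputStream(); // stands in for the temp file
        try {
            storeWithCap(new ByteArrayInputStream(upload), diskA, cap);
        } catch (SizeLimitExceeded e) {
            System.out.println("parser cap rejected request: " + e.getMessage());
        }
        System.out.println("bytes stored with parser cap:   " + diskA.size());

        ByteArrayOutputStream diskB = new ByteArrayOutputStream();
        boolean valid = storeThenValidate(new ByteArrayInputStream(upload), diskB, cap);
        System.out.println("post-parse check valid=" + valid + ", bytes stored: " + diskB.size());
    }
}
```

With the cap applied during the read, storage never holds more than the limit; with validation after the fact, the full body is stored before the request is rejected.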