Posted to commits@commons.apache.org by ma...@apache.org on 2023/02/20 17:12:49 UTC
[commons-fileupload] branch master updated: Note new limit is not enabled by default
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/commons-fileupload.git
The following commit(s) were added to refs/heads/master by this push:
new f86a96d Note new limit is not enabled by default
f86a96d is described below
commit f86a96d96ef4ce9507f91ea02ea243c12b6eb02c
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Mon Feb 20 17:08:55 2023 +0000
Note new limit is not enabled by default
---
src/site/xdoc/security-reports.xml | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/src/site/xdoc/security-reports.xml b/src/site/xdoc/security-reports.xml
index d60c5ac..22ec4a8 100644
--- a/src/site/xdoc/security-reports.xml
+++ b/src/site/xdoc/security-reports.xml
@@ -56,10 +56,12 @@
<p><b>Important: Denial of Service</b> <a
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24998">CVE-2023-24998</a></p>
- <p>Apache Commons FileUpload before 1.5 does not limit the number of
- request parts to be processed resulting in the possibility of an
- attacker triggering a DoS with a malicious upload or series of
- uploads.</p>
+ <p>Apache Commons FileUpload before 1.5 does not provide an option to
+ limit the number of request parts to be processed resulting in the
+ possibility of an attacker triggering a DoS with a malicious upload or
+ series of uploads. Note that, like all of the file upload limits, the
+ new configuration option (FileUploadBase#setFileCountMax) is not
+ enabled by default and must be explicitly configured.</p>
<p>This was fixed in commit
<a href="https://github.com/apache/commons-fileupload/commit/e20c04990f7420ca917e96a84cec58b13a1b3d17"
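Review bot: The sentence added at the end of the CVE-2023-24998 paragraph says FileUploadBase#setFileCountMax "is not enabled by default and must be explicitly configured", but it stops short of the consequence a reader of a security report needs: an application that upgrades to 1.5 without calling that method still processes an unlimited number of request parts. Suggest stating this directly, for example "Upgrading to 1.5 alone does not apply a limit; applications must call FileUploadBase#setFileCountMax", and placing it as its own sentence or paragraph so it is not read as a footnote to the description. Minor style point in the same paragraph: a comma before "resulting in the possibility" would make the long first sentence easier to parse.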