You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@commons.apache.org by "Damian Kolasa (JIRA)" <ji...@apache.org> on 2012/07/15 10:56:33 UTC
[jira] [Created] (FILEUPLOAD-212) Insecure request size checking
Damian Kolasa created FILEUPLOAD-212:
----------------------------------------
Summary: Insecure request size checking
Key: FILEUPLOAD-212
URL: https://issues.apache.org/jira/browse/FILEUPLOAD-212
Project: Commons FileUpload
Issue Type: Bug
Affects Versions: 1.2.2
Environment: Default configuration default environment.
Reporter: Damian Kolasa
Priority: Critical
In FileUploadBase there is an issue when checking for upload request size, the check is based on presence of Content-Length header in request and FALSE assumption than when present it will represent the actual request size. Using this attacker can supply request with Content-Length of 60 and bypass file upload restrictions, which can lead to successful Resource Depletion type attack.
IMHO by default file upload should return the LimitedInputStream implementation for file upload.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (FILEUPLOAD-212) Insecure request size checking
Posted by "Damian Kolasa (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/FILEUPLOAD-212?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Damian Kolasa updated FILEUPLOAD-212:
-------------------------------------
Description:
In FileUploadBase there is an issue when checking for upload request size, the check is based on presence of Content-Length header in request and FALSE assumption that when present it will represent the actual request size. Using this fact, attacker can supply request with defined Content-Length of 60 and bypass file upload restrictions, which can lead to successful Resource Depletion type attack.
IMHO by default file upload should return the LimitedInputStream implementation for file upload.
was:
In FileUploadBase there is an issue when checking for upload request size, the check is based on presence of Content-Length header in request and FALSE assumption than when present it will represent the actual request size. Using this attacker can supply request with Content-Length of 60 and bypass file upload restrictions, which can lead to successful Resource Depletion type attack.
IMHO by default file upload should return the LimitedInputStream implementation for file upload.
> Insecure request size checking
> ------------------------------
>
> Key: FILEUPLOAD-212
> URL: https://issues.apache.org/jira/browse/FILEUPLOAD-212
> Project: Commons FileUpload
> Issue Type: Bug
> Affects Versions: 1.2.2
> Environment: Default configuration default environment.
> Reporter: Damian Kolasa
> Priority: Critical
> Labels: max_upload_size, resource_depletion, security
> Original Estimate: 48h
> Remaining Estimate: 48h
>
> In FileUploadBase there is an issue when checking for upload request size, the check is based on presence of Content-Length header in request and FALSE assumption that when present it will represent the actual request size. Using this fact, attacker can supply request with defined Content-Length of 60 and bypass file upload restrictions, which can lead to successful Resource Depletion type attack.
> IMHO by default file upload should return the LimitedInputStream implementation for file upload.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira