Posted to issues@commons.apache.org by "OlivierJaquemet (via GitHub)" <gi...@apache.org> on 2023/02/21 09:55:53 UTC

[GitHub] [commons-fileupload] OlivierJaquemet opened a new pull request, #203: FileCountMax limit incorrectly counts both simple form fields and files

OlivierJaquemet opened a new pull request, #203:
URL: https://github.com/apache/commons-fileupload/pull/203

   The FileCountMax limit introduced in 1.5 incorrectly counts both simple form fields and files.
   
   As described in the Javadoc, setFileCountMax is "the maximum number of files allowed per request."
   
   Bug: the current implementation throws an exception when the number of fields reaches the limit, thus including both files and simple fields.
   
   Expected behavior:
   An exception should only be thrown when the number of *files* reaches the limit. To prevent DoS in a practical manner, only files should be limited, as the number of simple form fields can be very large and should not be limited.
   
   Fix:
   1. Add a unit test in SizesTest to check the expected behavior
   2. Change the implementation in FileUploadBase to count and check only real file items, not simple form fields


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@commons.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [commons-fileupload] OlivierJaquemet commented on pull request #203: FileCountMax limit incorrectly counts both simple form fields and files

Posted by "OlivierJaquemet (via GitHub)" <gi...@apache.org>.
OlivierJaquemet commented on PR #203:
URL: https://github.com/apache/commons-fileupload/pull/203#issuecomment-1438270289

   Thank you Mark for your answer and time on this matter.
   
   This behavior makes the limit difficult to configure, because while I think it's easy to set an arbitrary limit on the number of files that can be uploaded in a request, it's much more difficult to include the number of fields that can be included in the same form. The smallest checkbox, radio button or other field is counted in this limit, which doesn't seem to have much relevance for limiting a denial of service attack.


[GitHub] [commons-fileupload] OlivierJaquemet closed pull request #203: FileCountMax limit incorrectly counts both simple form fields and files

Posted by "OlivierJaquemet (via GitHub)" <gi...@apache.org>.
OlivierJaquemet closed pull request #203: FileCountMax limit incorrectly counts both simple form fields and files
URL: https://github.com/apache/commons-fileupload/pull/203


[GitHub] [commons-fileupload] markt-asf commented on pull request #203: FileCountMax limit incorrectly counts both simple form fields and files

Posted by "markt-asf (via GitHub)" <gi...@apache.org>.
markt-asf commented on PR #203:
URL: https://github.com/apache/commons-fileupload/pull/203#issuecomment-1438293083

   Both file parts and field parts trigger the DoS (with minor variations in the details) so both need to be limited.
   The application developer should have a sense for how many fields+files are required so it should be possible to pick an appropriate limit for the application.
   There is plenty of headroom so it should be possible to set the limit high enough that normal users are not affected but low enough that a malicious user can't trigger the DoS.
   Tomcat, for example, integrated this with the maxParameterCount attribute (default 10,000) so the total number of query string parameters + field parts + file parts is limited to 10,000. That should be more than sufficient for nearly all applications while still being several orders of magnitude below the point where DoS effects will be observed.
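A small Python model of the all-parts counting rule markt-asf describes above, added here as an illustration and not code from Commons FileUpload or Tomcat: every multipart part, file or simple field, counts toward one limit, and a Tomcat-style variant folds query-string parameters into the same budget. The boundary, field names and body are constructed; the library's real check lives in FileUploadBase.

```python
import re

BOUNDARY = "----boundary42"  # constructed sample; the body below has 3 fields + 2 files

def _part(name, value, filename=None):
    disp = f'form-data; name="{name}"' + (f'; filename="{filename}"' if filename else "")
    return f"--{BOUNDARY}\r\nContent-Disposition: {disp}\r\n\r\n{value}\r\n"

SAMPLE_BODY = (
    _part("title", "report") + _part("agree", "on") + _part("color", "red")
    + _part("doc", "hello", "a.txt") + _part("img", "\x89PNG", "b.png")
    + f"--{BOUNDARY}--\r\n"
)

class PartCountLimitExceeded(Exception):
    def __init__(self, limit):
        super().__init__(f"part count limit of {limit} exceeded")
        self.limit = limit

def parse_parts(body, boundary, part_count_max=-1):
    """Return (name, filename) per part; filename is None for simple fields.
    Every part counts against part_count_max (-1 disables the check)."""
    parts = []
    for chunk in body.split(f"--{boundary}")[1:]:
        if chunk.startswith("--"):  # closing delimiter, no more parts
            break
        headers = chunk.partition("\r\n\r\n")[0]
        name = re.search(r'name="([^"]*)"', headers)
        fname = re.search(r'filename="([^"]*)"', headers)
        # Check before storing the part, so the number of retained parts stays bounded.
        if part_count_max > -1 and len(parts) >= part_count_max:
            raise PartCountLimitExceeded(part_count_max)
        parts.append((name.group(1) if name else None, fname.group(1) if fname else None))
    return parts

def count_parameters(query_string, body, boundary, max_parameter_count):
    """Tomcat-style accounting: query-string parameters, field parts and file
    parts share one budget (Tomcat's default maxParameterCount is 10,000)."""
    query_params = [p for p in query_string.split("&") if p]
    if len(query_params) > max_parameter_count:
        raise PartCountLimitExceeded(max_parameter_count)
    parts = parse_parts(body, boundary, max_parameter_count - len(query_params))
    return len(query_params) + len(parts)

def exceeds_limit(fn, *args, **kwargs):
    # True if calling fn trips the part-count limit, False otherwise.
    try:
        fn(*args, **kwargs)
        return False
    except PartCountLimitExceeded:
        return True
```

With the sample body, a limit of 5 admits the request while a limit of 4 rejects it, even though only 2 of the parts are files; that is exactly the difference between the two readings of "fileCountMax" discussed in the thread.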

[GitHub] [commons-fileupload] OlivierJaquemet commented on pull request #203: FileCountMax limit incorrectly counts both simple form fields and files

Posted by "OlivierJaquemet (via GitHub)" <gi...@apache.org>.
OlivierJaquemet commented on PR #203:
URL: https://github.com/apache/commons-fileupload/pull/203#issuecomment-1438299635

   Thank you for this helpful clarification.


[GitHub] [commons-fileupload] markt-asf commented on pull request #203: FileCountMax limit incorrectly counts both simple form fields and files

Posted by "markt-asf (via GitHub)" <gi...@apache.org>.
markt-asf commented on PR #203:
URL: https://github.com/apache/commons-fileupload/pull/203#issuecomment-1438228060

   'fileCountMax' may be poorly named and the Javadoc may benefit from some clarification, but the limit is correctly implemented. It is intended to apply to all parts - both files and simple fields.
