Posted to issues@commons.apache.org by "Artem Smotrakov (JIRA)" <ji...@apache.org> on 2019/04/05 16:17:00 UTC

[jira] [Updated] (FILEUPLOAD-297) Default maximum sizes for requests and files

     [ https://issues.apache.org/jira/browse/FILEUPLOAD-297?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Artem Smotrakov updated FILEUPLOAD-297:
---------------------------------------
    Attachment: default_upload_size_limits_v1.patch

> Default maximum sizes for requests and files
> --------------------------------------------
>
>                 Key: FILEUPLOAD-297
>                 URL: https://issues.apache.org/jira/browse/FILEUPLOAD-297
>             Project: Commons FileUpload
>          Issue Type: Improvement
>            Reporter: Artem Smotrakov
>            Priority: Major
>         Attachments: default_upload_size_limits_v1.patch
>
>
> Currently FileUpload allows setting the maximum allowed size of a complete request and the maximum allowed size of a file to be uploaded. However, the library doesn't set any default limitations. Introducing default values may be a little defense-in-depth measure to reduce the risk of (D)DoS attacks for applications which forgot to set such limits.
> Here is how other libraries/servers set such default values:
>  # nginx sets the maximum allowed size of the client request body to 1MB
>  ## [http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size]
>  # By default, the IIS 7 upload limit is 30MB
>  ## [https://docs.microsoft.com/en-us/windows/desktop/bits/upload-limits]
>  # PHP sets max size of post data allowed to 8MB. PHP also sets the maximum size of an uploaded file to 2MB
>  ## [https://www.php.net/manual/en/ini.core.php#ini.post-max-size]
>  ## [https://www.php.net/manual/en/ini.core.php#ini.upload-max-filesize]
>  # Spring Boot specifies the maximum size permitted for uploaded files. The default is 1MB. It also specifies the maximum size allowed for multipart/form-data requests. The default is 10MB.
>  ## [https://docs.spring.io/spring-boot/docs/current/api/org/springframework/boot/autoconfigure/web/servlet/MultipartProperties.html]
> As you can see, default values look pretty different. I am attaching a patch which sets the maximum file size to 2MB and the maximum size of a request to 10MB. Adding such limits by default introduces a risk that some applications may break, so maybe the numbers should be higher. Please let me know if such an update is okay, and I'll create a pull request.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)