On 03/09/2013 02:32 PM, Simone Tripodi wrote:
> Hi all,
> 
> I've prepared the RC1 of Apache Commons-FileUpload 1.3 so I am here
> to call for a vote:
> 
> Release Notes:
> 
> http://people.apache.org/builds/commons/fileupload/1.3/RC1/RELEASE-NOTES.txt
> 
> Tag:
> 
> https://svn.apache.org/repos/asf/commons/proper/fileupload/tags/FILEUPLOAD_1_3_RC1
> 
> Site:
> 
> http://people.apache.org/builds/commons/fileupload/1.3/RC1/site/index.html
> (possible broken links will be fixed once the site is properly
> deployed)
> 
> Binaries:
> 
> http://people.apache.org/builds/commons/fileupload/1.3/RC1/binaries
> 
> Staging Maven Artifacts:
> 
> https://repository.apache.org/content/repositories/orgapachecommons-008/
> 
> [ ] +1 release it
> [ ] +0 go ahead I don't care
> [ ] -1 no, do not release it because

there is a critical bug (FILEUPLOAD-212) which an attacker can exploit
(especially as the bug is open and visible to everybody).

The fix would be quite easy as the author already outlined: always use a
LimitedInputStream by default and do not blindly trust the
content-length value provided by the user.

Thomas
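The mitigation Thomas describes, as an added example that is not part of this thread or of Commons FileUpload's own code: the `BoundedInputStream` class and `SIZE_MAX` are hypothetical stand-ins for the library's LimitedInputStream and its configured size limit, and the request values are constructed.

```java
import java.io.ByteArrayInputStream;
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;

// Hypothetical bounded stream (not the library's own LimitedInputStream): counts
// every byte actually read and fails once the server-side cap is exceeded,
// regardless of what the client declared in Content-Length.
final class BoundedInputStream extends FilterInputStream {
    private final long max;
    private long count;
    BoundedInputStream(InputStream in, long max) { super(in); this.max = max; }
    private void check() throws IOException {
        if (count > max) throw new IOException("body exceeded " + max + " bytes");
    }
    @Override public int read() throws IOException {
        int b = super.read();
        if (b != -1) { count++; check(); }
        return b;
    }
    @Override public int read(byte[] buf, int off, int len) throws IOException {
        int n = super.read(buf, off, len);
        if (n > 0) { count += n; check(); }
        return n;
    }
}

public class UploadLimitDemo {
    static final long SIZE_MAX = 1024; // server-configured cap, never taken from the request
    static long drain(InputStream in) throws IOException {
        byte[] buf = new byte[256];
        long total = 0;
        for (int n; (n = in.read(buf)) != -1; ) total += n;
        return total;
    }
    public static void main(String[] args) throws IOException {
        long declaredContentLength = 10;   // constructed: client claims 10 bytes...
        byte[] body = new byte[4096];      // ...but actually sends 4096
        // Wrong: limiting only when the header exceeds the cap; 10 <= SIZE_MAX, so nothing is bounded.
        System.out.println("trusted header, consumed " + drain(new ByteArrayInputStream(body)) + " bytes");
        // Right: the header may only reject early; the cap is enforced on the bytes really received.
        if (declaredContentLength > SIZE_MAX) throw new IOException("too large");
        try {
            drain(new BoundedInputStream(new ByteArrayInputStream(body), SIZE_MAX));
        } catch (IOException e) {
            System.out.println("bounded stream rejected: " + e.getMessage());
        }
    }
}
```

The first call consumes all 4096 bytes because the limit was derived from the untrusted header; the second stops at the 1024-byte cap no matter what the header said.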
