Hi Thomas,

The user proposed a solution - without a patch - that, in his opinion, should work. We do not have a test case which proves the reported issue, which would affect all past FileUpload releases.

So, my question (to everybody) is: could the resolution of that issue be postponed to 1.3.1, or is it a blocker for 1.3?

TIA,
-Simo
http://people.apache.org/~simonetripodi/
http://simonetripodi.livejournal.com/
http://twitter.com/simonetripodi
http://www.99soft.org/

On Sat, Mar 9, 2013 at 2:51 PM, Thomas Neidhart <thomas.neidh...@gmail.com> wrote:
> On 03/09/2013 02:32 PM, Simone Tripodi wrote:
>> Hi all,
>>
>> I've prepared the RC1 of Apache Commons-FileUpload 1.3 so I am here
>> to call for a vote:
>>
>> Release Notes:
>>
>> http://people.apache.org/builds/commons/fileupload/1.3/RC1/RELEASE-NOTES.txt
>>
>> Tag:
>>
>> https://svn.apache.org/repos/asf/commons/proper/fileupload/tags/FILEUPLOAD_1_3_RC1
>>
>> Site:
>>
>> http://people.apache.org/builds/commons/fileupload/1.3/RC1/site/index.html
>> (possible broken links will be fixed once the site is properly
>> deployed)
>>
>> Binaries:
>>
>> http://people.apache.org/builds/commons/fileupload/1.3/RC1/binaries
>>
>> Staging Maven Artifacts:
>>
>> https://repository.apache.org/content/repositories/orgapachecommons-008/
>>
>> [ ] +1 release it
>> [ ] +0 go ahead I don't care
>> [ ] -1 no, do not release it because
>
> there is a critical bug (FILEUPLOAD-212) which an attacker can exploit
> (especially as the bug is open and visible to everybody).
>
> The fix would be quite easy as the author already outlined: always use a
> LimitedInputStream by default and do not blindly trust the
> content-length value provided by the user.
>
> Thomas
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> For additional commands, e-mail: dev-h...@commons.apache.org
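Thomas's point about not trusting the client-supplied content length, as an added example that is not Commons FileUpload code: a hypothetical BoundedInputStream (a stand-in for the LimitedInputStream he mentions, not the project's class) shown with the weak "wrap only if the declared length is large" pattern beside the always-wrap fix. The class names, method names and the sample request body are constructed for this illustration.

```java
import java.io.*;

public class BoundedUploadDemo {
    /** Hypothetical stand-in for LimitedInputStream: fails once more than maxBytes have been read. */
    static final class BoundedInputStream extends FilterInputStream {
        private final long maxBytes;
        private long count;
        BoundedInputStream(InputStream in, long maxBytes) { super(in); this.maxBytes = maxBytes; }
        private void check() throws IOException {
            if (count > maxBytes) throw new IOException("upload exceeds limit of " + maxBytes + " bytes");
        }
        @Override public int read() throws IOException {
            int b = super.read();
            if (b != -1) { count++; check(); }
            return b;
        }
        @Override public int read(byte[] buf, int off, int len) throws IOException {
            int n = super.read(buf, off, len);
            if (n > 0) { count += n; check(); }
            return n;
        }
    }
    /** Weak pattern: bound the stream only when the client-declared length exceeds sizeMax. */
    static InputStream trustDeclaredLength(InputStream body, long declaredLength, long sizeMax) {
        return declaredLength > sizeMax ? new BoundedInputStream(body, sizeMax) : body;
    }
    /** Hardened pattern: always bound the stream; the declared length is at most a hint. */
    static InputStream alwaysBounded(InputStream body, long sizeMax) {
        return new BoundedInputStream(body, sizeMax);
    }
    /** Reads the stream to the end; returns bytes consumed, or -1 if the bound fired. */
    static long drain(InputStream in) {
        byte[] buf = new byte[512];
        long total = 0;
        try {
            for (int n; (n = in.read(buf)) != -1; ) total += n;
        } catch (IOException limitHit) { // with an in-memory body, only check() can throw here
            return -1;
        }
        return total;
    }
    public static void main(String[] args) {
        long sizeMax = 1024;
        byte[] body = new byte[4096]; // constructed: a request body four times the limit
        // The client declares only 100 bytes but actually sends 4096.
        System.out.println(drain(trustDeclaredLength(new ByteArrayInputStream(body), 100, sizeMax))); // whole body consumed
        System.out.println(drain(alwaysBounded(new ByteArrayInputStream(body), sizeMax)));           // bound enforced
    }
}
```

The first call shows the limit bypassed because the wrapping decision was driven by a value the client controls; the second enforces sizeMax on the bytes actually read, which is what "always use a LimitedInputStream by default" achieves.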