CVE-2023-24998

(cherry picked from commit ad7ffd5d835d008cf7a4e80a7fa14931fd5a46b8)

CVE-2023-24998.patch

@@ -0,0 +1,117 @@
+Description: CVE-2023-24998
+ Apache Commons FileUpload before 1.5 does not limit the number of
+ request parts to be processed resulting in the possibility of an
+ attacker triggering a DoS with a malicious upload or series of uploads.
+Origin: https://github.com/apache/commons-fileupload/commit/e20c04990f7420ca917e96a84cec58b13a1b3d17
+Author: Mark Thomas <markt@apache.org>
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031733
+Forwarded: not-needed
+
+--- /dev/null
++++ b/src/main/java/org/apache/commons/fileupload/FileCountLimitExceededException.java
+@@ -0,0 +1,51 @@
++/*
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements.  See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License.  You may obtain a copy of the License at
++ *
++ *      http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++package org.apache.commons.fileupload;
++
++/**
++ * This exception is thrown if a request contains more files than the specified
++ * limit.
++ */
++public class FileCountLimitExceededException extends FileUploadException {
++
++    private static final long serialVersionUID = 6904179610227521789L;
++
++	/**
++     * The limit that was exceeded.
++     */
++    private final long limit;
++
++    /**
++     * Creates a new instance.
++     *
++     * @param message The detail message
++     * @param limit The limit that was exceeded
++     */
++    public FileCountLimitExceededException(final String message, final long limit) {
++        super(message);
++        this.limit = limit;
++    }
++
++    /**
++     * Retrieves the limit that was exceeded.
++     *
++     * @return The limit that was exceeded by the request
++     */
++    public long getLimit() {
++        return limit;
++    }
++}
+--- a/src/main/java/org/apache/commons/fileupload/FileUploadBase.java
++++ b/src/main/java/org/apache/commons/fileupload/FileUploadBase.java
+@@ -166,6 +166,12 @@
+     private long fileSizeMax = -1;
+ 
+     /**
++     * The maximum permitted number of files that may be uploaded in a single
++     * request. A value of -1 indicates no maximum.
++     */
++    private long fileCountMax = -1;
++
++    /**
+      * The content encoding to use when reading part headers.
+      */
+     private String headerEncoding;
+@@ -242,6 +248,25 @@
+     }
+ 
+     /**
++     * Returns the maximum number of files allowed in a single request.
++     *
++     * @return The maximum number of files allowed in a single request.
++     */
++    public long getFileCountMax() {
++        return fileCountMax;
++    }
++
++    /**
++     * Sets the maximum number of files allowed per request.
++     *
++     * @param fileCountMax The new limit. {@code -1} means no limit.
++     */
++    public void setFileCountMax(final long fileCountMax) {
++        this.fileCountMax = fileCountMax;
++    }
++
++
++    /**
+      * Retrieves the character encoding used when reading the headers of an
+      * individual part. When not specified, or <code>null</code>, the request
+      * encoding is used. If that is also not specified, or <code>null</code>,
+@@ -336,7 +361,11 @@
+                 throw new NullPointerException("No FileItemFactory has been set.");
+             }
+             while (iter.hasNext()) {
+-                final FileItemStream item = iter.next();
++                if (items.size() == fileCountMax) {
++                    // The next item will exceed the limit.
++                    throw new FileCountLimitExceededException(ATTACHMENT, getFileCountMax());
++                }
++            	final FileItemStream item = iter.next();
+                 // Don't use getName() here to prevent an InvalidFileNameException.
+                 final String fileName = ((FileItemIteratorImpl.FileItemStreamImpl) item).name;
+                 FileItem fileItem = fac.createItem(item.getFieldName(), item.getContentType(),

apache-commons-fileupload.spec

@@ -1,12 +1,14 @@
 %bcond_without  portlet
 Name:                apache-commons-fileupload
 Version:             1.4
-Release:             1
+Release:             2
 Summary:             API to work with HTML file upload
 License:             ASL 2.0
 URL:                 http://commons.apache.org/fileupload/
 BuildArch:           noarch
 Source0:             http://archive.apache.org/dist/commons/fileupload/source/commons-fileupload-%{version}-src.tar.gz
+
+Patch0:	   	     CVE-2023-24998.patch
 BuildRequires:       maven-local mvn(commons-io:commons-io) mvn(javax.servlet:servlet-api)
 BuildRequires:       mvn(junit:junit) mvn(org.apache.commons:commons-parent:pom:)
 %if %{with portlet}
@@ -29,6 +31,7 @@ This package contains the API documentation for %{name}.
 
 %prep
 %setup -q -n commons-fileupload-%{version}-src
+%patch0 -p1
 sed -i 's/\r//' LICENSE.txt
 sed -i 's/\r//' NOTICE.txt
 %if %{with portlet}
@@ -55,5 +58,8 @@ rm -r src/main/java/org/apache/commons/fileupload/portlet
 %license LICENSE.txt NOTICE.txt
 
 %changelog
+* Mon Mar 06 2023 liyuxiang<liyuxiang@ncti-gba.cn> - 1.4-2
+- fix CVE-2023-24998
+
 * Tue Aug 4 2020 yanan li <liyanan032@huawei.com> - 1.4-1
 - Package init