apache-commons-fileupload/CVE-2023-24998.patch
liyuxiang 5251c7d70a CVE-2023-24998
(cherry picked from commit ad7ffd5d835d008cf7a4e80a7fa14931fd5a46b8)
2023-03-06 11:24:52 +08:00


Description: CVE-2023-24998
Apache Commons FileUpload before 1.5 does not limit the number of
request parts to be processed resulting in the possibility of an
attacker triggering a DoS with a malicious upload or series of uploads.
Origin: https://github.com/apache/commons-fileupload/commit/e20c04990f7420ca917e96a84cec58b13a1b3d17
Author: Mark Thomas <markt@apache.org>
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031733
Forwarded: not-needed
--- /dev/null
+++ b/src/main/java/org/apache/commons/fileupload/FileCountLimitExceededException.java
@@ -0,0 +1,51 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.commons.fileupload;
+
+/**
+ * This exception is thrown if a request contains more files than the specified
+ * limit.
+ */
+public class FileCountLimitExceededException extends FileUploadException {
+
+ private static final long serialVersionUID = 6904179610227521789L;
+
+ /**
+ * The limit that was exceeded.
+ */
+ private final long limit;
+
+ /**
+ * Creates a new instance.
+ *
+ * @param message The detail message
+ * @param limit The limit that was exceeded
+ */
+ public FileCountLimitExceededException(final String message, final long limit) {
+ super(message);
+ this.limit = limit;
+ }
+
+ /**
+ * Retrieves the limit that was exceeded.
+ *
+ * @return The limit that was exceeded by the request
+ */
+ public long getLimit() {
+ return limit;
+ }
+}
--- a/src/main/java/org/apache/commons/fileupload/FileUploadBase.java
+++ b/src/main/java/org/apache/commons/fileupload/FileUploadBase.java
@@ -166,6 +166,12 @@
private long fileSizeMax = -1;
/**
+ * The maximum permitted number of files that may be uploaded in a single
+ * request. A value of -1 indicates no maximum.
+ */
+ private long fileCountMax = -1;
+
+ /**
* The content encoding to use when reading part headers.
*/
private String headerEncoding;
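Review bot: The new `fileCountMax` field defaults to `-1`, so after this patch the number of parts is still unbounded until the application calls `setFileCountMax`; the fix is opt-in. The field comment should say so, for example `A value of -1 indicates no maximum, which is the default; callers must set a limit explicitly to be protected against CVE-2023-24998.` Deployments that pick up this package update should check that every `FileUploadBase` instance they create sets a limit suited to their forms.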
@@ -242,6 +248,25 @@
}
/**
+ * Returns the maximum number of files allowed in a single request.
+ *
+ * @return The maximum number of files allowed in a single request.
+ */
+ public long getFileCountMax() {
+ return fileCountMax;
+ }
+
+ /**
+ * Sets the maximum number of files allowed per request.
+ *
+ * @param fileCountMax The new limit. {@code -1} means no limit.
+ */
+ public void setFileCountMax(final long fileCountMax) {
+ this.fileCountMax = fileCountMax;
+ }
+
+
+ /**
* Retrieves the character encoding used when reading the headers of an
* individual part. When not specified, or <code>null</code>, the request
* encoding is used. If that is also not specified, or <code>null</code>,
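Review bot: The Javadoc on `getFileCountMax` and `setFileCountMax` speaks of "files", but the check added in the parsing loop later in this patch compares the limit with `items.size()`, which appears to count every parsed part, plain form fields included. The setter also accepts any `long`: because that check is an equality test, a value below `-1` would behave as no limit and `0` would reject any request that has a part. I would document both, e.g. `@param fileCountMax The new limit on the number of parts (files and form fields) per request. {@code -1} means no limit.`, and consider rejecting values below `-1`. The trailing Javadoc in this hunk belongs to a method that continues outside it.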
@@ -336,7 +361,11 @@
throw new NullPointerException("No FileItemFactory has been set.");
}
while (iter.hasNext()) {
- final FileItemStream item = iter.next();
+ if (items.size() == fileCountMax) {
+ // The next item will exceed the limit.
+ throw new FileCountLimitExceededException(ATTACHMENT, getFileCountMax());
+ }
+ final FileItemStream item = iter.next();
// Don't use getName() here to prevent an InvalidFileNameException.
final String fileName = ((FileItemIteratorImpl.FileItemStreamImpl) item).name;
FileItem fileItem = fac.createItem(item.getFieldName(), item.getContentType(),
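Review bot: The exception is constructed with `ATTACHMENT` as its detail message, which looks like a content-disposition constant defined elsewhere in the class rather than a description of the failure, so logs and error handlers get no hint of what was rejected. A descriptive message would let operators tell a limit rejection apart from other upload errors, for example `throw new FileCountLimitExceededException("Request exceeds the permitted number of parts", getFileCountMax());`. As far as this patch shows, the limit is enforced only in this loop, so code that consumes the item iterator directly would presumably not be covered and needs its own bound. The enclosing method starts and ends outside the hunk.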