From "Artem Smotrakov (JIRA)" <>
Subject [jira] [Created] (FILEUPLOAD-297) Default maximum sizes for requests and files
Date Fri, 05 Apr 2019 16:17:00 GMT
Artem Smotrakov created FILEUPLOAD-297:

             Summary: Default maximum sizes for requests and files
                 Key: FILEUPLOAD-297
             Project: Commons FileUpload
          Issue Type: Improvement
            Reporter: Artem Smotrakov
         Attachments: default_upload_size_limits_v1.patch

Currently FileUpload allows setting the maximum allowed size of a complete request and the
maximum allowed size of a file to be uploaded. However, the library doesn't set any default
limitations. Introducing default values may be a little defense-in-depth measure to reduce
the risk of (D)DoS attacks for applications which forgot to set such limits.

Here is how other libraries/servers set such default values:
 # nginx sets the maximum allowed size of the client request body to 1MB
 # By default, the IIS 7 upload limit is 30MB
 # PHP sets max size of post data allowed to 8MB. PHP also sets the maximum size of an uploaded
file to 2MB
 # Spring Boot specifies the maximum size permitted for uploaded files. The default is 1MB.
It also specifies the maximum size allowed for multipart/form-data requests. The default is

As you can see, default values look pretty different. I am attaching a patch which sets the
maximum file size to 2MB and the maximum size of a request to 10MB. Adding such limits by
default introduces a risk that some applications may break, so maybe the numbers should be
higher. Please let me know if such an update is okay, and I'll create a pull request.

