| Summary: | Upgrade org.apache.commons.fileupload to latest version (1.3.3) | ||
|---|---|---|---|
| Product: | [RT] RAP | Reporter: | Georg Breitschopf <georg.breitschopf> |
| Component: | Other | Assignee: | Project Inbox <rap-inbox> |
| Status: | RESOLVED MOVED | QA Contact: | |
| Severity: | normal | ||
| Priority: | P3 | CC: | mknauer |
| Version: | 3.7 | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | All | ||
| URL: | https://github.com/eclipse-rap/org.eclipse.rap/issues/41 | ||
| Whiteboard: | github | ||
Description
Georg Breitschopf
RAP (org.eclipse.rap.fileupload bundle) is not using DiskFileItem. We are processing the input stream directly using FileItemStream (see FileUploadProcessor#handleFileUpload). That's why I believe that we are not affected by the above vulnerability. Nevertheless, once the updated org.apache.commons.fileupload 1.3.3 is available in Eclipse Orbit we will include it in RAP runtime.

As of now the latest version of Apache Commons FileUpload is 1.4. The Orbit version is still on 1.3.2.

More info about the issue and the "fix" from Apache Commons FileUpload Security report. Now I'm confident that it does not affect RAP.

[1] https://commons.apache.org/proper/commons-fileupload/security-reports.html

Thank you for further analysis and clarification.

Because we switched to GitHub with the RAP version 3.21 that includes the implementation for this issue, and because we'd like to have all release relevant tickets in one place, I am copying the basic details to GitHub issues https://github.com/eclipse-rap/org.eclipse.rap/issues/41. Any kind of future enhancement should be discussed there.