Details
- Type: Improvement
- Status: Resolved
- Priority: Major
- Resolution: Won't Fix
- Labels: Patch
Description
Currently FileUpload allows setting the maximum allowed size of a complete request and the maximum allowed size of a file to be uploaded. However, the library doesn't set any default limitations. Introducing default values may be a little defense-in-depth measure to reduce the risk of (D)DoS attacks for applications which forgot to set such limits.
Here is how other libraries/servers set such default values:
- nginx sets the maximum allowed size of the client request body to 1MB
- By default, the IIS 7 upload limit is 30MB
- PHP sets the maximum size of POST data allowed to 8MB. PHP also sets the maximum size of an uploaded file to 2MB
- Spring Boot specifies the maximum size permitted for uploaded files. The default is 1MB. It also specifies the maximum size allowed for multipart/form-data requests. The default is 10MB.
As you can see, default values look pretty different. I am attaching a patch which sets the maximum file size to 2MB and the maximum size of a request to 10MB. Adding such limits by default introduces a risk that some applications may break, so maybe the numbers should be higher. Please let me know if such an update is okay, and I'll create a pull request.
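Since the issue was resolved as Won't Fix, the limits remain the application's responsibility. As an added example (not code from the issue or from Commons FileUpload itself), here is a servlet-side helper that applies the 2MB per-file and 10MB per-request limits proposed above and maps the library's limit exceptions to an HTTP 413; the class name `BoundedUpload` and its method names are assumptions.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileUploadBase;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;

/** Hypothetical helper: FileUpload with explicit size limits instead of none. */
public final class BoundedUpload {
    // Limits as proposed in the issue; tune them to the application's real needs.
    static final long MAX_FILE_SIZE = 2L * 1024 * 1024;     // 2MB per uploaded file
    static final long MAX_REQUEST_SIZE = 10L * 1024 * 1024; // 10MB per multipart request

    private BoundedUpload() {}

    /** Builds a parser that rejects oversized files and oversized requests. */
    static ServletFileUpload newUpload() {
        ServletFileUpload upload = new ServletFileUpload(new DiskFileItemFactory());
        upload.setFileSizeMax(MAX_FILE_SIZE);  // enforced per file while streaming
        upload.setSizeMax(MAX_REQUEST_SIZE);   // checked against Content-Length and while streaming
        return upload;
    }

    /** Parses a multipart request; on a limit violation answers 413 and returns no items. */
    static List<FileItem> parse(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        if (!ServletFileUpload.isMultipartContent(request)) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Expected multipart/form-data");
            return Collections.emptyList();
        }
        try {
            return newUpload().parseRequest(request);
        } catch (FileUploadBase.FileSizeLimitExceededException e) {
            // One part exceeded MAX_FILE_SIZE; the rest of the body is not buffered.
            response.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE,
                    "Uploaded file exceeds " + MAX_FILE_SIZE + " bytes");
        } catch (FileUploadBase.SizeLimitExceededException e) {
            // The whole request exceeded MAX_REQUEST_SIZE.
            response.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE,
                    "Request exceeds " + MAX_REQUEST_SIZE + " bytes");
        } catch (FileUploadException e) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Malformed multipart request");
        }
        return Collections.emptyList();
    }
}
```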