Upgrade to commons-fileupload2
This indirectly addresses a CVE in commons-io that does not affect
S3Proxy.
gaul committed Dec 27, 2024
1 parent 62fd4b0 commit a06ddeb
Showing 2 changed files with 8 additions and 6 deletions.
6 changes: 3 additions & 3 deletions pom.xml
@@ -465,9 +465,9 @@
<version>3.0.2</version>
</dependency>
<dependency>
<groupId>commons-fileupload</groupId>
<artifactId>commons-fileupload</artifactId>
<version>1.5</version>
<groupId>org.apache.commons</groupId>
<artifactId>commons-fileupload2-javax</artifactId>
<version>2.0.0-M2</version>
</dependency>
<dependency>
<groupId>commons-codec</groupId>
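Review bot: The new coordinate pins a milestone build, `2.0.0-M2`, so the handler now compiles against a pre-release API that may still change before a final 2.0.0. A comment above the dependency such as `<!-- milestone release; revisit when commons-fileupload2 reaches GA -->` would record that this is deliberate. The handler in this commit imports only `org.apache.commons.fileupload2.core.MultipartInput` and otherwise uses `jakarta.servlet`, so the `-javax` binding appears to be needed only for its transitive core module. If nothing else uses it, declaring `commons-fileupload2-core` directly would keep the unused servlet binding off the classpath. Because the commit message says the commons-io CVE is addressed only indirectly, confirm the resolved commons-io version with `mvn dependency:tree` rather than assuming the transitive version is the fixed one.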
8 changes: 5 additions & 3 deletions src/main/java/org/gaul/s3proxy/S3ProxyHandler.java
@@ -82,7 +82,7 @@
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.apache.commons.fileupload.MultipartStream;
import org.apache.commons.fileupload2.core.MultipartInput;
import org.jclouds.blobstore.BlobStore;
import org.jclouds.blobstore.KeyNotFoundException;
import org.jclouds.blobstore.domain.Blob;
@@ -2051,8 +2051,10 @@ private void handlePostBlob(HttpServletRequest request,
String signature = null;
String algorithm = null;
byte[] payload = null;
var multipartStream = new MultipartStream(is,
boundary.getBytes(StandardCharsets.UTF_8), 4096, null);
var multipartStream = MultipartInput.builder()
.setBoundary(boundary.getBytes(StandardCharsets.UTF_8))
.setInputStream(is)
.get();
boolean nextPart = multipartStream.skipPreamble();
while (nextPart) {
String header = multipartStream.readHeaders();
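Review bot: The builder chain that replaces `new MultipartStream(is, …, 4096, null)` no longer states a buffer size, so the parser's buffer now depends on whatever default `MultipartInput.builder()` applies in this milestone. This parser reads the POST form while `signature` and `algorithm` are still null (both are initialised just above), so it presumably runs on request bodies that have not been authenticated yet, which makes explicit memory bounds worth keeping. Either add `.setBufferSize(4096)` to the chain, or add a comment such as `// buffer size: library default (was 4096 with MultipartStream)`. `handlePostBlob` starts and continues outside this hunk, so how `boundary` is derived and how part sizes are limited cannot be checked from here.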
