FileUpload – Release Notes

Release Notes

Release History

Version	Date	Description
1.4	2018-12-23	1.4 Release
1.3.3	2017-06-13	Bugfix release for 1.3.3
1.3.2	2016.05-26	Bugfix release for 1.3.1
1.3.2	2014-02-07	This is a security and maintenance release that includes an important security fix as well. Compared to 1.3.1, no other changes have been made.
1.3.1	2014-02-07	This is a security and maintenance release that includes an important security fix as well as a small number of bugfixes.
1.3	2013-03-27	maintenance release, JDK1.5 update
1.2.2	2010-07-29
1.2.1	2008-01-18
1.2	2007-02-13
1.1.1	2006-06-08	Bugfix release
1.1	2005-12-24	Portlet support, substantial refactoring and numerous bug fixes

Release 1.4 – 2018-12-23

Type	Changes	By
	Don't create un-needed resources in FileUploadBase.java. Fixes FILEUPLOAD-292.	chtompki
	Upversion complier.source, compiler.target to 1.6. Fixes FILEUPLOAD-282.	chtompki
	DiskFileItem#write() could lose original IO exception. Fixes FILEUPLOAD-252.	tn
	DiskFileItem#getStoreLocation() wrongly returned a File object for items stored in memory. Fixes FILEUPLOAD-258.	tn
	FileUploadBase - should not silently catch and ignore all Throwables. Fixes FILEUPLOAD-242.	tn
	Fix Javadoc 1.8.0 errors. Fixes FILEUPLOAD-257.	tn
	Fix section "Resource cleanup" of the user guide. Fixes FILEUPLOAD-234.	tn
	Fix streaming example: use FileItem.getInputStream() instead of openStream(). Fixes FILEUPLOAD-237.	tn
	DiskFileItem might suppress critical IOExceptions on rename - use FileUtil.move instead. Fixes FILEUPLOAD-248.	ecki
	DiskFileItem#getTempFile() is broken. Fixes FILEUPLOAD-251.	sebb
	FileUploadBase - potential resource leak - InputStream not closed on exception. Fixes FILEUPLOAD-250.	sebb
	DiskFileItem.readObject fails to close FileInputStream. Fixes FILEUPLOAD-244.	sebb
	FileUpload should use IOUtils.closeQuietly where relevant. Fixes FILEUPLOAD-246.	sebb
	DiskFileItem.get() may not fully read the data. Fixes FILEUPLOAD-245.	sebb
	Make some MultipartStream private fields final. Fixes FILEUPLOAD-243. Thanks to Ville Skyttä.	sebb
	Site: added security report	ecki
	Improve performance for large multi-part boundaries Thanks to Felix Schumacher.	markt
	Added the default character set to the DiskFileItem. Fixes FILEUPLOAD-286. Thanks to maxxedev.	jochen
	Avoid using File.exists() on temporary files, if we know that the file has been created. Fixes FILEUPLOAD-288. Thanks to fangwentong.	jochen
	Added .travis.yml, to fix build issues on Github. Thanks to Pascal Schumacher.	jochen

Release 1.3.3 – 2017-06-13

Type	Changes	By
	DiskDileItem can actually no longer be deserialized, unless a system property is set to true. Fixes FILEUPLOAD-279.	jochen

Release 1.3.2 – 2016.05-26

Type	Changes	By
	SECURITY - CVE-2016-3092. Performance Improvement in MultipartStream. Fixes FILEUPLOAD-272.	jochen

Release 1.3.2 – 2014-02-07

Type	Changes	By
	SECURITY - CVE-2016-3092. Specially crafted input can trigger a DoS, if the size of the MIME boundard is close to the size of the buffer in MultipartStream. (Similar to CVE-2014-0050.)	jochen

Release 1.3.1 – 2014-02-07

Type	Changes	By
	SECURITY - CVE-2014-0050. Specially crafted input can trigger a DoS if the buffer used by the MultipartStream is not big enough. When constructing MultipartStream enforce the requirements for buffer size by throwing an IllegalArgumentException if the requested buffer size is too small. This prevents the DoS.	markt
	When deserializing DiskFileItems ensure that the repository location, if any, is a valid one. Thanks to Arun Babu Neelicattu.	markt
	Correct example in usage documentation so it compiles.	markt

Release 1.3 – 2013-03-27

Type	Changes	By
	SECURITY - CVE-2013-0248. Update the Javadoc and documentation to make it clear that setting a repository is required for a secure configuration if there are local, untrusted users.	markt
	Update the project tree dirs according to default Maven conventions. Fixes FILEUPLOAD-216.	simonetripodi
	drop JDK1.3 support and update to Java5. Fixes FILEUPLOAD-217.	simonetripodi
	Update version in POM. Fixes FILEUPLOAD-218.	simonetripodi
	upgrade tests to JUnit 4. Fixes FILEUPLOAD-219.	simonetripodi
	replace package.html with package-info.java. Fixes FILEUPLOAD-220.	simonetripodi
	FileItemHeadersImpl can now use LinkedHashMap. Fixes FILEUPLOAD-221.	simonetripodi
	Mark @deprecated classes/methods with @Deprecated annotation. Fixes FILEUPLOAD-222.	simonetripodi
	Base64Decoder doesn't correctly implement RFC 4648. Fixes FILEUPLOAD-233. Thanks to Simone Tripodi.	sebb
	"Stream ended unexpectedly" when posting from a Flash client. Fixes FILEUPLOAD-143. Thanks to Luke Scott.	jochen
	Manifest for OSGi has invalid syntax. Fixes FILEUPLOAD-173. Thanks to Bjorn Harvold.	simonetripodi
	commons-io dependency does not get loaded by maven if only dependency to commons-fileupload is specified. Fixes FILEUPLOAD-183. Thanks to Roman Arkadijovych Muntyanu.	simonetripodi
	http://commons.apache.org/fileupload/index.html is out of date. Fixes FILEUPLOAD-185. Thanks to Sebb.	simonetripodi
	http://commons.apache.org/fileupload/index.html should not mention nightly builds. Fixes FILEUPLOAD-186. Thanks to Sebb.	simonetripodi
	DiskFileItemFactory use of FileCleaningTracker is documented or coded wrong - proposal submitted by Jan Novotný. Fixes FILEUPLOAD-189. Thanks to Gregor K.	simonetripodi
	Error reading the file size larger than 2 gb - pull request from Gergely. Fixes FILEUPLOAD-195. Thanks to Juliano Alves.	simonetripodi
	ServletFileUpload isMultipartContent method does not support HTTP PUT - thanks Roy T. Fielding and Jochen Wiedmann. Fixes FILEUPLOAD-197. Thanks to David Wolverton.	simonetripodi
	Uploads have unexpected results for files with non-ASCII names - support RFC2047 - thanks Thomas Neidhart. Fixes FILEUPLOAD-199. Thanks to Mark Thomas.	simonetripodi
	Exceptions resulting from upload size limitations (fileSizeMax, sizeMax) are now correctly propagated to the caller (these could be encountered formerly as MalformedStreamException: "Stream ended unexpectedly"). Fixes FILEUPLOAD-202. Thanks to tina.	tn
	FileItem.getHeaders() returns always null. Fixes FILEUPLOAD-204. Thanks to Hakju Oh.	jochen
	The sizeMax parameter within FileUpload is now correctly enforced if no content length header is provided. Fixes FILEUPLOAD-212. Thanks to Damian Kolasa.	tn
	ServletFileUpload only accepts POST requests. Fixes FILEUPLOAD-214. Thanks to Matthew Runo.	simonetripodi
	(Servlet\|Portlet)RequestContext#contentLength() must return request.getContentLength() if Content-length header is not available. Fixes FILEUPLOAD-228. Thanks to Thomas Neidhart.	simonetripodi
	toLowerCase() is Locale-dependent; should use toLowerCase(Locale.ENGLISH) instead. Fixes FILEUPLOAD-229. Thanks to seb.	simonetripodi
	There are no unit tests for the new utils.mime classes. Fixes FILEUPLOAD-229. Thanks to seb.	sebb,simonetripodi
	Documentation: add simple HTML form example to fileupload user guide. Fixes FILEUPLOAD-182. Thanks to Chris Lott.	simonetripodi
	enhance file read/write performance - patch provided by frank. Fixes FILEUPLOAD-207. Thanks to frank.	simonetripodi
	Add Support for Generic Types. Fixes FILEUPLOAD-209. Thanks to Fernando Ribeiro.	simonetripodi
	Process HTTP Requests Into Maps. Fixes FILEUPLOAD-210. Thanks to Fernando Ribeiro.	simonetripodi
	Update commons-io dependency to latest version that supports JDK1.5. Fixes FILEUPLOAD-223.	simonetripodi
	Avoid string concatenations while parsing headers, use buffers instead. Fixes FILEUPLOAD-224.	simonetripodi
	Replace java.rmi.server.UID() with java.util.UUID. Fixes FILEUPLOAD-225.	simonetripodi
	DiskFileItem.counter could be converted to AtomicInteger (or AtomicLong?). Fixes FILEUPLOAD-226.	sebb
	Private immutable fields which could be final. Fixes FILEUPLOAD-227.	sebb
	Update to JDK 1.5 and bump IO dependency to 2.0.1. Fixes FILEUPLOAD-201.	simonetripodi
	version 1.3 improvement tasks. Fixes FILEUPLOAD-215.	simonetripodi

Release 1.2.2 – 2010-07-29

Type	Changes	By
	Added a check for file names containing a NULL characters. Such file names are now triggering an InvalidFileNameException since the file name cannot be used as provided to create the file since it will be truncated at the NUL character on most (all?) operating systems. E.g. a file name like "test.foo0.bar" would result in "test.foo" being created. Thanks to Daniel Fabian.	jochen
	Temporary files have not been deleted, if an error occurred in FileUploadBase.parseRequest();. Fixes FILEUPLOAD-160. Thanks to Stepan Koltsov.	jochen
	Fixed example in MultipartStream Javadocs. Fixes FILEUPLOAD-158. Thanks to Stepan Koltsov.	jochen
	Ensured, that the ProgressListener is called for all items. Fixes FILEUPLOAD-157. Thanks to Paul Spurr.	jochen
	Made the ProgressNotifier public. Fixes FILEUPLOAD-156.	jochen
	Multiple documentation fixes. Fixes FILEUPLOAD-155. Thanks to Jörg Heinicke.	jochen
	Fixed the error message for FileSizeLimitExceededException from "too many characters" to "too many bytes". Fixes FILEUPLOAD-152. Thanks to Duzakropka.	jochen
	A FileSizeLimitExceededException does now contain the file and field name of the item, which caused the problem. Fixes FILEUPLOAD-154.	jochen
	The FileItemHeader stuff hasn't been actually working. Fixes FILEUPLOAD-130. Thanks to Guillaume Cottenceau.	jochen

Release 1.2.1 – 2008-01-18

Type	Changes	By
	Upgrade to commons-io-1.4-SNAPSHOT, in order to use the new FileCleaningTracker and fix issues with FileCleaner.	jochen
	Made the MockHttpServletRequest comply to the servlet 2.4 specification by applying http://www.sourcelabs.com/dashboards/sash-1.2/patches/commons-fileupload-1.1-1/SUP-520.diff. Fixes FILEUPLOAD-129.	jochen
	Added support for accessing the file item headers. Fixes FILEUPLOAD-130. Thanks to Michael Macaluso.	jochen
	A MalformedStreamException is now thrown, if the size of an items headers exceeds HEADER_PART_SIZE_MAX;. Fixes FILEUPLOAD-116. Thanks to Amichai Rothman.	jochen
	DiskFileItem.toString() could throw an NPE. Fixes FILEUPLOAD-134. Thanks to Thomas Vandahl.	jochen
	Short files could cause an unexpected end of the item stream. Fixes FILEUPLOAD-135. Thanks to Alexander Sova.	jochen
	A FileSizeLimitExceededException was deferred until the complete file has been uploaded. Additionally, the FileSizeLimitException is now thrown immediately, if the attachments headers contain a content-length value, which exceeds the configured limit. Fixes FILEUPLOAD-145.	jochen
	Fixed a classpath problem when building with Sun JDK 1.3.1 and Ant. Fixes FILEUPLOAD-153. Thanks to Gary Gregory.	jochen

Release 1.2 – 2007-02-13

Type	Changes	By
	Made Streams.asString static. Thanks to Aaron Freeman.	jochen
	Eliminated duplicate code. Fixes FILEUPLOAD-109.	jochen
	Added a streaming API. Fixes FILEUPLOAD-112.	jochen
	Eliminated the necessity of a content-length header. Fixes FILEUPLOAD-93.	jochen
	Eliminated the limitation of a maximum size for a single header line. (The total size of all headers is already limited, so there's no need for another limit.). Fixes FILEUPLOAD-108. Thanks to Amichai Rothman.	jochen
	Added the ProgressListener, which allows to implement a progress bar. Fixes FILEUPLOAD-87.	jochen
	Added support for header continuation lines. Fixes FILEUPLOAD-111. Thanks to Amichai Rothman.	jochen
	It is now possible to limit the actual file size and not the request size. Fixes FILEUPLOAD-88. Thanks to Andrey Aristarkhov.	jochen
	Added the FileCleanerCleanup as an example for how to close down the FileCleaner's reaper thread nicely. Fixes FILEUPLOAD-120. Thanks to Henry Yandell.	jochen
	A descriptive NPE is now thrown, if the FileItemFactory has not been set. Fixes FILEUPLOAD-123.	jochen

Release 1.1.1 – 2006-06-08

Type	Changes	By
	Cache disk file item size when it is moved to a new location. Fixes FILEUPLOAD-20.	martinc
	File names were being inadvertently converted to lower case. Fixes FILEUPLOAD-30.	martinc

Release 1.1 – 2005-12-24

Type	Changes	By
	Updates for FileUpload 1.1-RC1.	martinc
	Added release notes for FileUpload 1.1.	martinc
	Update the User Guide to document the "right" way of using FileUpload 1.1, rather than the older, and thus deprecated, ways that are compatible with FileUpload 1.0.	martinc
	Add this change log, including all changes since the Commons FileUpload 1.0 release.	martinc
	Update Commons IO dependency to version 1.1.	martinc
	Add custom PMD configuration.	martinc
	Make inner exception classes static, which they should have been all along.	martinc
	Fix Checkstyle warnings.	martinc
	Remove Javadoc warnings. Fixes FILEUPLOAD-29. Thanks to Rahul Akolkar.	martinc
	Build updates:	martinc