-
Notifications
You must be signed in to change notification settings - Fork 173
/
RELEASE-NOTES.txt
271 lines (185 loc) · 14 KB
/
RELEASE-NOTES.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
Apache Commons FileUpload 2.0.0-M2 RELEASE NOTES
The Apache Commons FileUpload team is pleased to announce the release of Apache Commons FileUpload 2.0.0-M2.
The Apache Commons FileUpload component provides a simple yet flexible means of
adding support for multipart file upload functionality to Servlets and web
applications. This version requires Java 11 or above.
2.0.0-M2 Release
Changes in version 2.0.0-M2 include:
New features:
o Fix off-by-one error when checking fileSizeMax in FileItemInputImpl #235. Thanks to James Reeves.
o FILEUPLOAD-352: NullPointerException in DiskFileItem#toString. Thanks to Bj�rn Kautler, Gary Gregory.
o Fail fast on null inputs to org.apache.commons.fileupload2.core.AbstractRequestContext.AbstractRequestContext(Function, LongSupplier, T). Thanks to Gary Gregory.
o Complete refactoring in JakartaServletRequestContext. Thanks to Gary Gregory.
o Fix "Implicit narrowing conversion in compound assignment" from https://github.com/apache/commons-fileupload/security/code-scanning/118. Thanks to Gary Gregory.
o Refactor to support Jakarta Servlet 5 and 6. Thanks to Gary Gregory.
o Generate some OSGi metadata. Thanks to Michal H Siemaszko, Gary Gregory.
Fixed Bugs:
o Pick up Maven Moditect plugin version from parent POM. Thanks to Gary Gregory.
Changes:
o Bump Java from 8 to 11. Thanks to Dependabot.
o Bump commons-parent from 58 to 65. Thanks to Gary Gregory.
o Bump commons-lang3 from 3.12.0 to 3.14.0. Thanks to Gary Gregory.
o Bump commons-io from 2.13.0 to 2.15.1. Thanks to Gary Gregory.
For complete information on Apache Commons FileUpload, including instructions on how to submit bug reports,
patches, or suggestions for improvement, see the Apache Commons FileUpload website:
https://commons.apache.org/proper/commons-fileupload/
Download it from https://commons.apache.org/proper/commons-fileupload/download_fileupload.cgi
------------------------------------------------------------------------------
Apache Commons FileUpload Parent 2.0.0-M1 RELEASE NOTES
The Apache Commons FileUpload Parent team is pleased to announce the release of Apache Commons FileUpload Parent 2.0.0-M1.
The Apache Commons FileUpload component provides a simple yet flexible means of
adding support for multipart file upload functionality to servlets and web
applications.
This version requires Java 11 or later.
Note also that the base package name has changed to org.apache.commons.fileupload2,
so source changes will be required.
The Maven coordinates have also changed to:
<groupId>org.apache.commons</groupId>
<artifactId>commons-fileupload2</artifactId>
They were previously:
<groupId>commons-fileupload</groupId>
<artifactId>commons-fileupload</artifactId>
2.0.0-M1 Release
Changes in version 2.0.0-M1 include:
New features:
o Add github/codeql-action from #144. Thanks to Gary Gregory.
o Add the package org.apache.fileupload2.jaksrvlt, for compliance with Jakarta Servlet API 5.0.
o Making FileUploadException a subclass of IOException. (Mibor API simplification.)
o Add a configurable limit (disabled by default) for the number of files to upload per request.
Fixed Bugs:
o Changing Maven coordinates, and package name, due to binary incompatible changes.
o FILEUPLOAD-293: DiskFileItem.write(File) had been changed to use FileUtils.moveFile internally, preventing an existing file as the target.
o FILEUPLOAD-296: Performance gains by reusing an internal buffer. Thanks to David Georg Reochelt.
o FILEUPLOAD-274: RFC 5987 compliance Thanks to Merbin J Anselm.
o Slight optim: resuse the index position instead of recomputing it #49. Thanks to Emmanuel L�charny.
o FILEUPLOAD-340: Make commons-fileupload2 a JPMS module by adding module-info.class.
o FILEUPLOAD-341: Move Exception classes out of the impl package. Thanks to Martin Grigorov.
o Rework exceptions to use propagated exception causes (introduced in Java 1.4). Thanks to Gary Gregory.
o All custom exception extend FileUploadException. Thanks to Gary Gregory.
o All custom exceptions serialVersionUID value is now 2. Thanks to Gary Gregory.
o FILEUPLOAD-350: FileUploadByteCountLimitException ctor switches fileName and fieldName parameters #216. Thanks to Ernesto Reinaldo Barreiro.
o [StepSecurity] ci: Harden GitHub Actions #224. Thanks to step-security-bot, Gary Gregory.
Changes:
o Bump actions/cache from 2.1.6 to 3.0.8 #128, #140. Thanks to Dependabot, Gary Gregory.
o Bump actions/checkout from 2.3.4 to 3.0.2 #125. Thanks to Dependabot, Gary Gregory.
o Bump build actions/setup-java from 1.4.3 to 3.8.0 #142, #175, #180, #182. Thanks to Gary Gregory.
o Bump Java compiler level to 1.8.
o Bump commons-io:commons-io 2.6 to 2.13.0, #104, #221. Thanks to Gary Gregory, Dependabot.
o Bump junit-jupiter from 5.5.2 to 5.9.1 #31, #130, #156, #166. Thanks to Dependabot.
o Bump maven-pmd-plugin from 3.13.0 to 3.19.0 #48, #162. Thanks to Dependabot.
o Bump commons.japicmp.version from 0.13.0 to 0.16.0. Thanks to Gary Gregory.
o Bump spotbugs-maven-plugin from 4.2.3 to 4.7.3.0 #103, #133, #141, #146, #155, #163, #179. Thanks to Dependabot.
o Bump spotbugs from 4.2.3 to 4.7.3, ignore EI_EXPOSE_REP, and EI_EXPOSE_REP2, #152, #161, #174. Thanks to Dependabot.
o Bump biz.aQute.bndlib from 6.0.0 to 6.4.0 #129, #181. Thanks to Dependabot.
o Bump commons-parent from 52 to 58, #167, #183, #194. Thanks to Gary Gregory, Dependabot.
o Bump maven-checkstyle-plugin from 3.1.2 to 3.2.0 #160. Thanks to Dependabot.
Removed:
o Remove deprecated constructors in MultipartStream. Thanks to Gary Gregory.
o Remove deprecated RequestContext.getContentLength(). Thanks to Gary Gregory.
o Remove deprecated JakSrvltRequestContext.getContentLength(). Thanks to Gary Gregory.
o Remove deprecated PortletRequestContext.getContentLength(). Thanks to Gary Gregory.
o Remove deprecated ServletRequestContext.getContentLength(). Thanks to Gary Gregory.
o Remove deprecated FileUploadBase.MAX_HEADER_SIZE. Thanks to Gary Gregory.
o Remove deprecated FileUploadBase.createItem(Map, boolean). Thanks to Gary Gregory.
o Remove deprecated FileUploadBase.getFieldName(Map). Thanks to Gary Gregory.
o Remove deprecated FileUploadBase.getFileName(Map). Thanks to Gary Gregory.
o Remove deprecated FileUploadBase.getHeader(Map, String). Thanks to Gary Gregory.
o Remove deprecated FileUploadBase.parseHeaders(String). Thanks to Gary Gregory.
o Replace org.apache.commons.fileupload2.util.mime.Base64Decoder with java.util.Base64. Thanks to Gary Gregory.
o Replace LimitedInputStream with BoundedInputStream. Thanks to Gary Gregory.
o FileItemHeadersImpl is no longer Serializable. Thanks to Gary Gregory.
o Reuse Java's InvalidPathException instead of the custom InvalidFileNameException. Thanks to Gary Gregory.
For complete information on Apache Commons FileUpload Parent, including instructions on how to submit bug reports,
patches, or suggestions for improvement, see the Apache Commons FileUpload Parent website:
https://commons.apache.org/proper/commons-fileupload/
------------------------------------------------------------------------------
Apache Commons FileUpload 1.5 RELEASE NOTES
The Apache Commons FileUpload team is pleased to announce the release of Apache Commons FileUpload 1.5.
The Apache Commons FileUpload component provides a simple yet flexible means of
adding support for multipart file upload functionality to servlets and web
applications. Version 1.3 onwards requires Java 6 or later.
No client code changes are required to migrate from version 1.4 to 1.5.
Changes in version 1.5 include:
New features:
o Add a configurable limit (disabled by default) for the number of files to upload per request.
Fixed Bugs:
o FILEUPLOAD-293: DiskFileItem.write(File) had been changed to use FileUtils.moveFile internally, preventing an existing file as the target.
o Improve parsing speed. Thanks to David Georg Reichelt.
Changes:
o Bump Commons IO to 2.11.0
o FILEUPLOAD-328 Switch from Cobertura code coverage to Jacoco code coverage. Thanks to Arturo Bernal.
o Bump JUnit to 4.13.2
For complete information on Apache Commons FileUpload, including instructions on how to submit bug reports,
patches, or suggestions for improvement, see the Apache Commons FileUpload website:
https://commons.apache.org/proper/commons-fileupload/
------------------------------------------------------------------------------
Apache Commons FileUpload 1.4 RELEASE NOTES
The Apache Commons FileUpload team is pleased to announce the release of Apache Commons FileUpload 1.4.
The Apache Commons FileUpload component provides a simple yet flexible means of
adding support for multipart file upload functionality to servlets and web
applications. Version 1.3 onwards requires Java 6 or later.
1.4 Release
Changes in version 1.4 include:
New features:
o Site: added security report
Fixed Bugs:
o FILEUPLOAD-252: DiskFileItem#write() could lose original IO exception
o FILEUPLOAD-258: DiskFileItem#getStoreLocation() wrongly returned a File object for items stored in memory
o FILEUPLOAD-242: FileUploadBase - should not silently catch and ignore all Throwables
o FILEUPLOAD-257: Fix Javadoc 1.8.0 errors
o FILEUPLOAD-234: Fix section "Resource cleanup" of the user guide
o FILEUPLOAD-237: Fix streaming example: use FileItem.getInputStream() instead of openStream()
o FILEUPLOAD-248: DiskFileItem might suppress critical IOExceptions on rename - use FileUtil.move instead
o FILEUPLOAD-251: DiskFileItem#getTempFile() is broken
o FILEUPLOAD-250: FileUploadBase - potential resource leak - InputStream not closed on exception
o FILEUPLOAD-244: DiskFileItem.readObject fails to close FileInputStream
o FILEUPLOAD-245: DiskFileItem.get() may not fully read the data
Changes:
o FILEUPLOAD-292: Don't create un-needed resources in FileUploadBase.java
o FILEUPLOAD-282: Upversion complier.source, compiler.target to 1.6
o FILEUPLOAD-246: FileUpload should use IOUtils.closeQuietly where relevant
o FILEUPLOAD-243: Make some MultipartStream private fields final Thanks to Ville Skytt�.
For complete information on Apache Commons FileUpload, including instructions on how to submit bug reports,
patches, or suggestions for improvement, see the Apache Commons FileUpload website:
https://commons.apache.org/proper/commons-fileupload/
------------------------------------------------------------------------------
Apache Commons FileUpload 1.3.3 RELEASE NOTES
The Apache Commons FileUpload team is pleased to announce the release of Apache Commons FileUpload 1.3.3.
The Apache Commons FileUpload component provides a simple yet flexible means of
adding support for multipart file upload functionality to servlets and web
applications. Version 1.3 onwards requires Java 5 or later.
No client code changes are required to migrate from version 1.3.0, 1.3.1, or 1.3.2, to 1.3.3
Changes in version 1.3.3 include:
o FILEUPLOAD-279: DiskFileItem can no longer be deserialized, unless a particular system property is set.
For complete information on Apache Commons FileUpload, including instructions on how to submit bug reports,
patches, or suggestions for improvement, see the Apache Commons FileUpload website:
https://commons.apache.org/proper/commons-fileupload/
------------------------------------------------------------------------------
No client code changes are required to migrate from version 1.3.1 to 1.3.2.
Changes in version 1.3.2 include:
o FILEUPLOAD-272: Performance Improvement in MultipartStream. Prevents a DoS (CVE-2016-3092)
For complete information on Apache Commons FileUpload, including instructions on how to submit bug reports,
patches, or suggestions for improvement, see the Apache Commons FileUpload website:
https://commons.apache.org/proper/commons-fileupload/
------------------------------------------------------------------------------
Apache Commons FileUpload 1.3.1 RELEASE NOTES
The Apache Commons FileUpload team is pleased to announce the release of Apache Commons FileUpload 1.3.1.
The Apache Commons FileUpload component provides a simple yet flexible means of
adding support for multipart file upload functionality to servlets and web
applications. Version 1.3 onwards requires Java 5 or later.
No client code changes are required to migrate from version 1.3.0 to 1.3.1.
This is a security and maintenance release that includes an important security
fix as well as a small number of bugfixes.
Changes in version 1.3.1 include:
Fixed Bugs:
o SECURITY - CVE-2014-0050. Specially crafted input can trigger a DoS if the
buffer used by the MultipartStream is not big enough. When constructing
MultipartStream enforce the requirements for buffer size by throwing an
IllegalArgumentException if the requested buffer size is too small. This
prevents the DoS.
o When deserializing DiskFileItems ensure that the repository location, if
any, is a valid one. Thanks to Arun Babu Neelicattu.
o Correct example in usage documentation so it compiles.
For complete information on Apache Commons FileUpload, including instructions on how to submit bug reports,
patches, or suggestions for improvement, see the Apache Commons FileUpload website:
https://commons.apache.org/proper/commons-fileupload/