From 1816565c37dc1a2ccd2822f3e31f50c98bafd8aa Mon Sep 17 00:00:00 2001
From: wk333 <13474090681@163.com>
Date: Mon, 30 Jun 2025 09:50:55 +0800
Subject: [PATCH] Fix CVE-2025-48976
(cherry picked from commit a0af2471fd0a7821d63379b6c45e1cdd06a26c71)
---
 CVE-2025-48976.patch | 196 +++++++++++++++++++++++++++++++++
 apache-commons-fileupload.spec | 9 +-
 2 files changed, 202 insertions(+), 3 deletions(-)
 create mode 100644 CVE-2025-48976.patch
diff --git a/CVE-2025-48976.patch b/CVE-2025-48976.patch
new file mode 100644
index 0000000..c1fde37
--- /dev/null
+++ b/CVE-2025-48976.patch
@@ -0,0 +1,196 @@
+From 2108495a4775910b8559f18ed5a779d60542ee96 Mon Sep 17 00:00:00 2001
+From: Mark Thomas
+Date: Thu, 5 Jun 2025 11:21:25 +0100
+Subject: [PATCH] Add new limit partHeaderSizeMax that defaults to 512 bytes
+
+Origin: https://github.com/apache/commons-fileupload/commit/2108495a4775910b8559f18ed5a779d60542ee96
+
+Implements a TODO to allow users to control the maximum permitted size
+of the multipart headers for a single part.
+
+---
+ .../commons/fileupload/FileUploadBase.java | 39 ++++++++++++++++-
+ .../commons/fileupload/MultipartStream.java | 42 ++++++++++++++++---
+ 2 files changed, 73 insertions(+), 8 deletions(-)
+
+diff --git a/src/main/java/org/apache/commons/fileupload/FileUploadBase.java b/src/main/java/org/apache/commons/fileupload/FileUploadBase.java
+index 1d6ac48..77a8e0b 100644
+--- a/src/main/java/org/apache/commons/fileupload/FileUploadBase.java
++++ b/src/main/java/org/apache/commons/fileupload/FileUploadBase.java
+@@ -145,12 +145,19 @@ public abstract class FileUploadBase {
+ * The maximum length of a single header line that will be parsed
+ * (1024 bytes).
+ * @deprecated This constant is no longer used. As of commons-fileupload
+- * 1.2, the only applicable limit is the total size of a parts headers,
+- * {@link MultipartStream#HEADER_PART_SIZE_MAX}.
++ * 1.6, the applicable limit is the total size of a single part's headers,
++ * {@link #getPartHeaderSizeMax()} in bytes.
+ */
+ @Deprecated
+ public static final int MAX_HEADER_SIZE = 1024;
+
++ /**
++ * Default per part header size limit in bytes.
++ *
++ * @since 1.6
++ */
++ public static final int DEFAULT_PART_HEADER_SIZE_MAX = 512;
++
+ // ----------------------------------------------------------- Data members
+
+ /**
+@@ -171,6 +178,11 @@ public abstract class FileUploadBase {
+ */
+ private long fileCountMax = -1;
+
++ /**
++ * The maximum permitted size of the headers provided with a single part in bytes.
++ */
++ private int partHeaderSizeMax = DEFAULT_PART_HEADER_SIZE_MAX;
++
+ /**
+ * The content encoding to use when reading part headers.
+ */
+@@ -290,6 +302,17 @@ public abstract class FileUploadBase {
+ headerEncoding = encoding;
+ }
+
++ /**
++ * Sets the per part size limit for headers.
++ *
++ * @param partHeaderSizeMax The maximum size of the headers in bytes.
++ *
++ * @since 1.6
++ */
++ public void setPartHeaderSizeMax(final int partHeaderSizeMax) {
++ this.partHeaderSizeMax = partHeaderSizeMax;
++ }
++
+ // --------------------------------------------------------- Public methods
+
+ /**
+@@ -338,6 +361,17 @@ public abstract class FileUploadBase {
+ }
+ }
+
++ /**
++ * Obtain the per part size limit for headers.
++ *
++ * @return The maximum size of the headers for a single part in bytes.
++ *
++ * @since 1.6
++ */
++ public int getPartHeaderSizeMax() {
++ return partHeaderSizeMax;
++ }
++
+ /**
+ * Processes an RFC 1867
+ * compliant multipart/form-data stream.
+@@ -1041,6 +1075,7 @@ public abstract class FileUploadBase {
+ format("The boundary specified in the %s header is too long", CONTENT_TYPE), iae);
+ }
+ multi.setHeaderEncoding(charEncoding);
++ multi.setPartHeaderSizeMax(getPartHeaderSizeMax());
+
+ skipPreamble = true;
+ findNextItem();
+diff --git a/src/main/java/org/apache/commons/fileupload/MultipartStream.java b/src/main/java/org/apache/commons/fileupload/MultipartStream.java
+index 2c58e7e..3976918 100644
+--- a/src/main/java/org/apache/commons/fileupload/MultipartStream.java
++++ b/src/main/java/org/apache/commons/fileupload/MultipartStream.java
+@@ -25,6 +25,7 @@ import java.io.OutputStream;
+ import java.io.UnsupportedEncodingException;
+
+ import org.apache.commons.fileupload.FileUploadBase.FileUploadIOException;
++import org.apache.commons.fileupload.FileUploadBase.SizeLimitExceededException;
+ import org.apache.commons.fileupload.util.Closeable;
+ import org.apache.commons.fileupload.util.Streams;
+
+@@ -173,7 +174,10 @@ public class
MultipartStream {
+ /**
+ * The maximum length of header-part that will be
+ * processed (10 kilobytes = 10240 bytes.).
++ *
++ * @deprecated Unused. Replaced by {@link #getPartHeaderSizeMax()}.
+ */
++ @Deprecated
+ public static final int HEADER_PART_SIZE_MAX = 10240;
+
+ /**
+@@ -266,6 +270,11 @@ public class MultipartStream {
+ */
+ private final ProgressNotifier notifier;
+
++ /**
++ * The maximum permitted size of the headers provided with a single part in bytes.
++ */
++ private int partHeaderSizeMax = FileUploadBase.DEFAULT_PART_HEADER_SIZE_MAX;
++
+ // ----------------------------------------------------------- Constructors
+
+ /**
+@@ -401,6 +410,17 @@ public class MultipartStream {
+ return headerEncoding;
+ }
+
++ /**
++ * Obtain the per part size limit for headers.
++ *
++ * @return The maximum size of the headers for a single part in bytes.
++ *
++ * @since 1.6
++ */
++ public int getPartHeaderSizeMax() {
++ return partHeaderSizeMax;
++ }
++
+ /**
+ * Specifies the character encoding to be used when reading the headers of
+ * individual parts. When not specified, or null, the platform
+@@ -546,8 +566,6 @@ public class MultipartStream {
+ * trailing CRLF marker. Parsing is left to the
+ * application.
+ *
+- *

TODO allow limiting maximum header size to
+- * protect against abuse.
+ *
+ * @return The header-part of the current encapsulation.
+ *
+@@ -569,10 +587,11 @@ public class MultipartStream {
+ } catch (IOException e) {
+ throw new MalformedStreamException("Stream ended unexpectedly");
+ }
+- if (++size > HEADER_PART_SIZE_MAX) {
+- throw new MalformedStreamException(
+- format("Header section has more than %s bytes (maybe it is not properly terminated)",
+- Integer.valueOf(HEADER_PART_SIZE_MAX)));
++ size++;
++ if (getPartHeaderSizeMax() != -1 && size > getPartHeaderSizeMax()) {
++ throw new FileUploadIOException(new SizeLimitExceededException(
++ String.format("Header section has more than %s bytes (maybe it is not properly terminated)", Integer.valueOf(getPartHeaderSizeMax())),
++ size, getPartHeaderSizeMax()));
+ }
+ if (b == HEADER_SEPARATOR[i]) {
+ i++;
+@@ -646,6 +665,17 @@ public class MultipartStream {
+ return readBodyData(null);
+ }
+
++ /**
++ * Sets the per part size limit for headers.
++ *
++ * @param partHeaderSizeMax The maximum size of the headers in bytes.
++ *
++ * @since 1.6
++ */
++ public void setPartHeaderSizeMax(final int partHeaderSizeMax) {
++ this.partHeaderSizeMax = partHeaderSizeMax;
++ }
++
+ /**
+ * Finds the beginning of the first encapsulation.
+ *
+--
+2.49.0
+
diff --git a/apache-commons-fileupload.spec b/apache-commons-fileupload.spec
index 508bab8..2465dbe 100644
--- a/apache-commons-fileupload.spec
+++ b/apache-commons-fileupload.spec
@@ -1,7 +1,7 @@
 %bcond_without portlet
 Name: apache-commons-fileupload
 Version: 1.4
-Release: 2
+Release: 3
 Summary: API to work with HTML file upload
 License: ASL 2.0
 URL: http://commons.apache.org/fileupload/
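Review bot: `setPartHeaderSizeMax(int)` in both FileUploadBase and MultipartStream stores any value unchecked, and none of the added Javadoc says that -1 switches the limit off, although the new `readHeaders()` condition `getPartHeaderSizeMax() != -1 && size > getPartHeaderSizeMax()` treats it that way. With 0 or a negative value other than -1 that condition is already true on the first header byte, so every part is rejected, while -1 removes the cap altogether now that `HEADER_PART_SIZE_MAX` is no longer enforced. I would document the sentinel on the field, setters and getters, e.g. `@param partHeaderSizeMax The maximum size of the headers in bytes, or -1 for no limit.`, and consider rejecting values below -1 in the setter. The effective default also drops from 10240 to 512 bytes and the failure is now a `FileUploadIOException` wrapping `SizeLimitExceededException` rather than `MalformedStreamException`, which users of this 1.4 package may need called out; the `@since 1.6` tags do not match the packaged version. The body of `readHeaders()` starts and ends outside the hunk, so how the exception propagates to callers is not visible here.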
@@ -9,6 +9,7 @@ BuildArch: noarch Source0: http://archive.apache.org/dist/commons/fileupload/source/commons-fileupload-%{version}-src.tar.gz Patch0: CVE-2023-24998.patch +Patch1: CVE-2025-48976.patch BuildRequires: maven-local mvn(commons-io:commons-io) mvn(javax.servlet:servlet-api) BuildRequires: mvn(junit:junit) mvn(org.apache.commons:commons-parent:pom:) %if %{with portlet} @@ -30,8 +31,7 @@ Obsoletes: %{name}-javadoc < %{version}-%{release} This package contains the API documentation for %{name}. %prep -%setup -q -n commons-fileupload-%{version}-src -%patch0 -p1 +%autosetup -n commons-fileupload-%{version}-src -p1 sed -i 's/\r//' LICENSE.txt sed -i 's/\r//' NOTICE.txt %if %{with portlet} @@ -58,6 +58,9 @@ rm -r src/main/java/org/apache/commons/fileupload/portlet %license LICENSE.txt NOTICE.txt %changelog +* Mon Jun 30 2025 wangkai <13474090681@163.com> - 1.4-3 +- Fix CVE-2025-48976 + * Mon Mar 06 2023 liyuxiang - 1.4-2 - fix CVE-2023-24998 -- Gitee