Add option to limit maxParts in multipart payloads #4425
Labels:
breaking changes (change that can break existing code)
feature (new functionality or improvement)
security (issue with security impact)
We have added the option `route.option.payload.maxParts`, in order to mitigate a DoS vector caused by an unbounded number of parts permitted in multipart payloads. The value of `maxParts` controls the maximum number of parts permitted in multipart payloads. The latest version of subtext also makes efforts to clean up any files written during payload processing in the case of a payload processing error. The breaking change here is that the default value for `maxParts` is `1000`, whereas before it was effectively unbounded.
This has been released in 21.3.0 and backported to 20.3.0.
Credit to @das7pad for the thorough report and disclosure.
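
An added illustration (not hapi's or subtext's code) of what a part limit enforces: the counter below scans a multipart body for delimiter lines and rejects the payload as soon as the count passes `maxParts`, so the work done stays bounded. The names `getBoundary`, `countParts`, `TooManyPartsError` and `buildSample` are hypothetical, and the sample body is constructed.

```javascript
'use strict';

// Hypothetical error type for this example; hapi reports the condition in its own way.
class TooManyPartsError extends Error {}

// Extract the boundary parameter from a multipart Content-Type header value.
function getBoundary(contentType) {
    const match = /^multipart\/[^;]+;.*?\bboundary=(?:"([^"]+)"|([^\s;]+))/i.exec(contentType);
    if (!match) {
        throw new Error('Not a multipart content type with a boundary');
    }
    return match[1] || match[2];
}

// Count parts by locating "--boundary" delimiter lines. The scan aborts the
// moment the limit is exceeded instead of walking the rest of the body.
// The default of 1000 mirrors the default stated in the issue.
function countParts(body, contentType, maxParts = 1000) {
    const delimiter = Buffer.from('--' + getBoundary(contentType));
    let parts = 0;
    let pos = body.indexOf(delimiter);
    while (pos !== -1) {
        const end = pos + delimiter.length;
        // A delimiter only counts at the start of the body or right after CRLF.
        const atLineStart = pos === 0 ||
            (pos >= 2 && body[pos - 2] === 0x0d && body[pos - 1] === 0x0a);
        const next = body.subarray(end, end + 2).toString('latin1');
        if (atLineStart && next === '--') {
            break; // closing delimiter "--boundary--": no more parts
        }
        if (atLineStart && next === '\r\n' && ++parts > maxParts) {
            throw new TooManyPartsError(`payload exceeds ${maxParts} parts`);
        }
        pos = body.indexOf(delimiter, end);
    }
    return parts;
}

// Constructed sample input: a multipart/form-data body with `n` small text fields.
function buildSample(n, boundary) {
    let body = '';
    for (let i = 0; i < n; i++) {
        body += `--${boundary}\r\nContent-Disposition: form-data; name="f${i}"\r\n\r\nv${i}\r\n`;
    }
    return Buffer.from(body + `--${boundary}--\r\n`);
}
```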