              Apache Commons FileUpload 1.4 RELEASE NOTES

The Apache Commons FileUpload team is pleased to announce the release of Apache Commons FileUpload 1.4.

The Apache Commons FileUpload component provides a simple yet flexible means of
adding support for multipart file upload functionality to servlets and web
applications. Version 1.3 onwards requires Java 6 or later.

No client code changes are required to migrate from version 1.3.0 to 1.3.1.


1.4 Release

Changes in version 1.4 include:

New features:
o                  Site: added security report

Fixed Bugs:
o FILEUPLOAD-252:  DiskFileItem#write() could lose original IO exception
o FILEUPLOAD-258:  DiskFileItem#getStoreLocation() wrongly returned a File object for items stored in memory
o FILEUPLOAD-242:  FileUploadBase - should not silently catch and ignore all Throwables
o FILEUPLOAD-257:  Fix Javadoc 1.8.0 errors
o FILEUPLOAD-234:  Fix section "Resource cleanup" of the user guide
o FILEUPLOAD-237:  Fix streaming example: use FileItem.getInputStream() instead of openStream()
o FILEUPLOAD-248:  DiskFileItem might suppress critical IOExceptions on rename - use FileUtil.move instead
o FILEUPLOAD-251:  DiskFileItem#getTempFile() is broken
o FILEUPLOAD-250:  FileUploadBase - potential resource leak - InputStream not closed on exception
o FILEUPLOAD-244:  DiskFileItem.readObject fails to close FileInputStream
o FILEUPLOAD-245:  DiskFileItem.get() may not fully read the data

Changes:
o FILEUPLOAD-292:  Don't create un-needed resources in FileUploadBase.java
o FILEUPLOAD-282:  Upversion complier.source, compiler.target to 1.6
o FILEUPLOAD-246:  FileUpload should use IOUtils.closeQuietly where relevant
o FILEUPLOAD-243:  Make some MultipartStream private fields final Thanks to Ville Skytt.


For complete information on Apache Commons FileUpload, including instructions on how to submit bug reports,
patches, or suggestions for improvement, see the Apache Apache Commons FileUpload website:

http://commons.apache.org/proper/commons-fileupload/

------------------------------------------------------------------------------

              Apache Commons FileUpload 1.3.3 RELEASE NOTES

The Apache Commons FileUpload team is pleased to announce the release of Apache Commons FileUpload 1.3.3.

The Apache Commons FileUpload component provides a simple yet flexible means of
adding support for multipart file upload functionality to servlets and web
applications. Version 1.3 onwards requires Java 5 or later.

No client code changes are required to migrate from version 1.3.0, 1.3.1, or 1.3.2, to 1.3.3

Changes in version 1.3.3 include:

o FILEUPLOAD-279:  DiskFileItem can no longer be deserialized, unless a particular system property is set.


For complete information on Apache Commons FileUpload, including instructions on how to submit bug reports,
patches, or suggestions for improvement, see the Apache Apache Commons FileUpload website:

http://commons.apache.org/proper/commons-fileupload/

------------------------------------------------------------------------------

No client code changes are required to migrate from version 1.3.1 to 1.3.2.

Changes in version 1.3.2 include:

o FILEUPLOAD-272:  Performance Improvement in MultipartStream. Prevents a DoS (CVE-2016-3092)


For complete information on Apache Commons FileUpload, including instructions on how to submit bug reports,
patches, or suggestions for improvement, see the Apache Apache Commons FileUpload website:

http://commons.apache.org/proper/commons-fileupload/

------------------------------------------------------------------------------

              Apache Commons FileUpload 1.3.1 RELEASE NOTES

The Apache Commons FileUpload team is pleased to announce the release of Apache Commons FileUpload 1.3.1.

The Apache Commons FileUpload component provides a simple yet flexible means of
adding support for multipart file upload functionality to servlets and web
applications. Version 1.3 onwards requires Java 5 or later.

No client code changes are required to migrate from version 1.3.0 to 1.3.1.


This is a security and maintenance release that includes an important security
fix as well as a small number of bugfixes.

Changes in version 1.3.1 include:


Fixed Bugs:
o                  SECURITY - CVE-2014-0050. Specially crafted input can trigger a DoS if the
                   buffer used by the MultipartStream is not big enough. When constructing
                   MultipartStream enforce the requirements for buffer size by throwing an
                   IllegalArgumentException if the requested buffer size is too small. This
                   prevents the DoS.
o                  When deserializing DiskFileItems ensure that the repository location, if
                   any, is a valid one. Thanks to Arun Babu Neelicattu.
o                  Correct example in usage documentation so it compiles.



For complete information on Apache Commons FileUpload, including instructions on how to submit bug reports,
patches, or suggestions for improvement, see the Apache Apache Commons FileUpload website:

http://commons.apache.org/proper/commons-fileupload/

