Apache Commons logo Commons FileUpload

Release Notes

Release History

Version Date Description
1.4 2018-12-23 1.4 Release
1.3.3 2017-06-13 Bugfix release for 1.3.3
1.3.2 2016.05-26 Bugfix release for 1.3.1
1.3.2 2014-02-07 This is a security and maintenance release that includes an important security fix as well. Compared to 1.3.1, no other changes have been made.
1.3.1 2014-02-07 This is a security and maintenance release that includes an important security fix as well as a small number of bugfixes.
1.3 2013-03-27 maintenance release, JDK1.5 update
1.2.2 2010-07-29  
1.2.1 2008-01-18  
1.2 2007-02-13  
1.1.1 2006-06-08 Bugfix release
1.1 2005-12-24 Portlet support, substantial refactoring and numerous bug fixes

Release 1.4 – 2018-12-23

Type Changes By
Update Don't create un-needed resources in FileUploadBase.java. Fixes FILEUPLOAD-292. chtompki
Update Upversion complier.source, compiler.target to 1.6. Fixes FILEUPLOAD-282. chtompki
Fix DiskFileItem#write() could lose original IO exception. Fixes FILEUPLOAD-252. tn
Fix DiskFileItem#getStoreLocation() wrongly returned a File object for items stored in memory. Fixes FILEUPLOAD-258. tn
Fix FileUploadBase - should not silently catch and ignore all Throwables. Fixes FILEUPLOAD-242. tn
Fix Fix Javadoc 1.8.0 errors. Fixes FILEUPLOAD-257. tn
Fix Fix section "Resource cleanup" of the user guide. Fixes FILEUPLOAD-234. tn
Fix Fix streaming example: use FileItem.getInputStream() instead of openStream(). Fixes FILEUPLOAD-237. tn
Fix DiskFileItem might suppress critical IOExceptions on rename - use FileUtil.move instead. Fixes FILEUPLOAD-248. ecki
Fix DiskFileItem#getTempFile() is broken. Fixes FILEUPLOAD-251. sebb
Fix FileUploadBase - potential resource leak - InputStream not closed on exception. Fixes FILEUPLOAD-250. sebb
Fix DiskFileItem.readObject fails to close FileInputStream. Fixes FILEUPLOAD-244. sebb
Update FileUpload should use IOUtils.closeQuietly where relevant. Fixes FILEUPLOAD-246. sebb
Fix DiskFileItem.get() may not fully read the data. Fixes FILEUPLOAD-245. sebb
Update Make some MultipartStream private fields final. Fixes FILEUPLOAD-243. Thanks to Ville Skyttä. sebb
Add Site: added security report ecki
Unknown Improve performance for large multi-part boundaries Thanks to Felix Schumacher. markt
Unknown Added the default character set to the DiskFileItem. Fixes FILEUPLOAD-286. Thanks to maxxedev. jochen
Unknown Avoid using File.exists() on temporary files, if we know that the file has been created. Fixes FILEUPLOAD-288. Thanks to fangwentong. jochen
Unknown Added .travis.yml, to fix build issues on Github. Thanks to Pascal Schumacher. jochen

Release 1.3.3 – 2017-06-13

Type Changes By
Fix DiskDileItem can actually no longer be deserialized, unless a system property is set to true. Fixes FILEUPLOAD-279. jochen

Release 1.3.2 – 2016.05-26

Type Changes By
Update SECURITY - CVE-2016-3092. Performance Improvement in MultipartStream. Fixes FILEUPLOAD-272. jochen

Release 1.3.2 – 2014-02-07

Type Changes By
Fix SECURITY - CVE-2016-3092. Specially crafted input can trigger a DoS, if the size of the MIME boundard is close to the size of the buffer in MultipartStream. (Similar to CVE-2014-0050.) jochen

Release 1.3.1 – 2014-02-07

Type Changes By
Fix SECURITY - CVE-2014-0050. Specially crafted input can trigger a DoS if the buffer used by the MultipartStream is not big enough. When constructing MultipartStream enforce the requirements for buffer size by throwing an IllegalArgumentException if the requested buffer size is too small. This prevents the DoS. markt
Fix When deserializing DiskFileItems ensure that the repository location, if any, is a valid one. Thanks to Arun Babu Neelicattu. markt
Fix Correct example in usage documentation so it compiles. markt

Release 1.3 – 2013-03-27

Type Changes By
Fix SECURITY - CVE-2013-0248. Update the Javadoc and documentation to make it clear that setting a repository is required for a secure configuration if there are local, untrusted users. markt
Update Update the project tree dirs according to default Maven conventions. Fixes FILEUPLOAD-216. simonetripodi
Update drop JDK1.3 support and update to Java5. Fixes FILEUPLOAD-217. simonetripodi
Update Update version in POM. Fixes FILEUPLOAD-218. simonetripodi
Update upgrade tests to JUnit 4. Fixes FILEUPLOAD-219. simonetripodi
Update replace package.html with package-info.java. Fixes FILEUPLOAD-220. simonetripodi
Update FileItemHeadersImpl can now use LinkedHashMap. Fixes FILEUPLOAD-221. simonetripodi
Update Mark @deprecated classes/methods with @Deprecated annotation. Fixes FILEUPLOAD-222. simonetripodi
Fix Base64Decoder doesn't correctly implement RFC 4648. Fixes FILEUPLOAD-233. Thanks to Simone Tripodi. sebb
Fix "Stream ended unexpectedly" when posting from a Flash client. Fixes FILEUPLOAD-143. Thanks to Luke Scott. jochen
Fix Manifest for OSGi has invalid syntax. Fixes FILEUPLOAD-173. Thanks to Bjorn Harvold. simonetripodi
Fix commons-io dependency does not get loaded by maven if only dependency to commons-fileupload is specified. Fixes FILEUPLOAD-183. Thanks to Roman Arkadijovych Muntyanu. simonetripodi
Fix http://commons.apache.org/fileupload/index.html is out of date. Fixes FILEUPLOAD-185. Thanks to Sebb. simonetripodi
Fix http://commons.apache.org/fileupload/index.html should not mention nightly builds. Fixes FILEUPLOAD-186. Thanks to Sebb. simonetripodi
Fix DiskFileItemFactory use of FileCleaningTracker is documented or coded wrong - proposal submitted by Jan Novotný. Fixes FILEUPLOAD-189. Thanks to Gregor K. simonetripodi
Fix Error reading the file size larger than 2 gb - pull request from Gergely. Fixes FILEUPLOAD-195. Thanks to Juliano Alves. simonetripodi
Fix ServletFileUpload isMultipartContent method does not support HTTP PUT - thanks Roy T. Fielding and Jochen Wiedmann. Fixes FILEUPLOAD-197. Thanks to David Wolverton. simonetripodi
Fix Uploads have unexpected results for files with non-ASCII names - support RFC2047 - thanks Thomas Neidhart. Fixes FILEUPLOAD-199. Thanks to Mark Thomas. simonetripodi
Fix Exceptions resulting from upload size limitations (fileSizeMax, sizeMax) are now correctly propagated to the caller (these could be encountered formerly as MalformedStreamException: "Stream ended unexpectedly"). Fixes FILEUPLOAD-202. Thanks to tina. tn
Fix FileItem.getHeaders() returns always null. Fixes FILEUPLOAD-204. Thanks to Hakju Oh. jochen
Fix The sizeMax parameter within FileUpload is now correctly enforced if no content length header is provided. Fixes FILEUPLOAD-212. Thanks to Damian Kolasa. tn
Fix ServletFileUpload only accepts POST requests. Fixes FILEUPLOAD-214. Thanks to Matthew Runo. simonetripodi
Fix (Servlet|Portlet)RequestContext#contentLength() must return request.getContentLength() if Content-length header is not available. Fixes FILEUPLOAD-228. Thanks to Thomas Neidhart. simonetripodi
Fix toLowerCase() is Locale-dependent; should use toLowerCase(Locale.ENGLISH) instead. Fixes FILEUPLOAD-229. Thanks to seb. simonetripodi
Fix There are no unit tests for the new utils.mime classes. Fixes FILEUPLOAD-229. Thanks to seb. sebb,simonetripodi
Add Documentation: add simple HTML form example to fileupload user guide. Fixes FILEUPLOAD-182. Thanks to Chris Lott. simonetripodi
Add enhance file read/write performance - patch provided by frank. Fixes FILEUPLOAD-207. Thanks to frank. simonetripodi
Add Add Support for Generic Types. Fixes FILEUPLOAD-209. Thanks to Fernando Ribeiro. simonetripodi
Add Process HTTP Requests Into Maps. Fixes FILEUPLOAD-210. Thanks to Fernando Ribeiro. simonetripodi
Update Update commons-io dependency to latest version that supports JDK1.5. Fixes FILEUPLOAD-223. simonetripodi
Update Avoid string concatenations while parsing headers, use buffers instead. Fixes FILEUPLOAD-224. simonetripodi
Update Replace java.rmi.server.UID() with java.util.UUID. Fixes FILEUPLOAD-225. simonetripodi
Update DiskFileItem.counter could be converted to AtomicInteger (or AtomicLong?). Fixes FILEUPLOAD-226. sebb
Update Private immutable fields which could be final. Fixes FILEUPLOAD-227. sebb
Update Update to JDK 1.5 and bump IO dependency to 2.0.1. Fixes FILEUPLOAD-201. simonetripodi
Update version 1.3 improvement tasks. Fixes FILEUPLOAD-215. simonetripodi

Release 1.2.2 – 2010-07-29

Type Changes By
Fix Added a check for file names containing a NULL characters. Such file names are now triggering an InvalidFileNameException since the file name cannot be used as provided to create the file since it will be truncated at the NUL character on most (all?) operating systems. E.g. a file name like "test.foo0.bar" would result in "test.foo" being created. Thanks to Daniel Fabian. jochen
Fix Temporary files have not been deleted, if an error occurred in FileUploadBase.parseRequest();. Fixes FILEUPLOAD-160. Thanks to Stepan Koltsov. jochen
Fix Fixed example in MultipartStream Javadocs. Fixes FILEUPLOAD-158. Thanks to Stepan Koltsov. jochen
Fix Ensured, that the ProgressListener is called for all items. Fixes FILEUPLOAD-157. Thanks to Paul Spurr. jochen
Fix Made the ProgressNotifier public. Fixes FILEUPLOAD-156. jochen
Fix Multiple documentation fixes. Fixes FILEUPLOAD-155. Thanks to Jörg Heinicke. jochen
Fix Fixed the error message for FileSizeLimitExceededException from "too many characters" to "too many bytes". Fixes FILEUPLOAD-152. Thanks to Duzakropka. jochen
Add A FileSizeLimitExceededException does now contain the file and field name of the item, which caused the problem. Fixes FILEUPLOAD-154. jochen
Fix The FileItemHeader stuff hasn't been actually working. Fixes FILEUPLOAD-130. Thanks to Guillaume Cottenceau. jochen

Release 1.2.1 – 2008-01-18

Type Changes By
Fix Upgrade to commons-io-1.4-SNAPSHOT, in order to use the new FileCleaningTracker and fix issues with FileCleaner. jochen
Fix Made the MockHttpServletRequest comply to the servlet 2.4 specification by applying http://www.sourcelabs.com/dashboards/sash-1.2/patches/commons-fileupload-1.1-1/SUP-520.diff. Fixes FILEUPLOAD-129. jochen
Add Added support for accessing the file item headers. Fixes FILEUPLOAD-130. Thanks to Michael Macaluso. jochen
Fix A MalformedStreamException is now thrown, if the size of an items headers exceeds HEADER_PART_SIZE_MAX;. Fixes FILEUPLOAD-116. Thanks to Amichai Rothman. jochen
Fix DiskFileItem.toString() could throw an NPE. Fixes FILEUPLOAD-134. Thanks to Thomas Vandahl. jochen
Fix Short files could cause an unexpected end of the item stream. Fixes FILEUPLOAD-135. Thanks to Alexander Sova. jochen
Fix A FileSizeLimitExceededException was deferred until the complete file has been uploaded. Additionally, the FileSizeLimitException is now thrown immediately, if the attachments headers contain a content-length value, which exceeds the configured limit. Fixes FILEUPLOAD-145. jochen
Fix Fixed a classpath problem when building with Sun JDK 1.3.1 and Ant. Fixes FILEUPLOAD-153. Thanks to Gary Gregory. jochen

Release 1.2 – 2007-02-13

Type Changes By
Fix Made Streams.asString static. Thanks to Aaron Freeman. jochen
Update Eliminated duplicate code. Fixes FILEUPLOAD-109. jochen
Add Added a streaming API. Fixes FILEUPLOAD-112. jochen
Fix Eliminated the necessity of a content-length header. Fixes FILEUPLOAD-93. jochen
Fix Eliminated the limitation of a maximum size for a single header line. (The total size of all headers is already limited, so there's no need for another limit.). Fixes FILEUPLOAD-108. Thanks to Amichai Rothman. jochen
Add Added the ProgressListener, which allows to implement a progress bar. Fixes FILEUPLOAD-87. jochen
Add Added support for header continuation lines. Fixes FILEUPLOAD-111. Thanks to Amichai Rothman. jochen
Add It is now possible to limit the actual file size and not the request size. Fixes FILEUPLOAD-88. Thanks to Andrey Aristarkhov. jochen
Add Added the FileCleanerCleanup as an example for how to close down the FileCleaner's reaper thread nicely. Fixes FILEUPLOAD-120. Thanks to Henry Yandell. jochen
Fix A descriptive NPE is now thrown, if the FileItemFactory has not been set. Fixes FILEUPLOAD-123. jochen

Release 1.1.1 – 2006-06-08

Type Changes By
Fix Cache disk file item size when it is moved to a new location. Fixes FILEUPLOAD-20. martinc
Fix File names were being inadvertently converted to lower case. Fixes FILEUPLOAD-30. martinc

Release 1.1 – 2005-12-24

Type Changes By
Update Updates for FileUpload 1.1-RC1. martinc
Add Added release notes for FileUpload 1.1. martinc
Update Update the User Guide to document the "right" way of using FileUpload 1.1, rather than the older, and thus deprecated, ways that are compatible with FileUpload 1.0. martinc
Add Add this change log, including all changes since the Commons FileUpload 1.0 release. martinc
Update Update Commons IO dependency to version 1.1. martinc
Add Add custom PMD configuration. martinc
Update Make inner exception classes static, which they should have been all along. martinc
Fix Fix Checkstyle warnings. martinc
Fix Remove Javadoc warnings. Fixes FILEUPLOAD-29. Thanks to Rahul Akolkar. martinc
Update Build updates: martinc