There is nothing preventing a badly coded or malicious client from sending a file in chunks of one byte. This could be exploited to flood a server with files and create file management overhead as well. All but the final block should have a minimum chunk size. There should also be a "final chunk" marker of some kind to allow only one final chunk and not several. This avoids a near-identical exploit where the "final" chunk is a single byte, but is kept below an ever-changing file size.
patch:
- 1.26 - same as master ( )
- 1.25 -
- 1.24 -
- 1.23 -
affected versions:
type: dos
CVE: CVE-2015-8002
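
The checks proposed in the description, as an added example (not code from the original report or from the affected project): a minimal server-side session model that enforces a minimum size on every non-final chunk and allows exactly one final chunk by pinning the declared file size when the upload starts. The class and function names and the 1024-byte minimum are assumptions made for illustration.

```python
MIN_CHUNK_SIZE = 1024  # assumed policy value, not taken from the report


class ChunkRejected(Exception):
    """Raised when a chunk violates the upload session's rules."""


class UploadSession:
    """Server-side state for one chunked upload (hypothetical model)."""

    def __init__(self, declared_size, min_chunk=MIN_CHUNK_SIZE):
        if declared_size <= 0:
            raise ChunkRejected("declared size must be positive")
        self.declared_size = declared_size  # pinned at the first request
        self.min_chunk = min_chunk
        self.received = 0
        self.finished = False

    def accept(self, offset, data, declared_size):
        """Validate one chunk; return True if it was the final chunk."""
        if self.finished:
            raise ChunkRejected("final chunk already received")
        if declared_size != self.declared_size:
            # Blocks the variant where each tiny chunk claims to be "final"
            # against a file size that changes from request to request.
            raise ChunkRejected("declared file size changed mid-upload")
        if offset != self.received:
            raise ChunkRejected("unexpected offset")
        end = offset + len(data)
        if end > self.declared_size:
            raise ChunkRejected("chunk exceeds declared file size")
        is_final = end == self.declared_size
        if not is_final and len(data) < self.min_chunk:
            raise ChunkRejected("non-final chunk below minimum size")
        self.received = end
        self.finished = is_final
        return is_final


def try_upload(session, requests):
    """Feed (offset, data, declared_size) tuples to the session.

    Returns (number of chunks accepted, rejection reason or None).
    """
    for n, (offset, data, size) in enumerate(requests):
        try:
            session.accept(offset, data, size)
        except ChunkRejected as exc:
            return n, str(exc)
    return len(requests), None
```

With these rules the number of chunks per upload is bounded by the declared size divided by the minimum chunk size, plus one.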