diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..cc5036d
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/commons-fileupload-1.3-src.tar.gz
diff --git a/.thermostat1-apache-commons-fileupload.metadata b/.thermostat1-apache-commons-fileupload.metadata
new file mode 100644
index 0000000..b8c196d
--- /dev/null
+++ b/.thermostat1-apache-commons-fileupload.metadata
@@ -0,0 +1 @@
+cf8e495fd3b114525ec310fe44f87afbb05c7ea5 SOURCES/commons-fileupload-1.3-src.tar.gz
diff --git a/README.md b/README.md
deleted file mode 100644
index ce46a88..0000000
--- a/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-\
-The master branch has no content
-
-Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6
-If you find this file in a distro specific branch, it means that no content has been checked in yet
diff --git a/SOURCES/CVE-2013-2186-commons-fileupload.patch b/SOURCES/CVE-2013-2186-commons-fileupload.patch
new file mode 100644
index 0000000..7e8eca9
--- /dev/null
+++ b/SOURCES/CVE-2013-2186-commons-fileupload.patch
@@ -0,0 +1,31 @@
+Index: src/java/org/apache/commons/fileupload/disk/DiskFileItem.java
+===================================================================
+--- src/java/org/apache/commons/fileupload/disk/DiskFileItem.java (revision 1516371)
++++ src/java/org/apache/commons/fileupload/disk/DiskFileItem.java (working copy)
+@@ -712,6 +712,26 @@
+ // read values
+ in.defaultReadObject();
+
++ /* One expected use of serialization is to migrate HTTP sessions
++ * containing a DiskFileItem between JVMs. Particularly if the JVMs are
++ * on different machines It is possible that the repository location is
++ * not valid so validate it.
++ */
++ if (repository != null) {
++ if (repository.isDirectory()) {
++ // Check path for nulls
++ if (repository.getPath().contains("\0")) {
++ throw new IOException("The repository [" +
++ repository.getPath()
++ +"] contains a null character");
++ }
++ } else {
++ throw new IOException("The repository [" +
++ repository.getAbsolutePath() +
++ "] is not a directory");
++ }
++ }
++
+ OutputStream output = getOutputStream();
+ if (cachedContent != null) {
+ output.write(cachedContent);
diff --git a/SOURCES/apache-commons-fileupload-CVE-2014-0050.patch b/SOURCES/apache-commons-fileupload-CVE-2014-0050.patch
new file mode 100644
index 0000000..3780736
--- /dev/null
+++ b/SOURCES/apache-commons-fileupload-CVE-2014-0050.patch
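Review bot: The NUL-byte check on `repository.getPath()` is only reached when `repository.isDirectory()` is true, so a path with an embedded NUL that the filesystem layer refuses to treat as a directory is reported as "not a directory" rather than as containing a NUL; hoisting the `contains("\0")` test above the `isDirectory()` branch keeps the diagnostic consistent. The two messages also differ in using `getPath()` versus `getAbsolutePath()`; picking one form makes log correlation easier. When `repository` is null the whole validation is skipped and `getOutputStream()` runs with whatever default the class falls back to; that default is outside this hunk, so it is worth confirming it does not itself come from deserialized state. The enclosing `readObject` starts and ends outside the hunk.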
@@ -0,0 +1,151 @@
+diff --git a/src/main/java/org/apache/commons/fileupload/FileUploadBase.java b/src/main/java/org/apache/commons/fileupload/FileUploadBase.java
+index b693744..c8f5ca1 100644
+--- a/src/main/java/org/apache/commons/fileupload/FileUploadBase.java
++++ b/src/main/java/org/apache/commons/fileupload/FileUploadBase.java
+@@ -991,7 +991,12 @@ public abstract class FileUploadBase {
+ }
+
+ notifier = new MultipartStream.ProgressNotifier(listener, requestSize);
+- multi = new MultipartStream(input, boundary, notifier);
++ try {
++ multi = new MultipartStream(input, boundary, notifier);
++ } catch (IllegalArgumentException iae) {
++ throw new InvalidContentTypeException(
++ format("The boundary specified in the %s header is too long", CONTENT_TYPE), iae);
++ }
+ multi.setHeaderEncoding(charEncoding);
+
+ skipPreamble = true;
+@@ -1183,7 +1188,7 @@ public abstract class FileUploadBase {
+ * detail message.
+ */
+ public InvalidContentTypeException() {
+- // Nothing to do.
++ super();
+ }
+
+ /**
+@@ -1196,6 +1201,9 @@ public abstract class FileUploadBase {
+ super(message);
+ }
+
++ public InvalidContentTypeException(String msg, Throwable cause) {
++ super(msg, cause);
++ }
+ }
+
+ /**
+diff --git a/src/main/java/org/apache/commons/fileupload/MultipartStream.java b/src/main/java/org/apache/commons/fileupload/MultipartStream.java
+index 9088947..0474ef9 100644
+--- a/src/main/java/org/apache/commons/fileupload/MultipartStream.java
++++ b/src/main/java/org/apache/commons/fileupload/MultipartStream.java
+@@ -268,10 +268,8 @@ public class MultipartStream {
+ /**
+ * Creates a new instance.
+ *
+- * @deprecated 1.2.1 Use {@link #MultipartStream(InputStream, byte[],
+- * org.apache.commons.fileupload.MultipartStream.ProgressNotifier)},
+- * or {@link #MultipartStream(InputStream, byte[], int,
+- * org.apache.commons.fileupload.MultipartStream.ProgressNotifier)}
++ * @deprecated 1.2.1 Use {@link #MultipartStream(InputStream, byte[], int,
++ * ProgressNotifier)}
+ */
+ @Deprecated
+ public MultipartStream() {
+@@ -292,10 +290,8 @@ public class MultipartStream {
+ * encapsulations.
+ * @param bufSize The size of the buffer to be used, in bytes.
+ *
+- * @see #MultipartStream(InputStream, byte[],
+- * MultipartStream.ProgressNotifier)
+ * @deprecated 1.2.1 Use {@link #MultipartStream(InputStream, byte[], int,
+- * org.apache.commons.fileupload.MultipartStream.ProgressNotifier)}.
++ * ProgressNotifier)}.
+ */
+ @Deprecated
+ public MultipartStream(InputStream input, byte[] boundary, int bufSize) {
+@@ -317,8 +313,7 @@ public class MultipartStream {
+ * @param pNotifier The notifier, which is used for calling the
+ * progress listener, if any.
+ *
+- * @see #MultipartStream(InputStream, byte[],
+- * MultipartStream.ProgressNotifier)
++ * @throws IllegalArgumentException If the buffer size is too small
+ */
+ MultipartStream(InputStream input,
+ byte[] boundary,
+@@ -331,9 +326,14 @@ public class MultipartStream {
+
+ // We prepend CR/LF to the boundary to chop trailing CR/LF from
+ // body-data tokens.
+- this.boundary = new byte[boundary.length + BOUNDARY_PREFIX.length];
+ this.boundaryLength = boundary.length + BOUNDARY_PREFIX.length;
++ if (bufSize < this.boundaryLength + 1) {
++ throw new IllegalArgumentException(
++ "The buffer size specified for the MultipartStream is too small");
++ }
++ this.boundary = new byte[this.boundaryLength];
+ this.keepRegion = this.boundary.length;
++
+ System.arraycopy(BOUNDARY_PREFIX, 0, this.boundary, 0,
+ BOUNDARY_PREFIX.length);
+ System.arraycopy(boundary, 0, this.boundary, BOUNDARY_PREFIX.length,
+@@ -352,8 +352,7 @@ public class MultipartStream {
+ * @param pNotifier An object for calling the progress listener, if any.
+ *
+ *
+- * @see #MultipartStream(InputStream, byte[], int,
+- * MultipartStream.ProgressNotifier)
++ * @see #MultipartStream(InputStream, byte[], int, ProgressNotifier)
+ */
+ MultipartStream(InputStream input,
+ byte[] boundary,
+@@ -368,10 +367,8 @@ public class MultipartStream {
+ * @param boundary The token used for dividing the stream into
+ * encapsulations.
+ *
+- * @deprecated 1.2.1 Use {@link #MultipartStream(InputStream, byte[],
+- * MultipartStream.ProgressNotifier)}.
+- * @see #MultipartStream(InputStream, byte[], int,
+- * MultipartStream.ProgressNotifier)
++ * @deprecated 1.2.1 Use {@link #MultipartStream(InputStream, byte[], int,
++ * ProgressNotifier)}.
+ */
+ @Deprecated
+ public MultipartStream(InputStream input,
+diff --git a/src/test/java/org/apache/commons/fileupload/MultipartStreamTest.java b/src/test/java/org/apache/commons/fileupload/MultipartStreamTest.java
+index 7148d81..80871f4 100644
+--- a/src/test/java/org/apache/commons/fileupload/MultipartStreamTest.java
++++ b/src/test/java/org/apache/commons/fileupload/MultipartStreamTest.java
+@@ -38,7 +38,8 @@ public class MultipartStreamTest {
+ final byte[] contents = strData.getBytes();
+ InputStream input = new ByteArrayInputStream(contents);
+ byte[] boundary = BOUNDARY_TEXT.getBytes();
+- int iBufSize = boundary.length;
++ int iBufSize =
++ boundary.length + MultipartStream.BOUNDARY_PREFIX.length + 1;
+ MultipartStream ms = new MultipartStream(
+ input,
+ boundary,
+@@ -47,6 +48,21 @@ public class MultipartStreamTest {
+ assertNotNull(ms);
+ }
+
++ @Test(expected=IllegalArgumentException.class)
++ public void testSmallBuffer() throws Exception {
++ final String strData = "foobar";
++ final byte[] contents = strData.getBytes();
++ InputStream input = new ByteArrayInputStream(contents);
++ byte[] boundary = BOUNDARY_TEXT.getBytes();
++ int iBufSize = 1;
++ @SuppressWarnings("unused")
++ MultipartStream ms = new MultipartStream(
++ input,
++ boundary,
++ iBufSize,
++ new MultipartStream.ProgressNotifier(null, contents.length));
++ }
++
+ @Test
+ public void testTwoParamConstructor() throws Exception {
+ final String strData = "foobar";
diff --git a/SPECS/apache-commons-fileupload.spec b/SPECS/apache-commons-fileupload.spec
new file mode 100644
index 0000000..f76c46e
--- /dev/null
+++ b/SPECS/apache-commons-fileupload.spec
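Review bot: The new `catch (IllegalArgumentException iae)` in FileUploadBase relabels every IllegalArgumentException from the MultipartStream constructor as "boundary ... too long", and nothing at the call site ties that wording to the only IAE the constructor visibly throws (the `bufSize < this.boundaryLength + 1` guard); a comment at the catch such as `// MultipartStream rejects a boundary that does not fit its buffer with IllegalArgumentException` records the dependency so a future IAE added to that constructor is not silently misreported. The added `InvalidContentTypeException(String msg, Throwable cause)` constructor is the only one in the hunk without Javadoc; its siblings document themselves, so a `@param msg`/`@param cause` block in the same style keeps the class consistent. The bundled `testSmallBuffer` test is the regression check for the DoS guard; whether it actually runs depends on the packaging build, which is outside this hunk. The FileUploadBase method holding the catch and the MultipartStream constructor both start and end outside the inner hunks.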
@@ -0,0 +1,265 @@
+%global base_name fileupload
+%global short_name commons-%{base_name}
+
+%{?scl:%scl_package apache-%{short_name}}
+%{!?scl:%global pkg_name %{name}}
+
+# Exclude generation of osgi() style provides, since they are not
+# SCL-namespaced and may conflict with base RHEL packages.
+# See: https://bugzilla.redhat.com/show_bug.cgi?id=1045442
+%global __provides_exclude ^osgi(.*)$
+
+Name: %{?scl_prefix}apache-%{short_name}
+Version: 1.3
+Release: 12%{?dist}
+Summary: This package provides an api to work with html file upload
+License: ASL 2.0
+Group: Development/Libraries
+URL: http://commons.apache.org/%{base_name}/
+Source0: http://www.apache.org/dist/commons/%{base_name}/source/%{short_name}-%{version}-src.tar.gz
+BuildArch: noarch
+
+Patch1: CVE-2013-2186-commons-fileupload.patch
+# Backported from upstream revision 1565143
+Patch2: %{pkg_name}-CVE-2014-0050.patch
+
+BuildRequires: java-devel >= 1:1.6.0
+BuildRequires: maven-local
+BuildRequires: junit >= 0:3.8.1
+BuildRequires: servlet
+BuildRequires: apache-commons-io
+BuildRequires: maven-antrun-plugin
+BuildRequires: maven-assembly-plugin
+BuildRequires: maven-compiler-plugin
+BuildRequires: maven-doxia-sitetools
+BuildRequires: maven-install-plugin
+BuildRequires: maven-jar-plugin
+BuildRequires: maven-javadoc-plugin
+BuildRequires: maven-plugin-bundle
+BuildRequires: maven-release-plugin
+BuildRequires: maven-resources-plugin
+BuildRequires: buildnumber-maven-plugin
+%if 0%{?fedora}
+BuildRequires: portlet-2.0-api
+%endif
+
+Requires: java >= 1:1.6.0
+Requires: jpackage-utils
+Requires: apache-commons-io
+%if 0%{?fedora}
+Requires: portlet-2.0-api
+%endif
+# Make sure we depend on the scl-runtime package
+%{?scl:Requires: %scl_runtime}
+
+%description
+The javax.servlet package lacks support for rfc 1867, html file
+upload. This package provides a simple to use api for working with
+such data.
The scope of this package is to create a package of Java
+utility classes to read multipart/form-data within a
+javax.servlet.http.HttpServletRequest
+
+%package javadoc
+Summary: API documentation for %{name}
+Group: Documentation
+Requires: jpackage-utils
+
+%description javadoc
+This package contains the API documentation for %{name}.
+
+# -----------------------------------------------------------------------------
+
+%prep
+%{?scl:scl enable %{scl} - << "EOF"}
+%setup -q -n %{short_name}-%{version}-src
+%patch2 -p1
+sed -i 's/\r//' LICENSE.txt
+sed -i 's/\r//' NOTICE.txt
+
+%if 0%{?fedora}
+# fix gId
+sed -i "s|portlet-api|javax.portlet|" pom.xml
+%else
+# Non-Fedora: remove portlet stuff
+%pom_remove_dep portlet-api:portlet-api
+%pom_xpath_remove pom:properties/pom:commons.osgi.import
+%pom_xpath_remove pom:properties/pom:commons.osgi.dynamicImport
+rm -r src/main/java/org/apache/commons/fileupload/portlet
+rm src/test/java/org/apache/commons/fileupload/*Portlet*
+%endif
+pushd src/main
+%patch1 -p1
+popd
+%{?scl:EOF}
+
+%build
+%{?scl:scl enable %{scl} - << "EOF"}
+# fix build with generics support
+# tests fail to compile because they use an obsolete version of servlet API (2.4)
+%mvn_build -f
+%{?scl:EOF}
+
+%install
+%{?scl:scl enable %{scl} - << "EOF"}
+%mvn_install
+%{?scl:EOF}
+
+%files -f .mfiles
+%dir %{_javadir}/%{name}
+
+%files javadoc -f .mfiles-javadoc
+
+%changelog
+* Tue Feb 18 2014 Severin Gehwolf - 1.3-12
+- Add backported upstream patch to fix DoS vulnerability
+- Resolves: RHBZ#1064677
+
+* Mon Jan 27 2014 Severin Gehwolf 1.3-11
+- Own scl-ized apache-commons-fileupload directory in javadir.
+- Resolves: RHBZ#1057169
+
+* Mon Jan 20 2014 Severin Gehwolf 1.3-10
+- Apply patch for CVE-2013-2186.
+- Resolves: RHBZ#1055528
+
+* Fri Dec 20 2013 Severin Gehwolf 1.3-9
+- Don't generate osgi() style provides.
+- Fix bogus changelog date.
+- Resolves RHBZ#1045442
+
+* Wed Nov 27 2013 Severin Gehwolf 1.3-8
+- Properly enable SCL.
+
+* Wed Nov 06 2013 Severin Gehwolf 1.3-7
+- Source xmvn configuration prior building/installing.
+
+* Wed Nov 06 2013 Severin Gehwolf 1.3-6
+- Use xmvn.
+
+* Tue Sep 17 2013 Severin Gehwolf 1.3-5
+- Add BR buildnumber-maven-plugin.
+
+* Wed Aug 28 2013 Severin Gehwolf 1.3-4
+- SCL-ize package.
+
+* Mon Apr 29 2013 Mikolaj Izdebski - 1.3-3
+- Remove unneeded BR: maven-idea-plugin
+
+* Thu Apr 18 2013 Severin Gehwolf 1.3-2
+- Use pom macros over patch.
+- Remove surefire maven plugin since tests are skipped anyway.
+
+* Thu Mar 28 2013 Michal Srb - 1.3-1
+- Update to upstream version 1.3
+
+* Mon Mar 11 2013 Mikolaj Izdebski - 1.2.2-11
+- Disable tests (they use obsolete servlet API 2.4)
+- Resolves: rhbz#913878
+
+* Thu Feb 14 2013 Mikolaj Izdebski - 1.2.2-10
+- Add missing BR: maven-local
+
+* Wed Feb 13 2013 Fedora Release Engineering - 1.2.2-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Mon Nov 26 2012 Severin Gehwolf 1.2.2-8
+- Conditionally build portlet-2.0-api support in Fedora only
+
+* Wed Jul 18 2012 Fedora Release Engineering - 1.2.2-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Mon Jun 04 2012 Stanislav Ochotnicky - 1.2.2-6
+- Fix up patches to apply, cleanup spec old coments
+- Fix surefire plugin dependency to use new name
+
+* Tue May 29 2012 gil cattaneo 1.2.2-5
+- Add portlet-2.0-api support (required by springframework).
+
+* Fri Mar 2 2012 Stanislav Ochotnicky 1.2.2-4
+- Fix build and update to latest guidelines
+
+* Thu Jan 12 2012 Fedora Release Engineering - 1.2.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Mon Feb 07 2011 Fedora Release Engineering - 1.2.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Wed Oct 20 2010 Chris Spike 1.2.2-1
+- Updated to 1.2.2
+- Fixed License tag
+- tomcat5 -> tomcat6 BRs/Rs
+- Fixed wrong EOL encodings
+
+* Thu Jul 8 2010 Stanislav Ochotnicky - 1.2.1-4
+- Add license to javadoc subpackage
+
+* Thu May 20 2010 Stanislav Ochotnicky - 1.2.1-3
+- Added Requires on jpackage-utils for javadoc
+
+* Thu May 20 2010 Stanislav Ochotnicky - 1.2.1-2
+- Rename package (jakarta-commons-fileupload->apache-commons-fileupload)
+- Re-did whole spec file
+
+* Wed Jan 6 2010 Mary Ellen Foster - 1:1.2.1-1
+- Update to newest version; include Maven metadata
+
+* Fri Jul 24 2009 Fedora Release Engineering - 1:1.0-9.3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Wed Feb 25 2009 Fedora Release Engineering - 1:1.0-8.3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Wed Jul 9 2008 Tom "spot" Callaway - 1:1.0-7.3
+- drop repotag
+- fix license tag
+
+* Tue Feb 19 2008 Fedora Release Engineering - 1:1.0-7jpp.2
+- Autorebuild for GCC 4.3
+
+* Tue Apr 17 2007 Permaine Cheung - 1:1.0-6jpp.2
+- Update spec file as per fedora review
+
+* Thu Aug 10 2006 Deepak Bhole - 1:1.0-6jpp.1
+- Added missing requirements.
+
+* Thu Aug 10 2006 Karsten Hopp 1.0-5jpp_3fc
+- Requires(post/postun): coreutils
+
+* Sat Jul 22 2006 Jakub Jelinek - 1:1.0-5jpp_2fc
+- Rebuilt
+
+* Thu Jul 20 2006 Deepak Bhole - 1:1.0-5jpp_1fc
+- Added conditional native compilation.
+
+* Wed Apr 26 2006 Fernando Nasser - 1:1.0-4jpp
+- First JPP 1.7 build
+
+* Fri Oct 22 2004 Fernando Nasser - 1:1.0-3jpp
+- Patch to build with servletapi5
+- Add missing dependency on ant-junit
+
+* Mon Aug 23 2004 Randy Watler - 1:1.0-2jpp
+- Rebuild with ant-1.6.2
+
+* Sat Jun 28 2003 Ville Skyttä - 1:1.0-1jpp
+- Update to 1.0.
+- Add Epochs to dependencies.
+- Nuke beanutils dependency.
+- Versionless javadoc dir symlinks.
+
+* Tue Mar 25 2003 Nicolas Mailhot - 1:1.0-0.beta1.4jpp
+- for jpackage-utils 1.5
+
+* Mon Mar 10 2003 Henri Gomez - 1:1.0-0.beta1.3jpp
+- rebuild with correct ant (avoid corrupted archive)
+
+* Fri Mar 07 2003 Henri Gomez - 1:1.0-0.beta1.2jpp
+- replace servlet23 requirement by servlet4api
+
+* Wed Feb 26 2003 Ville Skyttä - 1:1.0-0.beta1.1jpp
+- Update to 1.0 beta 1 (no code changes from cvs20030115).
+- Fix requirements.
+
+* Wed Jan 15 2003 Henri Gomez 1.0-1jpp
+- 1.0 (cvs 20030115)
+- first jPackage release
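Review bot: `%mvn_build -f` skips the test run (the comment above it says the tests do not compile against the servlet API used here), so the `testSmallBuffer` regression test that Patch2 carries for the CVE-2014-0050 guard is never executed during this build; a one-line comment next to it, `# NOTE: tests are skipped, so the regression test carried in Patch2 is not run here`, makes that explicit for whoever maintains the backport. The 1.3-12 changelog entry describes the fix only as "DoS vulnerability", while the 1.3-10 entry names CVE-2013-2186; naming CVE-2014-0050 in the same way keeps the advisory traceable from the changelog. Patch1 is applied from `src/main` with `-p1` while Patch2 is applied from the source root; the differing strip contexts are correct given the `src/java/...` paths inside Patch1, but a comment beside the `pushd src/main` saying why would save the next maintainer a detour.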