Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Configure StandardServletMultipartResolver to only support multipart/form-data #26826

Closed
aaronjwhiteside opened this issue Apr 20, 2021 · 3 comments
Closed

Configure StandardServletMultipartResolver to only support multipart/form-data #26826

aaronjwhiteside opened this issue Apr 20, 2021 · 3 comments
Assignees
@jhoeller
Labels
in: web Issues in web modules (web, webmvc, webflux, websocket) type: enhancement A general enhancement
Milestone
5.3.9

Comments

@aaronjwhiteside
Copy link

aaronjwhiteside commented Apr 20, 2021
edited

It seems that StandardServletMultipartResolver wraps multipart/mixed requests with StandardMultipartHttpServletRequest which fails in Jetty due to strict conformance to the spec.

I.e. HttpServletRequest.getParts() should only be called when the content type is multipart/from-data and not just any content type that starts with multipart/

Spring Framework Version: 5.2.9

Please see jetty/jetty.project#6196 for details. (exception and original request)
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged or decided on label Apr 20, 2021
@jhoeller jhoeller self-assigned this Apr 20, 2021
@jhoeller jhoeller added in: web Issues in web modules (web, webmvc, webflux, websocket) type: bug A general bug and removed status: waiting-for-triage An issue we've not yet triaged or decided on labels Apr 20, 2021
@jhoeller jhoeller added this to the 5.3.7 milestone Apr 20, 2021
@jhoeller
Copy link
Contributor

How do you intend to handle you multipart/mixed requests, actually? It looks like you'd prefer Spring's multipart resolution to ignore them but then you might go on to process them in a custom way?

@jhoeller
Copy link
Contributor

jhoeller commented Apr 30, 2021
edited

It seems generally sensible to delegate to the container to find out about actual multipart support. If Tomcat accepts other multipart content types as well, we should arguably let it happen that way. The problem seems rather that we're eagerly calling HttpServletRequest.getParts() in the initial request processing phase; if we only triggered this in case of actual MultipartRequest API interaction from the application's side, we wouldn't expose the application to it unnecessarily.

You can get such lenient handling already by defining your own StandardServletMultipartResolver bean and setting the resolveLazily property to true. Maybe we need to make this more obvious or even reconsider the default there.

That said, it would help a lot to understand your specific scenario. I wonder what's commonly expected for such non-form multipart request types: rejecting them upfront if not supported, or rather letting the application deal with it in a custom way?

@jhoeller jhoeller modified the milestones: 5.3.7, 5.3.8 May 10, 2021
@jhoeller jhoeller modified the milestones: 5.3.8, 5.3.9 Jun 8, 2021
@jhoeller jhoeller mentioned this issue Jul 12, 2021
Closed
jhoeller added a commit that referenced this issue Jul 12, 2021
@jhoeller
Restrict fallback multipart binding to POST requests with multipart/f…
ed27ea7 
…orm-data

Closes gh-26999
See gh-26826
@jhoeller jhoeller changed the title StandardServletMultipartResolver should only support multipart/form-data Configure StandardServletMultipartResolver to only support multipart/form-data Jul 12, 2021
@jhoeller jhoeller added type: enhancement A general enhancement and removed type: bug A general bug labels Jul 12, 2021
@jhoeller
Copy link
Contributor

I've introduced a strictServletCompliance flag on StandardServletMultipartResolver, narrowing the applicability of Spring's MultipartHttpServletRequest to form data only. Multipart request with content types other than "multipart/form-data" then enter the application without Spring's request wrapper, leaving it up to the application to process it (or to reject it in a custom way).

@jhoeller jhoeller mentioned this issue Jul 12, 2021
Closed
@sync-by-unito sync-by-unito bot mentioned this issue Jul 14, 2021
Merged
Zoran0104 pushed a commit to Zoran0104/spring-framework that referenced this issue Aug 20, 2021
@jhoeller @Zoran0104
Restrict fallback multipart binding to POST requests with multipart/f…
5c51817 
…orm-data

Closes spring-projectsgh-26999
See spring-projectsgh-26826
Zoran0104 pushed a commit to Zoran0104/spring-framework that referenced this issue Aug 20, 2021
@jhoeller @Zoran0104
StandardServletMultipartResolver provides strict Servlet compliance o…
9d7a0f1 
…ption

Closes spring-projectsgh-26826
lxbzmy pushed a commit to lxbzmy/spring-framework that referenced this issue Mar 26, 2022
@jhoeller @lxbzmy
Restrict fallback multipart binding to POST requests with multipart/f…
a0cd66a 
…orm-data

Closes spring-projectsgh-26999
See spring-projectsgh-26826
lxbzmy pushed a commit to lxbzmy/spring-framework that referenced this issue Mar 26, 2022
@jhoeller @lxbzmy
StandardServletMultipartResolver provides strict Servlet compliance o…
84daa2d 
…ption

Closes spring-projectsgh-26826
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jhoeller jhoeller

Labels
in: web Issues in web modules (web, webmvc, webflux, websocket) type: enhancement A general enhancement
Projects
None yet
Milestone
5.3.9
Development

No branches or pull requests
3 participants
@aaronjwhiteside @jhoeller @spring-projects-issues