Comments (4)
Thanks for the report, but this is out of Spring Boot's control as it's up to the underlying web server (Tomcat or Jetty in this case) to apply the max request and file size and to indicate the error to the client.
> We recently upgraded our Spring Boot based application from version 3.1.11 to 3.2.7.
> We are using the embedded Jetty instead of the embedded Tomcat.
This will have upgraded Jetty from 11 to 12. As such, changes in Jetty's behavior are to be expected as they refine things across major versions.
To be able to send a response to the client and for the client to be able to receive it, the server may need to consume the entirety of the request. Tomcat has a max swallow size property that allows you to control how much of the body it will swallow in order to be able to respond. If the request exceeds that size, it has little choice but to close the connection. Jetty may have something similar that would allow you to tune the behavior, but you should be aware that I don't think it's possible to guarantee that an HTTP error response will be sent to the client.
from spring-boot.
Thank you for the quick response. The reason why we reported the issue here was that it happens on Jetty and on Tomcat. Therefore, we did not suspect the major Jetty upgrade to be the root cause here.
Regarding max swallow size. We also thought about a protection against big file upload attacks. But the issue already appears with files of size 1.4 MB if spring.servlet.multipart.max-file-size is set to 128 KB. Is Tomcat's (or Jetty's) max swallow size coupled to one of the mentioned Spring Boot properties?
from spring-boot.
You can use server.tomcat.max-swallow-size to configure Tomcat's max swallow size. As I said above, Jetty may have something similar. I don't know for sure though and it's really a question for the Jetty community.
from spring-boot.
We tested with server.tomcat.max-swallow-size and can confirm that this is the explanation in case of Tomcat. We haven't found a similar property for Jetty. I will ask on the Jetty project. Thanks for pointing us in the right direction. 👍
from spring-boot.
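
How the properties named in this thread sit together in `application.properties`, as an added example that is not from the thread's participants or the Spring Boot project. The values are constructed for illustration, and no Jetty setting is shown because the thread did not identify one.

```properties
# Constructed values for illustration; size them for your own workload.

# Spring's multipart limits: the largest single file and the largest
# whole multipart request the application will accept.
spring.servlet.multipart.max-file-size=128KB
spring.servlet.multipart.max-request-size=128KB

# Tomcat only: how many bytes of an aborted (over-limit) upload Tomcat will
# still read so that it can send a response on the same connection.
# If the remaining body exceeds this, Tomcat closes the connection instead.
# A negative value removes the limit, which means rejected uploads of any
# size are read in full; keep it bounded where upload flooding is a concern.
server.tomcat.max-swallow-size=8MB
```

The swallow size is set independently of the multipart limits, so the client only reliably sees the error response for rejected uploads that fit within it.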