Github user alopresto commented on a diff in the pull request: https://github.com/apache/nifi/pull/2991#discussion_r218868215 --- Diff: nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/HandleHttpRequest.java --- 
@@ -521,161 +553,221 @@ public void onTrigger(final ProcessContext context, final ProcessSession session
 final long start = System.nanoTime();
 final HttpServletRequest request = container.getRequest();
- FlowFile flowFile = session.create();
- try (OutputStream flowFileOut = session.write(flowFile)) {
- StreamUtils.copy(request.getInputStream(), flowFileOut);
- } catch (final IOException e) {
- // There may be many reasons which can produce an IOException on the HTTP stream and in some of them, eg.
- // bad requests, the connection to the client is not closed. In order to address also these cases, we try
- // and answer with a BAD_REQUEST, which lets the client know that the request has not been correctly
- // processed and makes it aware that the connection can be closed.
- getLogger().error("Failed to receive content from HTTP Request from {} due to {}",
- new Object[]{request.getRemoteAddr(), e});
- session.remove(flowFile);
- try {
- HttpServletResponse response = container.getResponse();
- response.sendError(Status.BAD_REQUEST.getStatusCode());
- response.flushBuffer();
- container.getContext().complete();
- } catch (final IOException ioe) {
- getLogger().warn("Failed to send HTTP response to {} due to {}",
- new Object[]{request.getRemoteAddr(), ioe});
+ if (!Strings.isNullOrEmpty(request.getContentType()) && request.getContentType().contains(MIME_TYPE__MULTIPART_FORM_DATA)) {
+ final long maxRequestSize = context.getProperty(MAX_REQUEST_SIZE).asLong();
+ request.setAttribute(Request.__MULTIPART_CONFIG_ELEMENT, new MultipartConfigElement("/tmp", maxRequestSize, maxRequestSize, 0));
--- End diff --
This also opens up a lot of security concerns. We need to be very careful about how we handle, sanitize, trust, store, and display this data.
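Review bot: The multipart location is hard-coded as `"/tmp"` in the added `MultipartConfigElement` call, which ties any request parts the container spools to disk to a shared, Unix-only directory. Take the location from configuration instead, for example `new MultipartConfigElement(System.getProperty("java.io.tmpdir"), maxRequestSize, maxRequestSize, 0)`, or preferably a dedicated directory that only the NiFi service account can read and write. The last argument is the file-size threshold, and how a value of `0` is treated (spool every part, or buffer in memory up to `maxRequestSize`) differs between containers, so a short comment stating the intended behaviour would help. The `contains(MIME_TYPE__MULTIPART_FORM_DATA)` check on the first added line is case-sensitive although media type names are not; comparing against `request.getContentType().toLowerCase(Locale.ROOT)` would be more robust. The `if` block and `onTrigger` continue beyond the quoted hunk, so cleanup of stored parts may already be handled there.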
Some good starting places for reading: * https://www.owasp.org/index.php/Deserialization_of_untrusted_data * https://www.owasp.org/index.php/Unrestricted_File_Upload * https://www.owasp.org/index.php/Insecure_Temporary_File * https://www.owasp.org/index.php/Protect_FileUpload_Against_Malicious_File
---