-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Mark,
On 3/30/20 16:51, Mark Thomas wrote:
> On 30/03/2020 21:45, Christopher Schultz wrote:
>> All,
>>
>> In my application under Tomcat 8.5.51, I have configured a
>> servlet to allow multipart/form-data submissions and I have added
>> this configuration as a part of the <servlet> config:
>>
>> <multipart-config> <max-file-size>1048576</max-file-size><!--
>> 1MiB --> <max-request-size>1049600</max-request-size><!-- 1 MiB +
>> 1 kiB --> </multipart-config>
>>
>> Without the <multipart-config> section, the upload does not work
>> at all, so I know I have added this in the right place.
>>
>> But I am able to upload files larger than 1MiB, and the data is
>> being given to the servlet. I was expecting an error to be sent
>> to the client (unlikely) or the data to be suppressed from the
>> servlet, or some kind of indication to the servlet code that the
>> upload was too big.
>>
>> The file I'm uploading as a test is 13658819 bytes, which is
>> greater than both 1048576 and 1049600.
>>
>> What am I missing, here?
>
> Are you reading the request body directly? That will bypass the
> size checks.
>
> If that doesn't explain it, I'd fire up a remote debugger, debug
> through an upload and see why the size checks are skipped.
I finally had an opportunity to debug this.
First of all, part of the problem was that Struts was intercepting the
call which made debugging a little confusing. Tomcat was parsing the
request, but it looked like Struts was *also* trying to parse it,
which ended up with a deeper tree of wrapped request objects than
necessary.
Once I got Struts out of the way, I was able to determine that every
multipart part was being written to the disk, temporarily, even the
one-byte request parameters and stuff like that. Yuck, and oops.
That was happening because I had set no <file-size-threshold> and so
it defaulted to 0 bytes.
Setting a <file-size-threshold> to something reasonable (I chose 1024
bytes) ended up immediately having Tomcat reject my known-too-large
requests with HTTP 413 "Payload Too Large".
So this is good: Tomcat is indeed complaining about the size of the
request. However, it didn't do it until I set a non-zero
<file-size-threshold>. This is my current configuration in web.xml:
<multipart-config>
<max-file-size>1048576</max-file-size><!-- 1MiB -->
<max-request-size>1049600</max-request-size><!-- 1 MiB + 1 kiB -->
<file-size-threshold>1024</file-size-threshold><!-- 1KiB -->
</multipart-config>
With the <file-size-threshold> removed, Tomcat will happily process a
30MiB file upload, which I didn't expect.
I'm going to try to recreate this with a trivial web-app and file a
bug, because I don't think this is how it's expected to behave.
- -chris
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl6m+nkACgkQHPApP6U8
pFhjPw//Xo1veUY5zkczUQ01MjoTbR8awZxzTFHDZlWGFyJUVJutRMz+QbYxUkPO
sPovYR2uG3uygLv37cLXOSyQ5NxImmxWaKMhe+Vcjd779Tg1+f7AqknBrbUWMbRo
IkUsVUQemRsNg0ZDdyva+jyQUcB3hirFMy4JLwKbjSvSYLWtgCH+siql3tyOsDQx
noaTypqBK42C7i/nq1sBDT0vsyV+iHLJyP6bHKOWKt+dH+EmOPTg0mqlsHV3Hvsd
J9DTdqZU4fKh3Zxs+WA9mIJlcK5cPFvLEjP73WwnpGegGz8TDoF/bAz0zc3V/ibK
XEFFaO1i8cyohNd9dZtWLKa+6fQvIXpR/I7/TUoMSct6SM21JPBXBEfMVpyZ2EW8
fDOO4PO3IYB1tYUxwo6ovpx8kLfOMRQ3VgR71mvPirdVlsINakV6aAvN8uitCwDt
zF5zYl6Ef8+WpSKv7Y6ZS7K7xY3QCQMRf8fU5WDeooKp2+bKwtBMHLPsYRu035+E
0oTuNExN4qi+rv4VagOSwa685s51EIFlt26lC/5Jtsy7L30DqQkHLVeMKbLgz+pa
VFwnAwRm/uGbb7b9aLTNsl+bkjjmYGh9E9uC7wRdYIyejFwJPqpd3h0ByoR73ZeC
JVtqoZsGVY7cUSGQNJ4DoHSqEHlG5jt8oLvoLhZJ3ulP5AQ5bNU=
=uAP7
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
