HiddenHttpMethodFilter may disturb error rendering when handling malformed multipart request [SPR-15179]

[spring-issuemaster]

Andy Wilkinson opened SPR-15179 and commented

When HiddenHttpMethodFilter is involved in an error dispatch it may disturb error rendering if the error was caused by a failure when calling request.getParameter(String). In the case of the referenced Spring Boot issue, the failure is caused by a malformed multipart request.

The problem can be worked around by provided a custom filter that doesn't do anything when the javax.servlet.error.exception attribute is set:

@Bean
public OrderedHiddenHttpMethodFilter hiddenHttpMethodFilter() {
    return new OrderedHiddenHttpMethodFilter() {

        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                FilterChain filterChain) throws ServletException, IOException {
            if (request.getAttribute(WebUtils.ERROR_EXCEPTION_ATTRIBUTE) != null) {
                filterChain.doFilter(request, response);
            }
            else {
                super.doFilterInternal(request, response, filterChain);
            }
        }

    };
}

This may be a bit too extreme, but I think it would be helpful if the filter did something similar by default.

---

Affects: 4.3.5

Reference URL: spring-projects/spring-boot#7936

Issue Links:

• #19744 DispatcherServet.checkMultipart() does not consider javax.servlet.error.exception that has a MultipartException cause
• #19748 CookieLocaleResolver may disturb error rendering when locale cookie has a malformed value