Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Setting a too-big Expires header value results in an uncaught exception [SPR-16560] #21103

Closed
spring-projects-issues opened this issue Mar 6, 2018 · 2 comments
Assignees
Labels
in: web status: declined

Comments

@spring-projects-issues
Copy link
Collaborator

@spring-projects-issues spring-projects-issues commented Mar 6, 2018

Francisco Lozano opened SPR-16560 and commented

java.time.DateTimeException: Field Year cannot be printed as the value 292278994 exceeds the maximum print width of 4
	at java.time.format.DateTimeFormatterBuilder$NumberPrinterParser.format(DateTimeFormatterBuilder.java:2548)
	at java.time.format.DateTimeFormatterBuilder$CompositePrinterParser.format(DateTimeFormatterBuilder.java:2179)
	at java.time.format.DateTimeFormatter.formatTo(DateTimeFormatter.java:1746)
	at java.time.format.DateTimeFormatter.format(DateTimeFormatter.java:1720)
	at org.springframework.http.HttpHeaders.setDate(HttpHeaders.java:1201)
	at org.springframework.http.HttpHeaders.setExpires(HttpHeaders.java:917)
	at com.mycode.MyController.publish(MyController.java:401)

when:

responseHeaders.setExpires(new Date(Long.MAX_VALUE));

It's obviously a not very useful date, but the error is very noisy and I'm not sure it's intended. I am fixing it at the app-level, but reporting here as low-priority - just in case.

I think this did not happen in older versions of the framework (but unfortunately I couldn't identify when this changed).


Affects: 5.0.4

@spring-projects-issues
Copy link
Collaborator Author

@spring-projects-issues spring-projects-issues commented Mar 6, 2018

Juergen Hoeller commented

This turns out to be a regression caused by our use of the JSR-310 java.time.format.DateTimeFormatter instead of the good old SimpleDateFormat: JSR-310 is simply stricter, only accepting four-digit years, while SimpleDateFormat happily renders Sun, 17 Aug 292278994 07:12:55 GMT there...

@spring-projects-issues
Copy link
Collaborator Author

@spring-projects-issues spring-projects-issues commented Mar 6, 2018

Juergen Hoeller commented

I'm afraid there is not much we can do about this since ultimately such a date value is invalid and cannot be rendered in RFC-1123 format. Implicitly turning this into a maximum date in year 9999 or so seems wrong, and arguably our previous 4.x behavior where we rendered out a year number with more than four digits is also wrong. FWIW, the Expires header is only supposed to be a maximum of one year into the future (see e.g. http://freesoft.org/CIE/RFC/2068/182.htm) to begin with... and it is effectively superseded by the Cache-Control header.

@spring-projects-issues spring-projects-issues added status: declined type: regression in: web labels Jan 11, 2019
@spring-projects-issues spring-projects-issues removed the type: regression label Jan 12, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
in: web status: declined
Projects
None yet
Development

No branches or pull requests

2 participants