Setting a too-big Expires header value results in an uncaught exception [SPR-16560]

[spring-projects-issues]

Francisco Lozano opened SPR-16560 and commented

java.time.DateTimeException: Field Year cannot be printed as the value 292278994 exceeds the maximum print width of 4
	at java.time.format.DateTimeFormatterBuilder$NumberPrinterParser.format(DateTimeFormatterBuilder.java:2548)
	at java.time.format.DateTimeFormatterBuilder$CompositePrinterParser.format(DateTimeFormatterBuilder.java:2179)
	at java.time.format.DateTimeFormatter.formatTo(DateTimeFormatter.java:1746)
	at java.time.format.DateTimeFormatter.format(DateTimeFormatter.java:1720)
	at org.springframework.http.HttpHeaders.setDate(HttpHeaders.java:1201)
	at org.springframework.http.HttpHeaders.setExpires(HttpHeaders.java:917)
	at com.mycode.MyController.publish(MyController.java:401)

when:

responseHeaders.setExpires(new Date(Long.MAX_VALUE));

It's obviously a not very useful date, but the error is very noisy and I'm not sure it's intended. I am fixing it at the app-level, but reporting here as low-priority - just in case.

I think this did not happen in older versions of the framework (but unfortunately I couldn't identify when this changed).

---

Affects: 5.0.4

[spring-projects-issues]

Juergen Hoeller commented

This turns out to be a regression caused by our use of the JSR-310 java.time.format.DateTimeFormatter instead of the good old SimpleDateFormat: JSR-310 is simply stricter, only accepting four-digit years, while SimpleDateFormat happily renders Sun, 17 Aug 292278994 07:12:55 GMT there...

[spring-projects-issues]

Juergen Hoeller commented

I'm afraid there is not much we can do about this since ultimately such a date value is invalid and cannot be rendered in RFC-1123 format. Implicitly turning this into a maximum date in year 9999 or so seems wrong, and arguably our previous 4.x behavior where we rendered out a year number with more than four digits is also wrong. FWIW, the Expires header is only supposed to be a maximum of one year into the future (see e.g. http://freesoft.org/CIE/RFC/2068/182.htm) to begin with... and it is effectively superseded by the Cache-Control header.