Multipartfile request with no authentication is still consumed even after an AccessDeniedException is thrown #7060
As explained by @wilkinsona in this related issue: spring-projects/spring-boot#17345, a multipart file request with no authentication to a secure endpoint results in an
Multipart file request with no Authentication to a secure endpoint results in the request being parsed and consumed anyway, then the client gets a
Multipart file request with no Authentication to a secure endpoint should result in the request not being parsed or consumed, and the client gets a
Please see the attached sample. You will need to add the property
Thanks for the report @a-sayyed!
I'm not sure this can be avoided altogether. This is a common issue for multipart requests. For example, CSRF needs to process the parameters to determine if the request is valid.
So I can better understand your issue, can you please explain what specific problem this is causing you? I understand a file can be uploaded, but this doesn't seem any more of a problem than a user can make requests to the server (the difference is the file is written to disk vs just being in memory).
Thank you for the explanation @rwinch!
It isn't possible when security needs to read anything from the body (i.e. CSRF parameter, form body, etc).
While I understand this reduces the risk, it seems that if you are in trouble for a DoS attack, you still have this problem if the user is authorized to make the request (many attacks are by users with permissions).
If we modify the request to ignore saving the parameters, then a user that has the session time out while filling out a multipart form is likely to run into an issue where a page requires certain parameters and the saved request no longer has them which would result in surprising errors.
Instead, I'd suggest that we modify the configured HttpSessionRequestCache.requestMatcher to ignore multipart requests. Would you be interested in submitting a PR for it?
In the meantime, you can explicitly create and configure a