
spring.webflux.multipart.max-disk-usage-per-part behaves incorrectly for values where the number of bytes overflows an int #38146

Closed
koscejev opened this issue Oct 31, 2023 · 3 comments
Labels: type: bug A general bug

Comments

@koscejev

When spring.webflux.multipart.max-disk-usage-per-part is set to a value that translates to more than MAX_INT bytes (e.g., 3000MB), it causes a misconfiguration, and consequently much smaller files/parts are denied with HTTP code 413.

The root cause is this code in ReactiveMultipartAutoConfiguration:

```java
map.from(multipartProperties::getMaxDiskUsagePerPart)
  .asInt(DataSize::toBytes)
  .to(defaultPartHttpMessageReader::setMaxDiskUsagePerPart);
```

The fix should simply be using .as(DataSize::toBytes) instead, since setMaxDiskUsagePerPart accepts a parameter of type long and there's no need for conversion to int.
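To make the overflow concrete, here is an added example (not Spring Boot's own code, and not from the issue author) that models the two PropertyMapper chains above with plain java.util.function types so it compiles without Spring on the classpath. 3000MB is 3000 * 1024 * 1024 = 3,145,728,000 bytes, which is above Integer.MAX_VALUE (2,147,483,647), so narrowing that long to an int wraps it to a negative number before it reaches the long-typed setter; passing the long through unchanged keeps the configured limit. The PartReader class and its accepts() check are hypothetical stand-ins for DefaultPartHttpMessageReader and its limit enforcement, reduced to "a part is rejected when it exceeds the configured limit".

```java
import java.util.function.Consumer;
import java.util.function.Function;

/**
 * Added example, not Spring Boot code. Shows why narrowing the
 * max-disk-usage-per-part byte count to int breaks the limit for
 * values above Integer.MAX_VALUE, and why passing the long through fixes it.
 */
public class MaxDiskUsageOverflow {

    /** Stand-in for DataSize.parse("3000MB").toBytes(): 3000 * 1024 * 1024 bytes. */
    static final long THREE_THOUSAND_MB = 3000L * 1024 * 1024;

    /**
     * Hypothetical stand-in for DefaultPartHttpMessageReader: the real setter
     * also takes a long. accepts() is a simplified model of the limit check,
     * not the reader's actual implementation.
     */
    static final class PartReader {
        private long maxDiskUsagePerPart;

        void setMaxDiskUsagePerPart(long limit) {
            this.maxDiskUsagePerPart = limit;
        }

        long getMaxDiskUsagePerPart() {
            return maxDiskUsagePerPart;
        }

        /** Simplified check: a part whose size exceeds the limit is rejected (HTTP 413). */
        boolean accepts(long partBytes) {
            return partBytes <= maxDiskUsagePerPart;
        }
    }

    /**
     * Models the buggy chain: the long byte count is narrowed to int
     * (the effect of .asInt) and only then handed to the long setter.
     */
    static void configureWithAsInt(long bytes, Consumer<Long> setter) {
        Function<Long, Integer> narrowToInt = Number::intValue;
        int narrowed = narrowToInt.apply(bytes); // wraps for values > Integer.MAX_VALUE
        setter.accept((long) narrowed);          // widened back to long, sign and all
    }

    /** Models the fixed chain: .as(DataSize::toBytes) passes the long through unchanged. */
    static void configureWithAs(long bytes, Consumer<Long> setter) {
        setter.accept(bytes);
    }

    public static void main(String[] args) {
        PartReader buggy = new PartReader();
        configureWithAsInt(THREE_THOUSAND_MB, buggy::setMaxDiskUsagePerPart);

        PartReader fixed = new PartReader();
        configureWithAs(THREE_THOUSAND_MB, fixed::setMaxDiskUsagePerPart);

        long smallPart = 10L * 1024 * 1024; // constructed 10 MB upload, far under 3000MB

        System.out.println("configured bytes : " + THREE_THOUSAND_MB);
        System.out.println("Integer.MAX_VALUE: " + Integer.MAX_VALUE);
        System.out.println("buggy limit      : " + buggy.getMaxDiskUsagePerPart());
        System.out.println("fixed limit      : " + fixed.getMaxDiskUsagePerPart());
        System.out.println("10 MB part, buggy: " + (buggy.accepts(smallPart) ? "accepted" : "rejected (413)"));
        System.out.println("10 MB part, fixed: " + (fixed.accepts(smallPart) ? "accepted" : "rejected (413)"));
    }
}
```

Run it with `javac MaxDiskUsageOverflow.java && java MaxDiskUsageOverflow`. The buggy path ends up with a negative limit, so even a small part fails the size check, which is the behaviour the issue reports; the same wrap-around applies to any configured value whose byte count exceeds Integer.MAX_VALUE, not just 3000MB. The practical check when reviewing a PropertyMapper chain is to match the adapter to the setter's parameter type: a long-typed setter should get `.as(...)`, never `.asInt(...)`.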

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Oct 31, 2023
@koscejev (Author)

Sorry, I wanted to submit a PR with the fix (and an updated test), but I'm having trouble building the project.

@wilkinsona wilkinsona added type: bug A general bug and removed status: waiting-for-triage An issue we've not yet triaged labels Oct 31, 2023
@wilkinsona wilkinsona added this to the 2.7.x milestone Oct 31, 2023
@wilkinsona wilkinsona self-assigned this Oct 31, 2023
@wilkinsona wilkinsona changed the title spring.webflux.multipart.max-disk-usage-per-part=3000MB is mishandled in ReactiveMultipartAutoConfiguration spring.webflux.multipart.max-disk-usage-per-part behaves incorrectly for values where the number of bytes overflows an int Oct 31, 2023
@wilkinsona wilkinsona modified the milestones: 2.7.x, 2.7.18 Oct 31, 2023
@Gby56 commented Nov 27, 2023

Is this fix related to CVE-2023-34055? There are few technical information links in the advisory.

@wilkinsona (Member)

No, this fix is completely unrelated to CVE-2023-34055.
