Multipart Upload with Commons Fileupload on lazy mode downloads data on cleanup [SPR-16640]

[spring-projects-issues]

Steven Peh opened SPR-16640 and commented

Using Spring Boot v2.0.0
Apache Commons FileUpload v1.3.3

When set to resolveLazily, Spring boot will not parse the multipart request and download to local temp folder until needed. This works as expected, however if the app subsequently cancels the intent to accept the upload request, i.e. after applying authorization checks and the connection request is not authorized, during the clean up phase, Spring Boot actually initializes the multi-part to download the data so that it can cleanup.

Here's the chain of execution, all within spring boot code base:

CommonsMultipartResolver .cleanupMultipart() {
...cleanupFileItems(request.getMultiFileMap())
-> AbstractMultipartHttpServletRequest.getMultipartFiles() {
if (this.multipartFiles == null) { <-- this will be true when resolveLazily is set
initializeMultipart(); <-- here's the culprit
...
The initializeMultipart will invoke parseRequest(..) to download the multipart upload data on cleanup which doesn't make sense when we have set resolveLazily and we have rejected/cancel the request for various reasons (access control being one of them).

Its also a cyber security issue here as unauthorized requests can upload arbitrary data, though only temporarily it can still be a very large file that use up storage, to the server.

---

Affects: 4.3.14, 5.0.4

Issue Links:

• Support MultipartFile-array property [SPR-2784] #7471 Support MultipartFile-array property

Referenced from: commits 10cb2cc, c1cb031

Backported to: 4.3.15

[spring-projects-issues]

Juergen Hoeller commented

We explicitly check whether the multipart request has been resolved at all now, in CommonsMultipartResolver as well as StandardServletMultipartResolver, before trying to perform a cleanup.