
Multipart file upload using spring boot with tomcat version 9.0.31 is failing

Multipart file upload in a Spring Boot application is not working with Tomcat version 9.0.31, but this functionality works fine with the older version 9.0.30. However, there is a vulnerability in that version, so we are forced to upgrade. See the error given below.

 "timestamp": "2020-03-09T08:01:56.169+0000",
"status": 500,
"error": "Internal Server Error",
"message": "Failed to parse multipart servlet request; nested exception is java.io.IOException: org.apache.tomcat.util.http.fileupload.impl.IOFileUploadException: Processing of multipart/form-data request failed. Stream ended unexpectedly",

Error log is given below

nested exception is org.springframework.web.multipart.MultipartException: Failed to parse multipart servlet request; nested exception is java.io.IOException: org.apache.tomcat.util.http.fileupload.impl.IOFileUploadException: Processing of multipart/form-data request failed. Stream ended unexpectedly] with root cause
org.apache.tomcat.util.http.fileupload.MultipartStream$MalformedStreamException: Stream ended unexpectedly

Please help to resolve this.

I think the bug has been fixed with the latest Tomcat version, 9.0.33.

The multipart file upload functionality, which was not working in version 9.0.31, has also been fixed with the upgrade. Also, I tried checking whether there are any vulnerabilities using the OWASP dependency checker and found that there are no vulnerabilities in this version.

Just upgrade your dependency to the version below:

<!-- https://mvnrepository.com/artifact/org.apache.tomcat.embed/tomcat-embed-core -->
<dependency>
    <groupId>org.apache.tomcat.embed</groupId>
    <artifactId>tomcat-embed-core</artifactId>
    <version>9.0.33</version>
</dependency>

This is a bug in Tomcat 9.0.31. There's already an entry in Apache's Bugzilla: https://bz.apache.org/bugzilla/show_bug.cgi?id=64195 .

According to the bug report, to prevent this issue you can either:

- use Http11Nio2Protocol instead of Http11NioProtocol
- use Tomcat 9.0.30, where this doesn't happen (but has the critical Ghostcat vulnerability in Tomcat's AJP protocol)

The issue will be fixed in 9.0.32 (which is not released yet).

Note: When using HTTP instead of HTTPS, the problem also does not appear.
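The connector workaround from the answer above, written as a Spring Boot customizer. This is an added example, not code from the original answers or from the Tomcat or Spring projects. The class name `TomcatConnectorWorkaround` is hypothetical, and the version prefixes assume `ServerInfo.getServerNumber()` returns a string of the form `9.0.31.0`.

```java
import org.apache.catalina.connector.Connector;
import org.apache.catalina.util.ServerInfo;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

// Hypothetical configuration class (added example).
@Configuration
public class TomcatConnectorWorkaround {

    private static final String NIO2 = "org.apache.coyote.http11.Http11Nio2Protocol";

    @Bean
    public WebServerFactoryCustomizer<TomcatServletWebServerFactory> connectorWorkaround() {
        return factory -> {
            // Assumption: the embedded Tomcat reports its version as "9.0.31.0".
            String version = ServerInfo.getServerNumber();

            // Swap NIO for NIO2 only on the release named in the bug report,
            // so the workaround disappears once the dependency is upgraded.
            if (version.startsWith("9.0.31.")) {
                factory.setProtocol(NIO2);
            }

            // If the build is pinned back to 9.0.30 to avoid the upload bug,
            // refuse to start with an AJP connector, since that release has
            // the Ghostcat vulnerability in the AJP protocol.
            // Caveat: this only sees connectors registered before this
            // customizer runs.
            if (version.startsWith("9.0.30.")) {
                for (Connector c : factory.getAdditionalTomcatConnectors()) {
                    if (c.getProtocolHandlerClassName().contains(".ajp.")) {
                        throw new IllegalStateException(
                            "AJP connector configured on Tomcat " + version
                            + "; remove it or upgrade Tomcat");
                    }
                }
            }
        };
    }
}
```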

Another possible solution is to check the user with which the Tomcat server is running.

In my case, it was not running with the root user. If that's the case, just restart the Tomcat server with the root user and the problem will be solved.
