We recently upgraded our Spring Boot based application from version 3.1.11 to 3.2.7.
We are using the embedded Jetty instead of the embedded Tomcat.
After the upgrade, we recognized an odd behavior when it comes to file uploads:
If the uploaded file(s) exceed the configured size limits of spring.servlet.multipart.max-file-size or spring.servlet.multipart.max-request-size, the server closes the connection instead of responding with an HTTP error response.
While this occurs always with Firefox, it only occurs sometimes with e.g. Safari or Chrome. It feels like timing is involved here.
We managed to reproduce this already with your example application gs-uploading-files. However, there it only occors with Firefox.
Steps to reproduce:
- Start
UploadingFilesApplicationof thecompleteexample. The limits are configured to 128KB by default. - Access the application with Firefox
- Upload a file of > 10 MB
- You should see a connection reset error message
Interestingly, when we only upload a file of 600 KB, we get a proper error response.
We did not manage to reproduce it at all with the examples app and Safari as a browser.
We tried different configurations and versions:
| Jetty | Tomcat | |
|---|---|---|
| SB 3.1.12 | ✅ | ❌ |
| SB 3.2.7 | ❌ | ❌ |
| SB 3.2.8 | ❌ | ❌ |
| SB 3.3.0 | ❌ | ❌ |
My environment:
OS: Mac OS 15.6 Browser: Firefox 128.0 JDK: openjdk 17.0.11 2024-04-16
Comment From: wilkinsona
Thanks for the report, but this is out of Spring Boot's control as it's up to the underlying web server (Tomcat or Jetty in this case) to apply the max request and file size and to indicate the error to the client.
We recently upgraded our Spring Boot based application from version 3.1.11 to 3.2.7. We are using the embedded Jetty instead of the embedded Tomcat.
This will have upgraded Jetty from 11 to 12. As such, changes in Jetty's behavior are to be expected as they refine things across major versions.
To be able to send a response to the client and for the client to be able to receive it, the server may need to consume the entirety of the request. Tomcat has a max swallow size property that allows you to control how much of the body it will swallow in order to be able to respond. If the request exceeds that size, it has little choice but to close the connection. Jetty may have something similar that would allow you to tune the behavior, but you should be aware that I don't think it's possible to guarantee that an HTTP error response will be sent to the client.
Comment From: daniel-kr
Thank you for the quick response. The reason why we reported the issue here was that it happens on Jetty and on Tomcat. Therefore, we did not suspect the major Jetty upgrade to be the root cause here.
Regarding max swallow size. We also thought about a protection against big file upload attacks. But the issue already appears with files of size 1.4 MB if spring.servlet.multipart.max-file-size is set to 128 KB. Is Tomcat's (or Jetty`s) max swallow size coupled to one of the mentioned Spring Boot properties?
Comment From: wilkinsona
You can use server.tomcat.max-swallow-size to configure Tomcat's max swallow size. As I said above, Jetty may have something similar. I don't know for sure though and it's really a question for the Jetty community.
Comment From: daniel-kr
We tested with server.tomcat.max-swallow-size and can confirm that this is the explanation in case of Tomcat. We haven't found a similar property for Jetty. I will ask on the jetty project. Thanks for pointing us into the right direction. 👍