Posted to issues@cxf.apache.org by "Sam Meder (Created) (JIRA)" <ji...@apache.org> on 2011/10/25 04:52:32 UTC

[jira] [Created] (CXF-3879) Add the ability to enforce a maximum attachment size

Add the ability to enforce a maximum attachment size
----------------------------------------------------

                 Key: CXF-3879
                 URL: https://issues.apache.org/jira/browse/CXF-3879
             Project: CXF
          Issue Type: Improvement
          Components: JAX-RS
    Affects Versions: 2.4.3, 2.3.7, 2.2.12
            Reporter: Sam Meder


Safe handling of multipart-* HTTP requests requires the ability to cap the size of the uploaded attachments before they get cached. CXF does not currently provide an option for this (other frameworks such as the commons fileupload and the 3.0 servlet spec do provide this). I've attached a quick patch that allows one to set an option for enforcing a size limit while doing the attachment parsing (similar to the threshold and temp dir options). The biggest question imo is how to best bubble up an appropriate error. I chose to subclass IOException and then later on transform it into a 413 (request size too large) HTTP response, but would welcome input on other approaches.

I will attach a patch against CXF 2.2, but believe that it should also apply to newer versions.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
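
The approach described in the message above (count bytes while the attachment is being read, signal the overflow with an IOException subclass, translate it to a 413 at the HTTP layer) is shown here with plain JDK classes. This is an added example, not the attached patch or CXF code; `SizeLimitedInputStream`, `AttachmentTooLargeException`, `cacheAttachment` and `handleUpload` are hypothetical names, and the 500 for other I/O errors is a choice made for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;

public class AttachmentLimitDemo {

    /** Hypothetical IOException subclass, so stream-level code needs no HTTP types. */
    static class AttachmentTooLargeException extends IOException {
        AttachmentTooLargeException(long limit) {
            super("attachment exceeds limit of " + limit + " bytes");
        }
    }

    /** Counts bytes as they are consumed and fails as soon as the cap is crossed. */
    static class SizeLimitedInputStream extends FilterInputStream {
        private final long maxBytes;
        private long seen;

        SizeLimitedInputStream(InputStream in, long maxBytes) {
            super(in);
            this.maxBytes = maxBytes;
        }

        private void count(long n) throws IOException {
            if (n > 0) {
                seen += n;
                if (seen > maxBytes) {
                    throw new AttachmentTooLargeException(maxBytes);
                }
            }
        }

        @Override
        public int read() throws IOException {
            int b = super.read();
            if (b >= 0) {
                count(1);
            }
            return b;
        }

        // read(byte[]) in FilterInputStream delegates here, so it is covered too.
        @Override
        public int read(byte[] buf, int off, int len) throws IOException {
            int n = super.read(buf, off, len);
            count(n);
            return n;
        }

        // Skipped bytes still came from the client, so they count against the cap.
        @Override
        public long skip(long n) throws IOException {
            long skipped = super.skip(n);
            count(skipped);
            return skipped;
        }
    }

    /** Stand-in for the caching step: copies one part into memory in small chunks. */
    static byte[] cacheAttachment(InputStream part, long maxBytes) throws IOException {
        ByteArrayOutputStream cache = new ByteArrayOutputStream();
        try (InputStream in = new SizeLimitedInputStream(part, maxBytes)) {
            byte[] buf = new byte[1024];
            int n;
            // The limit check runs inside read(), before the chunk is written,
            // so the cache never holds more than maxBytes.
            while ((n = in.read(buf)) != -1) {
                cache.write(buf, 0, n);
            }
        }
        return cache.toByteArray();
    }

    /** HTTP-facing layer: the only place that knows about status codes. */
    static int handleUpload(InputStream part, long maxBytes) {
        try {
            cacheAttachment(part, maxBytes);
            return 200;
        } catch (AttachmentTooLargeException e) {
            return 413; // request entity too large
        } catch (IOException e) {
            return 500; // any other I/O failure (choice made for this example)
        }
    }

    public static void main(String[] args) {
        // Constructed sample payloads: one under the cap, one over it.
        byte[] small = new byte[4 * 1024];
        byte[] large = new byte[64 * 1024];
        long limit = 16 * 1024;
        System.out.println("4 KiB upload  -> "
            + handleUpload(new ByteArrayInputStream(small), limit));
        System.out.println("64 KiB upload -> "
            + handleUpload(new ByteArrayInputStream(large), limit));
    }
}
```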

        

[jira] [Closed] (CXF-3879) Add the ability to enforce a maximum attachment size

Posted by "Freeman Fang (Closed) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CXF-3879?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Freeman Fang closed CXF-3879.
-----------------------------

    

        

[jira] [Updated] (CXF-3879) Add the ability to enforce a maximum attachment size

Posted by "Sam Meder (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CXF-3879?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sam Meder updated CXF-3879:
---------------------------

    Attachment: attachment-size-limit.patch

Enforce an optional attachment size limit - Patch against 2.2
                

        

[jira] [Resolved] (CXF-3879) Add the ability to enforce a maximum attachment size

Posted by "Daniel Kulp (Resolved) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CXF-3879?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Kulp resolved CXF-3879.
------------------------------

       Resolution: Fixed
    Fix Version/s: 2.4.4
                   2.3.8


Patch applied.  Major thanks!

                

        

[jira] [Commented] (CXF-3879) Add the ability to enforce a maximum attachment size

Posted by "Sam Meder (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-3879?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13135267#comment-13135267 ] 

Sam Meder commented on CXF-3879:
--------------------------------

By the way, are there existing tests for any of the code I touched? Quick look didn't turn up any, so any pointers would be welcome.
                

        

[jira] [Updated] (CXF-3879) Add the ability to enforce a maximum attachment size

Posted by "Sam Meder (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CXF-3879?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sam Meder updated CXF-3879:
---------------------------

    Attachment:     (was: attachment-size-limit.patch)
    

        

[jira] [Commented] (CXF-3879) Add the ability to enforce a maximum attachment size

Posted by "Sergey Beryozkin (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-3879?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13135303#comment-13135303 ] 

Sergey Beryozkin commented on CXF-3879:
---------------------------------------

"This patch adds a dependency on javax.ws.rs.WebApplicationException into the core which wouldn't be allowed. It would have to throw the IOException that the JAX-RS runtime would need to map appropriately."

Yep...
                

        

[jira] [Commented] (CXF-3879) Add the ability to enforce a maximum attachment size

Posted by "Sam Meder (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-3879?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13135309#comment-13135309 ] 

Sam Meder commented on CXF-3879:
--------------------------------

I'll add an updated patch later today. Thanks for the feedback.
                

        

[jira] [Commented] (CXF-3879) Add the ability to enforce a maximum attachment size

Posted by "Sergey Beryozkin (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-3879?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13135302#comment-13135302 ] 

Sergey Beryozkin commented on CXF-3879:
---------------------------------------

For JAXRS these classes are tested indirectly in systest/jaxrs/JAXRSMultipartProvider test, for JAXWS - in MTOM related tests in systest/jaxws.

The patch looks good - can you please recreate it against the trunk?
And move throwing WebApplicationException to org.apache.cxf.jaxrs.provider.MultipartProvider.readFrom,

try {
    List<Attachment> infos =
        AttachmentUtils.getAttachments(mc, attachmentDir, attachmentThreshold);
} catch (CacheSizeExceededException ex) {
    throw new WebApplicationException(413);
}

as in SOAP case it will have to be 500...

Unfortunately I won't have time today to recreate the patch against the trunk - so if you can do it shortly then I might be able to apply it later this evening, or maybe Dan can do it later if he is OK with the changes, thanks
                

        

[jira] [Updated] (CXF-3879) Add the ability to enforce a maximum attachment size

Posted by "Sam Meder (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CXF-3879?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sam Meder updated CXF-3879:
---------------------------

    Attachment:     (was: attachment-size-limit.patch)
    

        

[jira] [Commented] (CXF-3879) Add the ability to enforce a maximum attachment size

Posted by "Daniel Kulp (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-3879?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13135299#comment-13135299 ] 

Daniel Kulp commented on CXF-3879:
----------------------------------


This patch adds a dependency on javax.ws.rs.WebApplicationException into the core which wouldn't be allowed. It would have to throw the IOException that the JAX-RS runtime would need to map appropriately.

                

        

[jira] [Updated] (CXF-3879) Add the ability to enforce a maximum attachment size

Posted by "Sam Meder (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CXF-3879?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sam Meder updated CXF-3879:
---------------------------

    Attachment: attachment-size-limit.patch

Latest version moves the exception handling as suggested and adds a test for the new behavior.
                

        

[jira] [Updated] (CXF-3879) Add the ability to enforce a maximum attachment size

Posted by "Sam Meder (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CXF-3879?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sam Meder updated CXF-3879:
---------------------------

    Attachment: attachment-size-limit.patch

Updated patch which factors out some repeated code.
                

        

[jira] [Commented] (CXF-3879) Add the ability to enforce a maximum attachment size

Posted by "Sergey Beryozkin (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-3879?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13135803#comment-13135803 ] 

Sergey Beryozkin commented on CXF-3879:
---------------------------------------

thanks - looks good.
If you can wait then I will apply it early next week as I'm off till Monday - I'd like to see if I can move away a property from FormEncodingProvider - maybe it should stay there.

                

        

[jira] [Assigned] (CXF-3879) Add the ability to enforce a maximum attachment size

Posted by "Daniel Kulp (Assigned) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CXF-3879?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Kulp reassigned CXF-3879:
--------------------------------

    Assignee: Daniel Kulp
    

        

[jira] [Updated] (CXF-3879) Add the ability to enforce a maximum attachment size

Posted by "Sam Meder (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CXF-3879?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sam Meder updated CXF-3879:
---------------------------

    Attachment:     (was: attachment-size-limit.patch)
    

        

[jira] [Updated] (CXF-3879) Add the ability to enforce a maximum attachment size

Posted by "Sam Meder (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CXF-3879?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sam Meder updated CXF-3879:
---------------------------

    Attachment: attachment-size-limit.patch

One more version. Moved handling of the cache exception to MessageContextImpl since that seems to cover more code paths.
                