Tomcat9: multipart upload fails over https

Status changed to 'Confirmed' because the bug affects multiple users.

Tomcat version 9.0.31 has another bug for file upload having same infrastructure as the author of this topic. stacktrace below.

org.springframework.web.multipart.MultipartException: Failed to parse multipart servlet request; nested exception is java.io.IOException: org.apache.tomcat.util.http.fileupload.impl.IOFileUploadException: Processing of multipart/form-data request failed. Stream ended unexpectedly

I solved it by manually updating Tomcat to version 9.0.43.

This zip file contains the test application to reproduce the bug.

The attachment "debdiff.patch" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

Hey Tom,

Thanks for the SRU template, debdiff, and even a synthetic reproducer!

I just sent you some review feedback internally, and next steps.
Setting the bug status to 'Incomplete' to reflect that for now.

Updated debdiff.patch to include DEP-3 headers.

Hi Tom,

Thanks for the updated debdiff!

I have reviewed it and adjusted just a couple minor things,
and will upload it to Focal.

1) Deduplicated a bit of the changelog entry.
2) Added back the 'changelog.xml' portion of the patch,
as the (resulting) changelog.html goes in tomcat9-docs,
and it was still referred to in the git diffstat.
3) Even though there's no code changes required to apply
(ie, backport), the changelog file required trivial bits
changed (refresh the upper 3 context lines), so I added
the (optional) 'backport' keyword to the Origin DEP3 tag.
4) Used the shorter/general LP bugs URL in Bug-Ubuntu.

Testing:

Since the package and its reverse dependencies (apt rdepends)
don't seem to have autopkgtests (debian/tests/) to help with
verifying the changes at scale (in addition to the synthetic
reproducer), there's a few points to note:

1) The upstream tomcat9.git/9.0.x branch has no additional
changes/fixes to this commit until the (reverted) code path
simplification is reapplied and improved (very big refactor).
[good]

2) The build time test-suite has `test-nio:` and `test-nio2`
sections, including Http11, which should cover the codepath.
[good]

3) There's no differences for them (test sections in general)
between the build logs of focal-updates (9.0.31-1ubuntu0.3)
and a PPA w/ your changes (9.0.31-1ubuntu0.4).
[good]

4) With the 3 points above, it looks fine to upload to Focal.

Nonetheless, once/if it lands in focal-proposed after review
by the Ubuntu SRU team, could you please perform stress tests
on both non-/SSL paths, with a tool like Apache JMeter?
(a comparison between focal-updates/-proposed would be great!)

It'd be important to iron out the changes as much as we can,
since it's a code deviation since the initial Focal release.

Thanks a bunch!
Mauricio

Hello Simone, or anyone else affected,

Accepted tomcat9 into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/tomcat9/9.0.31-1ubuntu0.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Please, if you can, add a jmeter run to the test scenario, as suggested by Mauricio.

Mauricio, thanks for your verifications before sponsoring, that was very thorough! I also spotted that the code came back in later releases, but with other changes to make it viable this time, exactly as you said.

I have done some basic testing with jmeter and can confirm that the fix in -proposed works correctly and there is little to no performance impact on the test cases that worked prior to the fix being applied.

Attached is the jmeter test plan that I used to validate the correctness of the fix

This bug was fixed in the package tomcat9 - 9.0.31-1ubuntu0.4

---------------
tomcat9 (9.0.31-1ubuntu0.4) focal; urgency=medium

  * d/p/lp1903851-multipart-upload-over-https.patch: apply revert
    from 9.0.32 to fix multi-part upload over HTTPS (LP: #1903851)

 -- Tom Moyer <email address hidden> Fri, 18 Nov 2022 19:07:15 +0000

The verification of the Stable Release Update for tomcat9 has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.