Multipart form-data larger than 16KiB is not available through Servlet getParameter API after JBoss EAP 7.4.12
Environment
- Red Hat JBoss Enterprise Application Platform (EAP)
- 7.4.12 - 7.4.15
- 8.0.0
Issue
- POST request data larger than 16KiB in a multipart/form-data request becomes unavailable through the Servlet getParameter API after JBoss EAP 7.4.12.
- When submitting field values via enctype multipart/form-data, Undertow makes up a submittedFilename for values larger than 16383 bytes. This leads the application to confuse the values with file uploads. In particular, JSF won't invoke the bean setter for such values.
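To confirm that an application is hitting this behaviour, the following added example (not Red Hat or Undertow code) reads a text field and, when getParameter returns null, looks for the same field among the multipart parts. The class name, the 1 MiB cap and the UTF-8 default are assumptions, as is the premise that the oversized field is still exposed through the standard getPart API.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.Part;

/** Hypothetical helper. Uses javax.servlet (EAP 7.4); EAP 8 uses jakarta.servlet. */
public final class MultipartTextField {
    private static final String MULTIPART = "multipart/form-data";
    // Largest text field this application accepts, in bytes (assumed limit, tune per form).
    private static final long MAX_TEXT_BYTES = 1024 * 1024;

    private MultipartTextField() { }

    /** Returns the text value of form field {@code name}, or null if it was not sent. */
    public static String read(HttpServletRequest request, String name)
            throws IOException, ServletException {
        String value = request.getParameter(name);
        if (value != null) {
            return value; // field stayed a regular parameter
        }
        String type = request.getContentType();
        if (type == null || !type.regionMatches(true, 0, MULTIPART, 0, MULTIPART.length())) {
            return null;
        }
        // Requires multipart handling on the servlet (@MultipartConfig or <multipart-config>).
        Part part = request.getPart(name);
        if (part == null) {
            return null;
        }
        if (part.getSize() > MAX_TEXT_BYTES) { // keep memory use bounded before buffering
            throw new ServletException("Form field '" + name + "' exceeds " + MAX_TEXT_BYTES + " bytes");
        }
        // Diagnostic: a text field that arrives with a filename matches the issue described above.
        // Only the presence of the filename is logged, never its value.
        request.getServletContext().log("Field '" + name + "' (" + part.getSize()
                + " bytes) missing from getParameter; hasFilename=" + (part.getSubmittedFileName() != null));
        String enc = request.getCharacterEncoding();
        Charset charset = (enc != null) ? Charset.forName(enc) : StandardCharsets.UTF_8; // assumed default
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try (InputStream in = part.getInputStream()) {
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) != -1; ) {
                out.write(buf, 0, n);
            }
        }
        return new String(out.toByteArray(), charset);
    }
}
```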
Resolution
- This issue has been reported as JBEAP-26355 for JBoss EAP 7.4.12+ and also JBEAP-26413 for JBoss EAP 8.0.0, which will be fixed in future releases (tentatively JBoss EAP 7.4.16+ and JBoss EAP 8.0.1+).
- This issue can be mitigated by setting the io.undertow.multipart.minsize system property to a large enough value (e.g. -Dio.undertow.multipart.minsize=10485760). See Add/remove/update system properties in JBoss EAP 6/7 for further details on the procedure to follow.
Root Cause
- This issue is caused by the fix for CVE-2023-3223 / UNDERTOW-2271 which has been included in JBoss EAP 7.4.12+.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.