Restrict fallback multipart binding to POST requests with multipart/form-data

Closes gh-26999
See gh-26826

Author: jhoeller

spring-web/src/main/java/org/springframework/web/bind/ServletRequestDataBinder.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2020 the original author or authors.
+ * Copyright 2002-2021 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -20,6 +20,8 @@
 import javax.servlet.http.HttpServletRequest;
 
 import org.springframework.beans.MutablePropertyValues;
+import org.springframework.http.HttpMethod;
+import org.springframework.http.MediaType;
 import org.springframework.lang.Nullable;
 import org.springframework.util.StringUtils;
 import org.springframework.validation.BindException;
@@ -106,9 +108,9 @@ public void bind(ServletRequest request) {
 		if (multipartRequest != null) {
 			bindMultipart(multipartRequest.getMultiFileMap(), mpvs);
 		}
-		else if (StringUtils.startsWithIgnoreCase(request.getContentType(), "multipart/")) {
+		else if (StringUtils.startsWithIgnoreCase(request.getContentType(), MediaType.MULTIPART_FORM_DATA_VALUE)) {
 			HttpServletRequest httpServletRequest = WebUtils.getNativeRequest(request, HttpServletRequest.class);
-			if (httpServletRequest != null) {
+			if (httpServletRequest != null && HttpMethod.POST.matches(httpServletRequest.getMethod())) {
 				StandardServletPartUtils.bindParts(httpServletRequest, mpvs, isBindEmptyMultipartFiles());
 			}
 		}

spring-web/src/main/java/org/springframework/web/bind/support/WebRequestDataBinder.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2020 the original author or authors.
+ * Copyright 2002-2021 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -19,6 +19,9 @@
 import javax.servlet.http.HttpServletRequest;
 
 import org.springframework.beans.MutablePropertyValues;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.HttpMethod;
+import org.springframework.http.MediaType;
 import org.springframework.lang.Nullable;
 import org.springframework.util.StringUtils;
 import org.springframework.validation.BindException;
@@ -107,13 +110,15 @@ public WebRequestDataBinder(@Nullable Object target, String objectName) {
 	public void bind(WebRequest request) {
 		MutablePropertyValues mpvs = new MutablePropertyValues(request.getParameterMap());
 		if (request instanceof NativeWebRequest) {
-			MultipartRequest multipartRequest = ((NativeWebRequest) request).getNativeRequest(MultipartRequest.class);
+			NativeWebRequest nativeRequest = (NativeWebRequest) request;
+			MultipartRequest multipartRequest = nativeRequest.getNativeRequest(MultipartRequest.class);
 			if (multipartRequest != null) {
 				bindMultipart(multipartRequest.getMultiFileMap(), mpvs);
 			}
-			else if (StringUtils.startsWithIgnoreCase(request.getHeader("Content-Type"), "multipart/")) {
-				HttpServletRequest servletRequest = ((NativeWebRequest) request).getNativeRequest(HttpServletRequest.class);
-				if (servletRequest != null) {
+			else if (StringUtils.startsWithIgnoreCase(
+					request.getHeader(HttpHeaders.CONTENT_TYPE), MediaType.MULTIPART_FORM_DATA_VALUE)) {
+				HttpServletRequest servletRequest = nativeRequest.getNativeRequest(HttpServletRequest.class);
+				if (servletRequest != null && HttpMethod.POST.matches(servletRequest.getMethod())) {
 					StandardServletPartUtils.bindParts(servletRequest, mpvs, isBindEmptyMultipartFiles());
 				}
 			}

spring-web/src/main/java/org/springframework/web/method/annotation/ModelAttributeMethodProcessor.java

@@ -38,6 +38,9 @@
 import org.springframework.beans.BeanUtils;
 import org.springframework.beans.TypeMismatchException;
 import org.springframework.core.MethodParameter;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.HttpMethod;
+import org.springframework.http.MediaType;
 import org.springframework.lang.Nullable;
 import org.springframework.util.Assert;
 import org.springframework.util.ObjectUtils;
@@ -349,9 +352,10 @@ public Object resolveConstructorArgument(String paramName, Class<?> paramType, N
 				return (files.size() == 1 ? files.get(0) : files);
 			}
 		}
-		else if (StringUtils.startsWithIgnoreCase(request.getHeader("Content-Type"), "multipart/")) {
+		else if (StringUtils.startsWithIgnoreCase(
+				request.getHeader(HttpHeaders.CONTENT_TYPE), MediaType.MULTIPART_FORM_DATA_VALUE)) {
 			HttpServletRequest servletRequest = request.getNativeRequest(HttpServletRequest.class);
-			if (servletRequest != null) {
+			if (servletRequest != null && HttpMethod.POST.matches(servletRequest.getMethod())) {
 				List<Part> parts = StandardServletPartUtils.getParts(servletRequest, paramName);
 				if (!parts.isEmpty()) {
 					return (parts.size() == 1 ? parts.get(0) : parts);

spring-webmvc/src/test/java/org/springframework/web/servlet/mvc/method/annotation/ServletAnnotationControllerHandlerMethodTests.java

@@ -1998,9 +1998,8 @@ void dataClassBindingWithMultipartFile(boolean usePathPatterns) throws Exception
 	void dataClassBindingWithServletPart(boolean usePathPatterns) throws Exception {
 		initDispatcherServlet(ServletPartDataClassController.class, usePathPatterns);
 
-		MockHttpServletRequest request = new MockHttpServletRequest();
+		MockHttpServletRequest request = new MockHttpServletRequest("POST", "/bind");
 		request.setContentType("multipart/form-data");
-		request.setRequestURI("/bind");
 		request.addPart(new MockPart("param1", "value1".getBytes(StandardCharsets.UTF_8)));
 		request.addParameter("param2", "true");
 		MockHttpServletResponse response = new MockHttpServletResponse();