Posted to issues@struts.apache.org by "adam brin (JIRA)" <ji...@apache.org> on 2017/07/14 20:32:00 UTC

[jira] [Commented] (WW-4818) Default Multipart validation regex is invalid

    [ https://issues.apache.org/jira/browse/WW-4818?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16088001#comment-16088001 ] 

adam brin commented on WW-4818:
-------------------------------

HtmlUnit (which also uses the Apache HTTP client) commonly includes "_" in the boundary.

Content-Type: multipart/form-data; boundary=uhUF9k2Dei7tZu4UQYPyqpL8Upg_y5W

> Default Multipart validation regex is invalid
> ---------------------------------------------
>
>                 Key: WW-4818
>                 URL: https://issues.apache.org/jira/browse/WW-4818
>             Project: Struts 2
>          Issue Type: Bug
>    Affects Versions: 2.5.12
>            Reporter: adam brin
>
> 2.5.12 introduced a regex match for multipart requests.  The default regex used, however, is significantly too strict based on the RFC, as well as common practice.  Specifically, at minimum, it needs to include the *hyphen* and more likely needs to support all of the fields defined by the RFC (https://www.w3.org/Protocols/rfc1341/7_2_Multipart.html).
> {quote}bcharsnospace := DIGIT / ALPHA / "'" / "(" / ")" / "+" / "_" / "," / "-" / "." / "/" / ":" / "=" / "?"{quote}
> In basic testing, we've seen:
> {code} Content-Type: multipart/form-data; boundary=BRKIypZ3Stvuclu7C-CTbP2fNljGAOVk[\r][\n]{code} (generated by the Apache HttpClient)
> and
> {code}multipart/form-data; boundary=----WebKitFormBoundaryZGDtABnGWGozLAjh{code} (generated by Safari)



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
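
The mismatch reported in this thread, as an added example that is not part of the original message and is not Struts code: it checks the three boundaries quoted above against the RFC grammar (`boundary := 0*69<bchars> bcharsnospace`) and against an alphanumerics-only rule. `STRICT_BOUNDARY` is an assumed stand-in for an overly strict pattern, not the actual Struts default (which the page does not quote); the function names and the last two samples are constructed for illustration.

```python
import re

# bcharsnospace exactly as quoted from the RFC in the issue description.
BCHARSNOSPACE = r"0-9A-Za-z'()+_,\-./:=?"
# boundary := 0*69<bchars> bcharsnospace  (bchars adds the space character)
RFC_BOUNDARY = re.compile(rf"[{BCHARSNOSPACE} ]{{0,69}}[{BCHARSNOSPACE}]")
# Assumption: alphanumerics-only stand-in for an overly strict rule;
# this is NOT the actual Struts default regex, which the page does not quote.
STRICT_BOUNDARY = re.compile(r"[0-9A-Za-z]{1,70}")

# The parameter value is either a quoted-string or a bare token.
PARAM = re.compile(r';\s*boundary=(?:"([^"]*)"|([^\s;"]+))', re.IGNORECASE)


def extract_boundary(content_type):
    """Return the boundary parameter of a multipart/form-data header, or None."""
    value = content_type.strip()  # drops the trailing CRLF seen on the wire
    if value.lower().startswith("content-type:"):
        value = value.split(":", 1)[1].strip()
    if not value.lower().startswith("multipart/form-data"):
        return None
    m = PARAM.search(value)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def check(content_type):
    """Return (boundary, rfc_ok, strict_ok) for one header value."""
    b = extract_boundary(content_type)
    if b is None:
        return (None, False, False)
    return (b, bool(RFC_BOUNDARY.fullmatch(b)), bool(STRICT_BOUNDARY.fullmatch(b)))


# The three headers reported on the page, then two constructed negative cases.
SAMPLES = [
    "Content-Type: multipart/form-data; boundary=uhUF9k2Dei7tZu4UQYPyqpL8Upg_y5W",
    "Content-Type: multipart/form-data; boundary=BRKIypZ3Stvuclu7C-CTbP2fNljGAOVk\r\n",
    "multipart/form-data; boundary=----WebKitFormBoundaryZGDtABnGWGozLAjh",
    "multipart/form-data; boundary=abc#def",      # constructed: '#' is not in bchars
    "multipart/form-data; boundary=" + "a" * 71,  # constructed: longer than 70 chars
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check(sample))
```

All three client-generated boundaries from the thread satisfy the RFC grammar and fail the alphanumerics-only rule, while the two constructed malformed values are rejected by both.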