Uploaded image for project: 'Commons FileUpload'
  1. Commons FileUpload
  2. FILEUPLOAD-40

FileUploadBase does not handle quoted boundary specification, which is required by RFC 1521

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.0 Final
    • Fix Version/s: None
    • Labels:
      None
    • Environment:

      Operating System: All
      Platform: All

    • Bugzilla Id:
      21269

      Description

      In FileUploadBase.parseRequest(), the boundary string is computed by:

      int boundaryIndex = contentType.indexOf("boundary=");
      byte[] boundary = contentType.substring(boundaryIndex + 9).getBytes();

      This is OK if the boundary string is unquoted. But RFC 1521 states clearly
      that boundary strings may, and in some cases must, be quoted.

      The consequence is that a request containing a quoted boundary string fails to
      parse. The exact behaviour is that the parsing completes "successfully" but no
      FileItems are found.

      The code should look for a leading quote and, if found, move on by one
      character before reading the boundary string. Perhaps it should check for the
      trailing quote, too. Your test suites should be extended to test this case.

      The examples in RFC 1521 show double quotes being used, and that is what
      provoked the failure in the system I am trying to build. However, single
      quotes may also be allowed (it probably says yes or no somewhere in the RFC).

      If confirmed to be correct, I think that this is quite a serious fault,
      requiring rapid attention. I have not provided a proposed patch, at this
      stage, but would be willing to do so, if asked.

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              peter.chase@globalgraphics.com Peter Chase
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: