Affects Version/s: 1.0 Final
Fix Version/s: None
Operating System: All
In FileUploadBase.parseRequest(), the boundary string is computed by:
int boundaryIndex = contentType.indexOf("boundary=");
byte boundary = contentType.substring(boundaryIndex + 9).getBytes();
This is OK if the boundary string is unquoted. But RFC 1521 states clearly
that boundary strings may, and in some cases must, be quoted.
The consequence is that a request containing a quoted boundary string fails to
parse. The exact behaviour is that the parsing completes "successfully" but no
FileItems are found.
The code should look for a leading quote and, if found, move on by one
character before reading the boundary string. Perhaps it should check for the
trailing quote, too. Your test suites should be extended to test this case.
The examples in RFC 1521 show double quotes being used, and that is what
provoked the failure in the system I am trying to build. However, single
quotes may also be allowed (it probably says yes or no somewhere in the RFC).
If confirmed to be correct, I think that this is quite a serious fault,
requiring rapid attention. I have not provided a proposed patch, at this
stage, but would be willing to do so, if asked.