Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- 2.5.12
- None
- None
Description
2.5.12 introduced a regex match for multipart requests. The default regex used, however, is significantly too strict based on the RFC, as well as common practice. Specifically, at minimum, it needs to include the hyphen and more likely needs to support all of the fields defined by the RFC (https://www.w3.org/Protocols/rfc1341/7_2_Multipart.html).
bcharsnospace := DIGIT / ALPHA / "'" / "(" / ")" / "+" / "_" / "," / "-" / "." / "/" / ":" / "=" / "?"
In basic testing, we've seen:
Content-Type: multipart/form-data; boundary=BRKIypZ3Stvuclu7C-CTbP2fNljGAOVk[\r][\n]
(generated by the Apache HttpClient)
and
multipart/form-data; boundary=----WebKitFormBoundaryZGDtABnGWGozLAjh
(generated by Safari)
Issue Links
- is broken by WW-4768 Add proper validation if request is a multipart request (Closed)
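The mismatch described in this report, as an added example that is not Struts code: a Content-Type check built from the RFC 1341 `bcharsnospace` set, run beside an over-strict one on the two headers quoted above (without the trailing wire-log CRLF). The class name, the `STRICT` pattern (letters and digits only, constructed to stand in for a rule that rejects the hyphen) and the last three sample headers are assumptions made for illustration.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class MultipartBoundaryCheck {
    // Constructed stand-in for an over-strict rule; NOT the actual Struts default.
    static final Pattern STRICT = Pattern.compile(
        "multipart/form-data; boundary=[a-zA-Z0-9]{1,70}");

    // bcharsnospace from RFC 1341 section 7.2, written as character-class content.
    static final String NOSPACE = "0-9A-Za-z'()+_,\\-./:=?";

    // boundary := 0*69<bchars> bcharsnospace. A space (bchars only) can appear
    // only inside a quoted value; the unquoted form is accepted leniently for
    // every bcharsnospace character.
    static final Pattern RFC = Pattern.compile(
        "multipart/form-data\\s*;\\s*boundary=(?:"
        + "\"([" + NOSPACE + " ]{0,69}[" + NOSPACE + "])\""
        + "|([" + NOSPACE + "]{1,70}))\\s*",
        Pattern.CASE_INSENSITIVE);

    static boolean strictAccepts(String contentType) {
        return STRICT.matcher(contentType).matches();
    }

    // Returns the boundary value if the header is acceptable, otherwise null.
    static String rfcBoundary(String contentType) {
        Matcher m = RFC.matcher(contentType);
        if (!m.matches()) return null;
        return m.group(1) != null ? m.group(1) : m.group(2);
    }

    public static void main(String[] args) {
        String[] samples = {
            // From the report (Apache HttpClient, then Safari):
            "multipart/form-data; boundary=BRKIypZ3Stvuclu7C-CTbP2fNljGAOVk",
            "multipart/form-data; boundary=----WebKitFormBoundaryZGDtABnGWGozLAjh",
            // Constructed: quoted value with a space, a character outside the
            // RFC set, and a 71-character boundary (one over the limit).
            "multipart/form-data; boundary=\"batch 1:part=2\"",
            "multipart/form-data; boundary=abc{def}",
            "multipart/form-data; boundary=" + "a".repeat(71),
        };
        for (String ct : samples) {
            System.out.printf("strict=%-5b rfc=%-5b %s%n",
                strictAccepts(ct), rfcBoundary(ct) != null, ct);
        }
    }
}
```

The strict pattern rejects all five headers, including both real-client ones, while the RFC-based pattern accepts the first three and still rejects the out-of-set character and the over-length boundary.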