Uploaded image for project: 'Struts 2'
  1. Struts 2
  2. WW-4818

Default Multipart validation regex is invalid

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.5.12
    • Fix Version/s: 2.5.13
    • Component/s: None
    • Labels:
      None

      Description

      2.5.12 introduced a regex matches for multipart requests. The default regex used, however is significantly too strict based on the RFC, as well as common practice. Specifically, at minimum, it needs to include the hyphen and more likely needs to support all of the fields defined by the RFC (https://www.w3.org/Protocols/rfc1341/7_2_Multipart.html).

      bcharsnospace := DIGIT / ALPHA / "'" / "(" / ")" / "+" / "_" / "," / "-" / "." / "/" / ":" / "=" / "?"

      In basic testing, we've seen:

       Content-Type: multipart/form-data; boundary=BRKIypZ3Stvuclu7C-CTbP2fNljGAOVk[\r][\n]

      (generated by the Apache HttpClient)
      and

      multipart/form-data; boundary=----WebKitFormBoundaryZGDtABnGWGozLAjh

      (generated by Safari)

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                abrin adam brin
              • Votes:
                0 Vote for this issue
                Watchers:
                7 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: