struts-issues mailing list archives

From "Stefaan Dutry (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (WW-4818) Default Multipart validation regex is invalid
Date Tue, 25 Jul 2017 08:53:01 GMT

    [ https://issues.apache.org/jira/browse/WW-4818?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16099727#comment-16099727 ]

Stefaan Dutry edited comment on WW-4818 at 7/25/17 8:52 AM:
------------------------------------------------------------

Would the following regex be sufficient? (Keeping the characters in the order of the RFC spec
and removing all unnecessary character escaping)
{code:none|title=regex}
^multipart/form-data(; boundary=[0-9a-zA-Z'()+,\-./:=?_]{1,70})?
{code}

or in the java code:
{code:java|title=org.apache.struts2.dispatcher.Dispatcher (line 91)}
public static final String MULTIPART_FORM_DATA_REGEX = "^multipart/form-data(; boundary=[0-9a-zA-Z'()+,\\-./:=?_]{1,70})?";
{code}

edit: added {{_}}


was (Author: sdutry):
Would the following regex be sufficient? (Keeping the characters in the order of the RFC spec
and removing all unnecessary character escaping)
{code:none|title=regex}
^multipart/form-data(; boundary=[0-9a-zA-Z'()+,\-./:=?]{1,70})?
{code}

or in the java code:
{code:java|title=org.apache.struts2.dispatcher.Dispatcher (line 91)}
public static final String MULTIPART_FORM_DATA_REGEX = "^multipart/form-data(; boundary=[0-9a-zA-Z'()+,\\-./:=?]{1,70})?";
{code}

> Default Multipart validation regex is invalid
> ---------------------------------------------
>
>                 Key: WW-4818
>                 URL: https://issues.apache.org/jira/browse/WW-4818
>             Project: Struts 2
>          Issue Type: Bug
>    Affects Versions: 2.5.12
>            Reporter: adam brin
>             Fix For: 2.5.13
>
>
> 2.5.12 introduced a regex matches for multipart requests.  The default regex used, however is significantly too strict based on the RFC, as well as common practice.  Specifically, at minimum, it needs to include the *hyphen* and more likely needs to support all of the fields defined by the RFC (https://www.w3.org/Protocols/rfc1341/7_2_Multipart.html).
> {quote}bcharsnospace := DIGIT / ALPHA / "'" / "(" / ")" / "+" / "_" / "," / "-" / "." / "/" / ":" / "=" / "?"{quote}
> In basic testing, we've seen:
> {code} Content-Type: multipart/form-data; boundary=BRKIypZ3Stvuclu7C-CTbP2fNljGAOVk[\r][\n]{code} (generated by the Apache HttpClient)
> and
> {code}multipart/form-data; boundary=----WebKitFormBoundaryZGDtABnGWGozLAjh{code} (generated by Safari)



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
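
A way to check the proposed pattern against the header values reported in the issue, as an added example that is not part of the original message or of the Struts code base. The class name `MultipartRegexCheck`, the `ALNUM_ONLY` stand-in pattern, the whole-string `matches()` call on the lower-cased value, and every sample marked as constructed are assumptions.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Pattern;

public class MultipartRegexCheck {
    // Proposed pattern, copied from the comment in this message.
    static final Pattern PROPOSED = Pattern.compile(
        "^multipart/form-data(; boundary=[0-9a-zA-Z'()+,\\-./:=?_]{1,70})?");
    // Constructed stand-in for an alphanumeric-only boundary class
    // (assumption for comparison, not taken from the Struts source).
    static final Pattern ALNUM_ONLY = Pattern.compile(
        "^multipart/form-data(; boundary=[0-9a-zA-Z]{1,70})?");

    // Assumed call shape: the whole lower-cased header value must match.
    static boolean accepts(Pattern p, String contentType) {
        return contentType != null
            && p.matcher(contentType.toLowerCase(Locale.ENGLISH)).matches();
    }

    public static void main(String[] args) {
        Map<String, String> samples = new LinkedHashMap<>();
        // Values reported in the issue (wire-log decoration dropped).
        samples.put("HttpClient",
            "multipart/form-data; boundary=BRKIypZ3Stvuclu7C-CTbP2fNljGAOVk");
        samples.put("Safari",
            "multipart/form-data; boundary=----WebKitFormBoundaryZGDtABnGWGozLAjh");
        // Everything below is constructed for this example.
        samples.put("all bcharsnospace",
            "multipart/form-data; boundary=09azAZ'()+_,-./:=?");
        samples.put("no boundary", "multipart/form-data");
        // 71 'a' characters, one over the {1,70} limit (Java 8 compatible).
        samples.put("71-char boundary", "multipart/form-data; boundary="
            + new String(new char[71]).replace('\0', 'a'));
        // Forms outside the pattern: quoted value, extra parameter, other subtype.
        samples.put("quoted boundary", "multipart/form-data; boundary=\"abc\"");
        samples.put("extra parameter",
            "multipart/form-data; boundary=abc; charset=utf-8");
        samples.put("other subtype", "multipart/mixed; boundary=abc");

        for (Map.Entry<String, String> e : samples.entrySet()) {
            System.out.printf("%-18s alnum-only=%-5b proposed=%b%n", e.getKey(),
                accepts(ALNUM_ONLY, e.getValue()), accepts(PROPOSED, e.getValue()));
        }
    }
}
```

Because the pattern has no `$`, the rejection of the over-long, quoted and extra-parameter samples depends on `matches()` requiring a full match; with `find()` those values would be accepted on their prefix.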
