struts-issues mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (WW-4818) Default Multipart validation regex is invalid
Date Tue, 25 Jul 2017 11:38:00 GMT

    [ https://issues.apache.org/jira/browse/WW-4818?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16099899#comment-16099899 ]

ASF GitHub Bot commented on WW-4818:
------------------------------------

GitHub user sdutry opened a pull request:

    https://github.com/apache/struts/pull/151

    WW-4818 change default Multipart validation regex to comply with RFC1341

    

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/sdutry/struts WW-4818

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/struts/pull/151.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #151
    
----
commit 68d52dbe42aebc8e24379ebfaf4f306dd261b91c
Author: Stefaan Dutry <stefaan.dutry@gmail.com>
Date:   2017-07-25T11:05:07Z

    WW-4818 change default Multipart validation regex to comply with RFC1341

----


> Default Multipart validation regex is invalid
> ---------------------------------------------
>
>                 Key: WW-4818
>                 URL: https://issues.apache.org/jira/browse/WW-4818
>             Project: Struts 2
>          Issue Type: Bug
>    Affects Versions: 2.5.12
>            Reporter: adam brin
>             Fix For: 2.5.13
>
>
> 2.5.12 introduced a regex match for multipart requests. The default regex used, however, is significantly too strict based on the RFC, as well as common practice. Specifically, at minimum, it needs to include the *hyphen* and more likely needs to support all of the fields defined by the RFC (https://www.w3.org/Protocols/rfc1341/7_2_Multipart.html).
> {quote}bcharsnospace := DIGIT / ALPHA / "'" / "(" / ")" / "+" / "_" / "," / "-" / "." / "/" / ":" / "=" / "?"{quote}
> In basic testing, we've seen:
> {code} Content-Type: multipart/form-data; boundary=BRKIypZ3Stvuclu7C-CTbP2fNljGAOVk[\r][\n]{code} (generated by the Apache HttpClient)
> and
> {code}multipart/form-data; boundary=----WebKitFormBoundaryZGDtABnGWGozLAjh{code} (generated by Safari)



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
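
An added example, not part of the original message or of the Struts code base: a Java check of the Content-Type `boundary` parameter against the RFC 1341 grammar quoted in the issue, run over the two header values from the report plus constructed ones. `STRICT` is a hypothetical alphanumeric-only stand-in (not the Struts default), the class and field names are illustrative, and the length and quoting rules come from the RFC's `boundary := 0*69<bchars> bcharsnospace` production rather than from this page; only the boundary parameter is checked.

```java
import java.util.regex.Pattern;

public class BoundaryCheck {
    // bcharsnospace from RFC 1341 section 7.2, as quoted in the issue.
    static final String NOSPACE = "[0-9A-Za-z'()+_,\\-./:=?]";
    // bchars := bcharsnospace / " "
    static final String BCHARS = "[0-9A-Za-z'()+_,\\-./:=? ]";

    // boundary := 0*69<bchars> bcharsnospace: 1 to 70 characters, never ending in a space.
    // A boundary that contains a space can only travel as a quoted string.
    static final Pattern RFC = Pattern.compile(
        "(?i:multipart/form-data)\\s*;\\s*(?i:boundary)=(?:"
        + "\"" + BCHARS + "{0,69}" + NOSPACE + "\""
        + "|" + NOSPACE + "{1,70})\\s*");

    // Hypothetical stand-in for an alphanumeric-only rule (assumption, not the Struts default).
    static final Pattern STRICT = Pattern.compile(
        "multipart/form-data; boundary=[a-zA-Z0-9]{1,70}");

    // matches() requires the whole header value to fit, so no anchors are needed.
    static boolean accepts(Pattern p, String contentType) {
        return p.matcher(contentType).matches();
    }

    public static void main(String[] args) {
        String prefix = "multipart/form-data; boundary=";
        String[] samples = {
            prefix + "BRKIypZ3Stvuclu7C-CTbP2fNljGAOVk",        // from the issue (Apache HttpClient)
            prefix + "----WebKitFormBoundaryZGDtABnGWGozLAjh",  // from the issue (Safari)
            prefix + "\"part one\"",                            // constructed: quoted, inner space
            prefix + "\"trailing \"",                           // constructed: ends in a space
            prefix + "a".repeat(71),                            // constructed: 71 characters (Java 11+)
            prefix + "bad{char}",                               // constructed: outside bchars
        };
        for (String s : samples) {
            System.out.printf("strict=%-5b rfc=%-5b %s%n",
                accepts(STRICT, s), accepts(RFC, s), s);
        }
    }
}
```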
