struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Lukasz Lenart <lukaszlen...@apache.org>
Subject Re: Multipart fixes in 2.5.12 and non-file payloads
Date Mon, 17 Jul 2017 06:03:27 GMT
I assume that this is the related ticket to this [1], right?

[1] https://issues.apache.org/jira/browse/WW-4818

2017-07-14 15:46 GMT+02:00 Adam Brin <abrin@digitalantiquity.org>:
> We have a number of API components that include a textBody as part of the
> multipart request.  In 2.5.12, these requests are being kicked out (while
> in 2.5.10 they were fine.  changing the constant:
>
>     <constant name="struts.multipart.validationRegex" value="(.*)"/>
>
> to allow anything (as in the example) seems to fix the issue, but this
> seems imprudent.  This is the code that's making the  API call, which seems
> harmless enough:
>
>               // using the
> org.apache.http.entity.mime.MultipartEntityBuilder
>
>         MultipartEntityBuilder builder = MultipartEntityBuilder.create();
>
>         builder.addTextBody("record", docXml, ContentType.create(
> "application/xml", Consts.UTF_8));
>
>         builder.addTextBody(ACCOUNT_ID, accountId.toString());
>
>         HttpPost post = new HttpPost(baseUrl + API_INGEST_UPDATE_FILES);
>
>         post.setEntity(builder.build());
>
>         CloseableHttpResponse response = getHttpClient().execute(post);
>
>
> In looking deeper, (with the http requests on trace, we see multipart
> boundaries of:
>
>  Content-Type: multipart/form-data; boundary=BRKIypZ3Stvuclu7C*-*
> CTbP2fNljGAOVk[\r][\n]
>
>
> It looks like the RFC does include hyphens in the boundaries too:
> https://www.w3.org/Protocols/rfc1341/7_2_Multipart.html though I'm less
> sure about other characters.  I worry this default regex will likely trip
> up lots of uploads silently,
> --
> _________________________________________________________
> Adam Brin
> Director of Technology, Digital Antiquity
> 480.965.1278

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Mime
View raw message