struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Adam Brin <>
Subject Multipart fixes in 2.5.12 and non-file payloads
Date Fri, 14 Jul 2017 13:46:50 GMT
We have a number of API components that include a textBody as part of the
multipart request.  In 2.5.12, these requests are being kicked out (while
in 2.5.10 they were fine.  changing the constant:

    <constant name="struts.multipart.validationRegex" value="(.*)"/>

to allow anything (as in the example) seems to fix the issue, but this
seems imprudent.  This is the code that's making the  API call, which seems
harmless enough:

              // using the

        MultipartEntityBuilder builder = MultipartEntityBuilder.create();

        builder.addTextBody("record", docXml, ContentType.create(
"application/xml", Consts.UTF_8));

        builder.addTextBody(ACCOUNT_ID, accountId.toString());

        HttpPost post = new HttpPost(baseUrl + API_INGEST_UPDATE_FILES);


        CloseableHttpResponse response = getHttpClient().execute(post);

In looking deeper, (with the http requests on trace, we see multipart
boundaries of:

 Content-Type: multipart/form-data; boundary=BRKIypZ3Stvuclu7C*-*

It looks like the RFC does include hyphens in the boundaries too: though I'm less
sure about other characters.  I worry this default regex will likely trip
up lots of uploads silently,
Adam Brin
Director of Technology, Digital Antiquity

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message