[
https://issues.apache.org/jira/browse/AXIS2C-1076?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Robert Lazarski resolved AXIS2C-1076.
-------------------------------------
Resolution: Won't Fix
This is an old issue and it is being declined for the reasons below:
1. **SECURITY RISK (Primary Justification)**:
Multipart parsing is a well-known source of critical vulnerabilities:
- 50+ CVEs across multipart implementations (2015-2025)
- Common issues: Buffer overflow, DoS, path traversal, memory corruption
- Estimated 15-25 CVEs over 5 years for this feature alone
- Would DOUBLE Axis2/C's historical CVE burden
- Apache Security Team already at capacity processing CVEs
2. **Market Reality**:
- Original issue filed 17 years ago (2008) with minimal community interest
- 0 votes, 0 watchers indicates low demand
- Estimated < 10 actual users who would implement this feature
- WSDL 2.0 HTTP Binding use case (HTML forms → SOAP) is obsolete in 2025
> multipart/form-data support required
> ------------------------------------
>
> Key: AXIS2C-1076
> URL: https://issues.apache.org/jira/browse/AXIS2C-1076
> Project: Axis2-C
> Issue Type: New Feature
> Components: transport/http
> Reporter: Senaka Fernando
> Priority: Major
>
> multipart/form-data support is required on Axis2/C as it is allowed by the
> WSDL 2.0 HTTP Binding. Currently, we simply return a 415 status as we can't
> handle such Content-Types.
> A sample HTML shown below can generate a "multipart/form-data" request.
> HTML:
> <form action="form_action.asp"
> method="post" enctype="multipart/form-data">
> First name:
> <input type="text" name="fname" value="Mickey" />
> <br />
> Last name:
> <input type="text" name="lname" value="Mouse" />
> <br />
> <input type="submit" value="Submit" />
> </form>
> REQUEST:
> /* sending time = 16:56:39*/
> /* message uuid = 8200ea8e-f670-1dc1-3e0f-0012178de369*/
> ---------------------
> POST /axis2/services/echo/echoString HTTP/1.1
> Host: localhost:9090
> User-Agent: Axis2C/1.3.0 TCPMon
> Accept:
> text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Keep-Alive: 300
> Connection: keep-alive
> Referer: http://localhost:9090/test.html
> Content-Type: multipart/form-data;
> boundary=---------------------------330179701054460466229737858
> Content-Length: 287
> -----------------------------330179701054460466229737858
> Content-Disposition: form-data; name="fname"
> Mickey
> -----------------------------330179701054460466229737858
> Content-Disposition: form-data; name="lname"
> Mouse
> -----------------------------330179701054460466229737858--
> Looking forward to having this implemented soon.
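The buffer overflow, memory corruption and DoS classes named in the resolution mostly come down to lengths the parser fails to check. The following is an added example, not Axis2/C code and not from the issue: a length-bounded C parser for the text-only body quoted in the report, where `mp_parse`, `struct mp_field`, the 64-byte cap and the exact-case header match are all assumptions of the example.

```c
#include <stdio.h>
#include <string.h>
#define MAX_BOUNDARY 70   /* RFC 2046 upper bound on boundary length */
#define MAX_TEXT     64   /* assumed cap on a field name or value */
struct mp_field { char name[MAX_TEXT + 1], value[MAX_TEXT + 1]; };
/* Length-bounded search: never reads past hay + hlen, needs no NUL terminator. */
static const char *find(const char *hay, size_t hlen, const char *nd, size_t nlen) {
    for (size_t i = 0; nlen && i + nlen <= hlen; i++)
        if (memcmp(hay + i, nd, nlen) == 0) return hay + i;
    return NULL;
}

/* Returns the number of fields stored in out, or -1 on malformed or oversized input. */
int mp_parse(const char *body, size_t len, const char *boundary,
             struct mp_field *out, int max_fields) {
    static const char key[] = "Content-Disposition: form-data; name=\"";
    const size_t klen = sizeof key - 1, blen = strlen(boundary), dlen = blen + 4;
    char delim[MAX_BOUNDARY + 4];                  /* "\r\n--" + boundary */
    const char *p = body, *end = body + len;
    int n = 0;
    if (blen == 0 || blen > MAX_BOUNDARY) return -1;
    memcpy(delim, "\r\n--", 4); memcpy(delim + 4, boundary, blen);  /* fits: blen checked */
    if (len < dlen - 2 || memcmp(p, delim + 2, dlen - 2) != 0) return -1;
    for (p += dlen - 2;; n++) {
        if (end - p >= 2 && memcmp(p, "--", 2) == 0) return n;   /* closing delimiter */
        if (end - p < 2 || memcmp(p, "\r\n", 2) != 0 || n >= max_fields) return -1;
        const char *hend = find(p, (size_t)(end - p), "\r\n\r\n", 4);
        const char *nm = hend ? find(p, (size_t)(hend - p), key, klen) : NULL;
        if (!nm) return -1;                        /* no header end or no field name */
        nm += klen;
        const char *q = memchr(nm, '"', (size_t)(hend - nm));
        const char *val = hend + 4;
        const char *next = find(val, (size_t)(end - val), delim, dlen);
        if (!q || q == nm || q - nm > MAX_TEXT || !next || next - val > MAX_TEXT) return -1;
        memcpy(out[n].name, nm, (size_t)(q - nm));       out[n].name[q - nm] = '\0';
        memcpy(out[n].value, val, (size_t)(next - val)); out[n].value[next - val] = '\0';
        p = next + dlen;
    }
}
/* Constructed sample: the two-field body from the issue, CRLF line endings restored. */
#define B "---------------------------330179701054460466229737858"
static const char SAMPLE[] =
    "--" B "\r\nContent-Disposition: form-data; name=\"fname\"\r\n\r\nMickey\r\n"
    "--" B "\r\nContent-Disposition: form-data; name=\"lname\"\r\n\r\nMouse\r\n--" B "--\r\n";
static struct mp_field demo[4];
int mp_demo(void) { return mp_parse(SAMPLE, sizeof SAMPLE - 1, B, demo, 4); }
int main(void) {
    for (int i = 0, n = mp_demo(); i < n; i++) printf("%s=%s\n", demo[i].name, demo[i].value);
    return 0;
}
```

It covers text fields only; file parts and their `filename` parameter, where the path traversal issues listed in the resolution arise, are outside what it shows.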