dxbjavid opened a new pull request, #3223: URL: https://github.com/apache/cxf/pull/3223
An inbound multipart attachment whose Content-Transfer-Encoding is quoted-printable is decoded by QuotedPrintableDecoderStream, which looks each of the two bytes following an '=' up in a 128-entry table without checking they are hex digits. A byte of 0x80 or above arrives as a negative Java byte and throws ArrayIndexOutOfBoundsException, an invalid ASCII pair like =GG is silently turned into 0x00, and a lowercase pair like =e2 decodes to the wrong byte because the table only holds the uppercase forms. This decodes each nibble with Character.digit over the unsigned byte and refuses anything that isn't valid hex, so malformed input is rejected rather than mis-decoded or crashing the parser.
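An added illustration of the failure modes described in the pull request, not code from the CXF repository or from the PR itself. The `TABLE` lookup is a constructed stand-in for the unchecked decode, and the class name, method names and sample inputs are hypothetical.

```java
import java.io.IOException;

public class QpHexPairDemo {
    // Constructed stand-in for the lookup described in the PR: 128 entries,
    // only '0'-'9' and 'A'-'F' populated, everything else left at 0.
    static final byte[] TABLE = new byte[128];
    static {
        for (int i = 0; i < 10; i++) TABLE['0' + i] = (byte) i;
        for (int i = 0; i < 6; i++) TABLE['A' + i] = (byte) (10 + i);
    }

    // Unchecked decode: the signed byte is used directly as the array index,
    // so any byte >= 0x80 becomes a negative index.
    static int lenientPair(byte hi, byte lo) {
        return (TABLE[hi] << 4) | TABLE[lo];
    }

    // Strict decode: widen to an unsigned value, then require a hex digit.
    static int strictPair(byte hi, byte lo) throws IOException {
        int h = Character.digit(hi & 0xFF, 16);
        int l = Character.digit(lo & 0xFF, 16);
        if (h < 0 || l < 0) {
            throw new IOException("invalid quoted-printable escape");
        }
        return (h << 4) | l;
    }

    // Runs both decoders on one escape pair and reports each outcome.
    static String run(String label, byte hi, byte lo) {
        String lenient, strict;
        try { lenient = String.format("0x%02X", lenientPair(hi, lo)); }
        catch (RuntimeException e) { lenient = e.getClass().getSimpleName(); }
        try { strict = String.format("0x%02X", strictPair(hi, lo)); }
        catch (IOException e) { strict = "rejected"; }
        return String.format("%-8s lenient=%-32s strict=%s", label, lenient, strict);
    }

    public static void main(String[] args) {
        // Constructed inputs: one valid pair plus the three cases in the description.
        System.out.println(run("=E2", (byte) 'E', (byte) '2'));
        System.out.println(run("=e2", (byte) 'e', (byte) '2'));
        System.out.println(run("=GG", (byte) 'G', (byte) 'G'));
        System.out.println(run("=\\x80A", (byte) 0x80, (byte) 'A'));
    }
}
```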
