Re: [PR] HTTPCLIENT-2325 Avoid adding "; charset=" for multipart/form-data requests [httpcomponents-client]

Mon, 18 Mar 2024 04:32:37 -0700 


vlsi commented on code in PR #556:
URL: 
https://github.com/apache/httpcomponents-client/pull/556#discussion_r1528370944


##########
httpclient5/src/main/java/org/apache/hc/client5/http/entity/mime/MultipartEntityBuilder.java:
##########
@@ -253,12 +253,13 @@ MultipartFormEntity buildEntity() {
         if (charsetCopy == null && contentType != null) {
             charsetCopy = contentType.getCharset();
         }
-        final List<NameValuePair> paramsList = new ArrayList<>(2);
-        paramsList.add(new BasicNameValuePair("boundary", boundaryCopy));
-        if (charsetCopy != null) {
-            paramsList.add(new BasicNameValuePair("charset", 
charsetCopy.name()));
-        }
-        final NameValuePair[] params = 
paramsList.toArray(EMPTY_NAME_VALUE_ARRAY);
+        // Previusly, "charset" parameter was added to the Content-Type 
header, however adding "charset=..."
+        // is not specified in RFC 7578, and it causes issues with (flawed?) 
HTTP servers.
+        // For instance:
+        //  
https://github.com/owasp-modsecurity/ModSecurity/commit/6e56950cdf258c9b39f12cf6eb014cb59797cfd3
+        //  https://github.com/akka/akka-http/issues/338
+        //  https://bz.apache.org/bugzilla/show_bug.cgi?id=61384
+        final NameValuePair[] params = new NameValuePair[]{new 
BasicNameValuePair("boundary", boundaryCopy)};

Review Comment:
   I can easily imagine somebody could try re-adding `charset` property here. 
It would be insufficient to have the comment **only** in the commit message as 
the person who edits the file will not see "somebody did remove charset from 
here previously".
   
   ---
   
   Exactly the same story in JMeter:
   1) `multipartEntityBuilder.setContent(...)` removed in 2017 in 
https://bz.apache.org/bugzilla/show_bug.cgi?id=61384#c15
   2) `multipartEntityBuilder.setContent(...)` added in 2023 in 
https://github.com/apache/jmeter/pull/5987
   
   ---
   
   If you still think the code comment should be removed, I can easily do that. 
It would make the maintenance harder though.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@hc.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@hc.apache.org
For additional commands, e-mail: dev-h...@hc.apache.org

Reply via email to