[ https://issues.apache.org/jira/browse/HTTPCLIENT-2325?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17828069#comment-17828069 ]
ASF subversion and git services commented on HTTPCLIENT-2325:
-------------------------------------------------------------
Commit 3b9bc89c2604c4e4ad509fb922e6c88ff101e13e in httpcomponents-client's
branch refs/heads/master from Vladimir Sitnikov
[ https://gitbox.apache.org/repos/asf?p=httpcomponents-client.git;h=3b9bc89c2 ]
HTTPCLIENT-2325 Avoid adding "; charset=" for multipart/form-data requests
Previously, "charset" parameter was added to the Content-Type header, however adding "charset=..." is not specified in RFC 7578, and it causes issues with (flawed?) HTTP servers.
The change does not modify ContentType.MULTIPART_FORM_DATA, and it might have backward compatibility side-effects.
See
* https://github.com/apache/jmeter/issues/6250
* https://github.com/owasp-modsecurity/ModSecurity/commit/6e56950cdf258c9b39f12cf6eb014cb59797cfd3
* https://bz.apache.org/bugzilla/show_bug.cgi?id=61384
* https://github.com/akka/akka-http/issues/338
> Avoid adding "; charset=" for multipart/form-data requests
> ----------------------------------------------------------
>
> Key: HTTPCLIENT-2325
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2325
> Project: HttpComponents HttpClient
> Issue Type: Improvement
> Components: HttpClient (classic)
> Affects Versions: 4.5.14
> Reporter: Vladimir Sitnikov
> Priority: Major
> Time Spent: 1h 50m
> Remaining Estimate: 0h
>
> Currently, HttpClient adds {{; charset=}} to {{multipart/form-data}} which both
> 1) Breaks certain HTTP servers: see https://github.com/apache/jmeter/pull/6251, https://github.com/akka/akka-http/issues/338
> 2) Does not follow RFC 2046 and RFC 7578
> Even though including the "charset" parameter is not explicitly forbidden by
> RFCs, there are known HTTP servers that can't parse such requests, so why
> generate the "charset=..." for multipart/form-data in the first place?
> See how RFC 7578 suggests setting the default charset:
> https://datatracker.ietf.org/doc/html/rfc7578#section-5.1.2
> They mention a {{_charset_}} field instead.
> ----
> Unfortunately, removal of {{multipartEntityBuilder.setCharset(charset);}} in
> the caller's code is not enough as HttpClient uses the supplied charset in
> {{HttpBrowserCompatibleMultipart}}.
> ---
> I suggest avoiding sending {{charset}} within the {{multipart/form-data}} header,
> so it includes only {{boundary}} just like RFC 7578 samples.
> In other words, I suggest removing these lines:
> https://github.com/apache/httpcomponents-client/blob/54900db4653d7f207477e6ee40135b88e9bcf832/httpmime/src/main/java/org/apache/http/entity/mime/MultipartEntityBuilder.java#L215-L217
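The header difference this commit addresses, seen from the receiving side, as an added example (not code from HttpClient or from any of the servers linked above): a Content-Type parser that finds the boundary regardless of parameter order and rejects duplicate parameters, next to a hypothetical brittle parser that only accepts the boundary-only form. The header values, the boundary string and all function names are constructed for illustration.

```python
import re

# Constructed sample headers (the boundary value is made up): the form with the
# extra charset parameter, and the boundary-only form the commit switches to.
WITH_CHARSET = 'multipart/form-data; charset=UTF-8; boundary=xK7fQ2pL9'
BOUNDARY_ONLY = 'multipart/form-data; boundary=xK7fQ2pL9'

_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"   # HTTP "token" characters
_PARAM = re.compile(r'\s*;\s*(' + _TOKEN + r')=(?:(' + _TOKEN + r')|"((?:[^"\\]|\\.)*)")')

def parse_content_type(header):
    """Return (media_type, params) with lower-cased type and parameter names."""
    m = re.match(r'\s*(' + _TOKEN + '/' + _TOKEN + ')', header)
    if not m:
        raise ValueError('no media type')
    media_type, pos, params = m.group(1).lower(), m.end(), {}
    while pos < len(header.rstrip()):
        p = _PARAM.match(header, pos)
        if not p:
            raise ValueError('malformed parameter at offset %d' % pos)
        name = p.group(1).lower()
        if name in params:                  # ambiguous input: refuse, do not guess
            raise ValueError('duplicate parameter: ' + name)
        value = p.group(2) if p.group(2) is not None else re.sub(r'\\(.)', r'\1', p.group(3))
        params[name] = value
        pos = p.end()
    return media_type, params

def multipart_boundary(header):
    """Boundary of a multipart/form-data request, whatever other parameters exist."""
    media_type, params = parse_content_type(header)
    if media_type != 'multipart/form-data':
        raise ValueError('not multipart/form-data')
    boundary = params.get('boundary', '')
    if not 1 <= len(boundary) <= 70:        # RFC 2046 limits boundaries to 70 chars
        raise ValueError('missing or over-long boundary')
    return boundary

def strict_boundary(header):
    """Hypothetical brittle parser: expects boundary to be the first parameter."""
    first = header.split(';')[1].strip()
    if not first.startswith('boundary='):
        raise ValueError('unexpected parameter: ' + first)
    return first[len('boundary='):]
```

The tolerant parser returns the same boundary for both headers, while the brittle one fails on the charset form, which is the kind of interoperability break the commit sidesteps by sending only `boundary`.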