dxbjavid opened a new pull request, #845:
URL: https://github.com/apache/httpcomponents-client/pull/845

   In EXTENDED mode the RFC 7578 writer builds the Content-Disposition line 
itself rather than going through MimeField.getBody(), and for parameters other 
than filename (in practice the form field name) it writes the value straight 
out with no quoting. So a field name that contains a double quote or a CR/LF 
ends up breaking out of the quoted string and injecting extra header lines into 
the part, which matters when the name comes from somewhere untrusted. The 
STRICT and LEGACY writers already avoid this because they escape quotes and 
strip line breaks; this just brings the RFC 7578 path in line by 
backslash-escaping quotes and replacing line breaks the same way. Added a small 
regression test in HttpRFC7578MultipartTest covering a name with an embedded 
quote and CRLF.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
