[ https://issues.apache.org/jira/browse/WW-4818?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16099727#comment-16099727 ]
Stefaan Dutry commented on WW-4818:
-----------------------------------

Would the following regex be sufficient?
(Keeping the characters in the order of the RFC spec and removing all unnecessary character escaping)

{code:none|title=regex}
^multipart/form-data(; boundary=[0-9a-zA-Z'()+,\-./:=?]{1,70})?
{code}

or in the Java code:

{code:java|title=org.apache.struts2.dispatcher.Dispatcher (line 91)}
public static final String MULTIPART_FORM_DATA_REGEX = "^multipart/form-data(; boundary=[0-9a-zA-Z'()+,\\-./:=?]{1,70})?";
{code}

> Default Multipart validation regex is invalid
> ---------------------------------------------
>
>                 Key: WW-4818
>                 URL: https://issues.apache.org/jira/browse/WW-4818
>             Project: Struts 2
>          Issue Type: Bug
>    Affects Versions: 2.5.12
>            Reporter: adam brin
>             Fix For: 2.5.13
>
>
> 2.5.12 introduced a regex match for multipart requests. The default regex
> used, however, is significantly too strict based on the RFC, as well as common
> practice. Specifically, at minimum, it needs to include the *hyphen* and
> more likely needs to support all of the fields defined by the RFC
> (https://www.w3.org/Protocols/rfc1341/7_2_Multipart.html).
> {quote}bcharsnospace := DIGIT / ALPHA / "'" / "(" / ")" / "+" / "_" / "," /
> "-" / "." / "/" / ":" / "=" / "?"{quote}
> In basic testing, we've seen:
> {code} Content-Type: multipart/form-data;
> boundary=BRKIypZ3Stvuclu7C-CTbP2fNljGAOVk[\r][\n]{code} (generated by the
> Apache HttpClient)
> and
> {code}multipart/form-data;
> boundary=----WebKitFormBoundaryZGDtABnGWGozLAjh{code} (generated by Safari)

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
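The following check is an added example, not part of the original message or of the Struts code base: it runs the regex proposed in the comment above against the two header values reported in the issue and against every character of the `bcharsnospace` rule quoted there. The class name, the helper names and the use of full-match semantics (`Matcher.matches()`) are assumptions made for this example, and the edge-case inputs are constructed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class BoundaryRegexCheck {
    // Pattern exactly as proposed in the comment above.
    static final Pattern PROPOSED = Pattern.compile(
        "^multipart/form-data(; boundary=[0-9a-zA-Z'()+,\\-./:=?]{1,70})?");

    // Punctuation in bcharsnospace, from the RFC text quoted in the issue.
    static final String RFC_PUNCT = "'()+_,-./:=?";

    // Assumption: the whole header value must match (Matcher.matches()).
    static boolean accepts(String contentType) {
        return PROPOSED.matcher(contentType).matches();
    }

    // Every bcharsnospace character that the proposed character class rejects.
    static List<Character> rejectedRfcChars() {
        StringBuilder all = new StringBuilder(RFC_PUNCT);
        for (char c = '0'; c <= '9'; c++) all.append(c);
        for (char c = 'a'; c <= 'z'; c++) all.append(c).append(Character.toUpperCase(c));
        List<Character> rejected = new ArrayList<>();
        for (char c : all.toString().toCharArray()) {
            // Constructed probe: the character under test between two letters.
            if (!accepts("multipart/form-data; boundary=x" + c + "x")) rejected.add(c);
        }
        return rejected;
    }

    public static void main(String[] args) {
        // The two header values reported in the issue (Apache HttpClient, Safari).
        String[] reported = {
            "multipart/form-data; boundary=BRKIypZ3Stvuclu7C-CTbP2fNljGAOVk",
            "multipart/form-data; boundary=----WebKitFormBoundaryZGDtABnGWGozLAjh"
        };
        for (String h : reported) System.out.println(accepts(h) + "  " + h);

        // Constructed edge cases for the {1,70} bound and the fixed "; boundary=" form.
        StringBuilder b70 = new StringBuilder();
        for (int i = 0; i < 70; i++) b70.append('a');
        String base = "multipart/form-data; boundary=";
        System.out.println(accepts(base + b70) + "  70-character boundary");
        System.out.println(accepts(base + b70 + "a") + "  71-character boundary");
        System.out.println(accepts("multipart/form-data") + "  no boundary parameter");
        System.out.println(accepts("multipart/form-data;boundary=abc") + "  no space after ';'");

        System.out.println("RFC characters rejected: " + rejectedRfcChars());
    }
}
```

With the pattern as posted, both reported header values are accepted, and the only `bcharsnospace` character reported as rejected is `_`. Under full-match semantics the pattern also rejects any value that carries a further parameter after the boundary or omits the space after the semicolon.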