[
https://issues.apache.org/jira/browse/WW-4818?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16099727#comment-16099727
]
Stefaan Dutry commented on WW-4818:
-----------------------------------
Would the following regex be sufficient? (Keeping the characters in the order
of the RFC spec and removing all unnecessary character escaping)
{code:none|title=regex}
^multipart/form-data(; boundary=[0-9a-zA-Z'()+,\-./:=?]{1,70})?
{code}
or in the java code:
{code:java|title=org.apache.struts2.dispatcher.Dispatcher (line 91)}
public static final String MULTIPART_FORM_DATA_REGEX = "^multipart/form-data(;
boundary=[0-9a-zA-Z'()+,\\-./:=?]{1,70})?";
{code}
> Default Multipart validation regex is invalid
> ---------------------------------------------
>
> Key: WW-4818
> URL: https://issues.apache.org/jira/browse/WW-4818
> Project: Struts 2
> Issue Type: Bug
> Affects Versions: 2.5.12
> Reporter: adam brin
> Fix For: 2.5.13
>
>
> 2.5.12 introduced a regex matches for multipart requests. The default regex
> used, however is significantly too strict based on the RFC, as well as common
> practice. Specifically, at minimum, it needs to include the *hyphen* and
> more likely needs to support all of the fields defined by the RFC
> (https://www.w3.org/Protocols/rfc1341/7_2_Multipart.html).
> {quote}bcharsnospace := DIGIT / ALPHA / "'" / "(" / ")" / "+" / "_" / "," /
> "-" / "." / "/" / ":" / "=" / "?"{quote}
> In basic testing, we've seen:
> {code} Content-Type: multipart/form-data;
> boundary=BRKIypZ3Stvuclu7C-CTbP2fNljGAOVk[\r][\n]{code} (generated by the
> Apache HttpClient)
> and
> {code}multipart/form-data;
> boundary=----WebKitFormBoundaryZGDtABnGWGozLAjh{code} (generated by Safari)
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
