-
Notifications
You must be signed in to change notification settings - Fork 38.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Multipart boundary should strip quotes #26616
Comments
This is a non-compliant implementation of |
Hi @michael-o -- can you clarify your comment please? Are you suggesting a quoted boundary value should not be allowed? Based on the longstanding behavior of the .NET HttpClient it seems that it is legal, though uncommon. Or are you saying that the fix should be in the |
No, Iam not suggesting that: Here is how it should look like by the RFC: https://tools.ietf.org/html/rfc7231#appendix-C
When reading a paremeter |
OK, so we agree the current handling is not compliant with the spec then. :) I can take a crack at a PR for this over the weekend. |
@TomRK1089 No need for a PR, I'll pick this up. Unless it's already done, of course :). |
I believe that the fix is in the wrong place. It should have happened on the media type because many other media types us paremters as well and they are subject to this. |
You are right in theory, but such a change could break any application that depends on the current behavior of MediaType, including any subtypes. And that is not a change that I feel comfortable making for the 5.3.5 release. |
@poutsma Thank you! When do you think a new |
I think it’s out already, see https://repo.spring.io/snapshot/org/springframework/spring/5.3.5-SNAPSHOT/
|
This commit makes sure that quoted boundary parameters are supported in the DefaultPartHttpMessageReader. Closes spring-projectsgh-26616
Affects: 5.3.3
Library:
spring-web
Although uncommon, some HTTP clients will quote the multipart boundary value. This does appear to be acceptable based on a reading of the RFC. As a specific example, the .NET SDK's
HttpClient
class will generate a quoted UUID to use as the boundary:The problem is the codec shipped with
spring-web
does not handle this case:The code should check the
boundary
string to see if it starts and ends with an ASCII double-quote ("
). If so, it should strip them before creating the byte array to be used later.See #26615 which led to me discovering this issue.
The text was updated successfully, but these errors were encountered: