Date: Sun, 30 Jul 2017 10:02:00 +0000 (UTC)
From: "Lukasz Lenart (JIRA)"
To: issues@struts.apache.org
Reply-To: dev@struts.apache.org
Subject: [jira] [Resolved] (WW-4818) Default Multipart validation regex is invalid

     [ https://issues.apache.org/jira/browse/WW-4818?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lukasz Lenart resolved WW-4818.
-------------------------------
    Resolution: Fixed

> Default Multipart validation regex is invalid
> ---------------------------------------------
>
>                 Key: WW-4818
>                 URL: https://issues.apache.org/jira/browse/WW-4818
>             Project: Struts 2
>          Issue Type: Bug
>    Affects Versions: 2.5.12
>            Reporter: adam brin
>             Fix For: 2.5.13
>
>
> 2.5.12 introduced a regex match for multipart requests. The default regex used, however, is significantly too strict based on the RFC, as well as common practice. Specifically, at minimum, it needs to include the *hyphen* and more likely needs to support all of the fields defined by the RFC (https://www.w3.org/Protocols/rfc1341/7_2_Multipart.html).
> {quote}bcharsnospace := DIGIT / ALPHA / "'" / "(" / ")" / "+" / "_" / "," / "-" / "." / "/" / ":" / "=" / "?"{quote}
> In basic testing, we've seen:
> {code} Content-Type: multipart/form-data; boundary=BRKIypZ3Stvuclu7C-CTbP2fNljGAOVk[\r][\n]{code} (generated by the Apache HttpClient)
> and
> {code}multipart/form-data; boundary=----WebKitFormBoundaryZGDtABnGWGozLAjh{code} (generated by Safari)

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
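
The mismatch the report describes, as an added example that is not part of the original message or of the Struts code base: a Content-Type check built from the quoted `bcharsnospace` set, run beside an alphanumeric-only rule over the two reported header values. The `STRICT` pattern is a hypothetical stand-in (the actual Struts default is not quoted in the message), and the class name, helper name and the last two sample headers are constructed for illustration.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class BoundaryCheck {
    // Hypothetical strict rule (letters and digits only). It stands in for the
    // default the report calls too strict; the actual Struts regex is not on this page.
    static final Pattern STRICT =
        Pattern.compile("^multipart/form-data; boundary=[a-zA-Z0-9]{1,70}$");

    // bcharsnospace exactly as quoted from the RFC in the report.
    static final String BCNS = "0-9A-Za-z'()+_,\\-./:=?";

    // RFC 1341: boundary := 0*69<bchars> bcharsnospace; bchars := bcharsnospace / " ".
    // Group 1 is a quoted boundary (may contain spaces, must not end in one),
    // group 2 an unquoted one.
    static final Pattern RFC = Pattern.compile(
        "^multipart/form-data\\s*;\\s*boundary=(?:"
            + "\"([" + BCNS + " ]{0,69}[" + BCNS + "])\""
            + "|([" + BCNS + "]{1,70}))$",
        Pattern.CASE_INSENSITIVE);

    /** Returns the boundary if the header satisfies the RFC grammar, else null. */
    static String rfcBoundary(String contentType) {
        Matcher m = RFC.matcher(contentType.trim());
        if (!m.matches()) {
            return null;
        }
        return m.group(1) != null ? m.group(1) : m.group(2);
    }

    public static void main(String[] args) {
        String[] headers = {
            // The two values reported in the issue (line terminator dropped).
            "multipart/form-data; boundary=BRKIypZ3Stvuclu7C-CTbP2fNljGAOVk",
            "multipart/form-data; boundary=----WebKitFormBoundaryZGDtABnGWGozLAjh",
            // Constructed: a quoted boundary, and one with characters outside the grammar.
            "multipart/form-data; boundary=\"simple boundary\"",
            "multipart/form-data; boundary=abc{def}",
        };
        for (String h : headers) {
            boolean strict = STRICT.matcher(h).matches();
            String b = rfcBoundary(h);
            System.out.printf("strict=%-5b rfc=%-5b boundary=%s%n", strict, b != null, b);
        }
    }
}
```

Both reported values fail the alphanumeric-only rule solely because of their hyphens, while the RFC-derived class accepts them and still rejects characters outside the grammar.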