Skip to content

Non-compliant Content-Type header for multipart media types #25885

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
rcgardne opened this issue Oct 8, 2020 · 2 comments
Closed

Non-compliant Content-Type header for multipart media types #25885

rcgardne opened this issue Oct 8, 2020 · 2 comments
Assignees
@poutsma
Labels
in: web Issues in web modules (web, webmvc, webflux, websocket) type: bug A general bug
Milestone
5.3.2

Comments

@rcgardne
Copy link

rcgardne commented Oct 8, 2020
edited
Loading

Affects: 5.x

The org.springframework.http.codec.multipart package contains various methods for building a Content-Type header for multipart media types. The default method produces a header with the following format:

"multipart/{sub-type};boundary={boundary};charset={charset|UTF-8}"

However, RFC7578 specifies only a required parameter of boundary and optional parameters as none. Hence, the addition of a charset parameter is not strictly in accordance with RCF7578. Robust server implementations should ignore this parameter, but some do not (in my case, civetweb), causing request failures. Here are the relevant framework versions and code locations causing the problems:

I'd like to hear concerns - is removing charset for multipart requests appropriate?
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged or decided on label Oct 8, 2020
@poutsma poutsma self-assigned this Nov 6, 2020
@poutsma poutsma added in: web Issues in web modules (web, webmvc, webflux, websocket) type: bug A general bug and removed status: waiting-for-triage An issue we've not yet triaged or decided on labels Nov 16, 2020
@poutsma poutsma added this to the 5.3.2 milestone Nov 16, 2020
@rstoyanchev
Copy link
Contributor

From previous investigations on charsets and multipart requests, there is a lot of history, multiple specs and and behaviors.

In that context one possible concern is whether existing applications rely on this behavior (right or wrong). For example whether a request prepared with the MultipartHttpMessageWriter that customizes the charset to use, say for multipart headers, would be successfully interpreted by a server side app using Standard Servlet multiple parsing (e.g. Tomcat and Jetty) or Apache Commons FileUpload.

poutsma added a commit to poutsma/spring-framework that referenced this issue Nov 23, 2020
@poutsma
Only write non-default charset in MultipartWriterSupport
f230624 
This commit only writes the 'charset' parameter in the written headers
if it is non-default (not UTF-8), since RFC7578 states that the only
allowed parameter is 'boundary'.

Closes spring-projectsgh-25885
@poutsma
Copy link
Contributor

poutsma commented Nov 24, 2020

Solved by only adding the charset parameter if it is non-standard (i.e. not UTF-8 or ASCII).

@sync-by-unito sync-by-unito bot mentioned this issue Dec 10, 2020
Merged
@ijakus ijakus mentioned this issue Dec 16, 2020
Closed
poutsma added a commit that referenced this issue Jan 8, 2021
@poutsma
Only write non-default charset in FormHttpMessageConverter
ce1ae2f 
This commit only writes the 'charset' parameter in the written headers
if it is non-default (not UTF-8), since RFC7578 states that the only
allowed parameter is 'boundary'.

See gh-25885
Closes gh-26290
@rstoyanchev rstoyanchev mentioned this issue Jan 27, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@poutsma poutsma

Labels
in: web Issues in web modules (web, webmvc, webflux, websocket) type: bug A general bug
Projects
None yet
Milestone
5.3.2
Development

No branches or pull requests
4 participants
@poutsma @rstoyanchev @spring-projects-issues @rcgardne