Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Multipart boundary should strip quotes #26616

Closed
Thorn1089 opened this issue Feb 26, 2021 · 9 comments
Closed

Multipart boundary should strip quotes #26616

Thorn1089 opened this issue Feb 26, 2021 · 9 comments
Assignees
@poutsma
Labels
in: web Issues in web modules (web, webmvc, webflux, websocket) type: bug A general bug
Milestone
5.3.5

Comments

@Thorn1089
Copy link

Thorn1089 commented Feb 26, 2021
edited
Loading

Affects: 5.3.3
Library: spring-web

Although uncommon, some HTTP clients will quote the multipart boundary value. This does appear to be acceptable based on a reading of the RFC. As a specific example, the .NET SDK's HttpClient class will generate a quoted UUID to use as the boundary:

POST /foo HTTP/1.1
Content-Type: multipart/form-data; boundary="7e296554-91ca-4075-ada1-c72043296dd7"
Host: foo.bar.example
Content-Length: <snip>
Expect: 100-continue

--7e296554-91ca-4075-ada1-c72043296dd7
Content-Type: text/plain; charset=utf-8
Content-Disposition: form-data; name=Foo

BAR
--7e296554-91ca-4075-ada1-c72043296dd7--

The problem is the codec shipped with spring-web does not handle this case:

	@Nullable
	private static byte[] boundary(HttpMessage message) {
		MediaType contentType = message.getHeaders().getContentType();
		if (contentType != null) {
			String boundary = contentType.getParameter("boundary");
			if (boundary != null) {
				return boundary.getBytes(StandardCharsets.ISO_8859_1);
			}
		}
		return null;
	}

The code should check the boundary string to see if it starts and ends with an ASCII double-quote ("). If so, it should strip them before creating the byte array to be used later.

See #26615 which led to me discovering this issue.
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged or decided on label Feb 26, 2021
@michael-o
Copy link

This is a non-compliant implementation of MediaType where no difference is made between token and quoted string.

@Thorn1089
Copy link
Author

Hi @michael-o -- can you clarify your comment please?

Are you suggesting a quoted boundary value should not be allowed? Based on the longstanding behavior of the .NET HttpClient it seems that it is legal, though uncommon.

Or are you saying that the fix should be in the MediaType class to consistently unquote parameters? That does seem to be how the quality parameter (q) is treated, looking at the code.

@michael-o
Copy link

No, Iam not suggesting that: Here is how it should look like by the RFC: https://tools.ietf.org/html/rfc7231#appendix-C

     quoted-string = <quoted-string, see [RFC7230], Section 3.2.6>
     token         = <token, see [RFC7230], Section 3.2.6>

When reading a paremeter MediaType must handle both cases. The quoted string has it purpose to contain characters token cannot contain. I dealing with this in multipart/related. Same rules apply here.

@Thorn1089
Copy link
Author

OK, so we agree the current handling is not compliant with the spec then. :)

I can take a crack at a PR for this over the weekend.

@poutsma poutsma self-assigned this Mar 1, 2021
@poutsma
Copy link
Contributor

poutsma commented Mar 1, 2021

@TomRK1089 No need for a PR, I'll pick this up. Unless it's already done, of course :).

@poutsma poutsma added in: web Issues in web modules (web, webmvc, webflux, websocket) type: bug A general bug and removed status: waiting-for-triage An issue we've not yet triaged or decided on labels Mar 1, 2021
@poutsma poutsma added this to the 5.3.5 milestone Mar 1, 2021
@poutsma poutsma closed this as completed in 1a79c54 Mar 1, 2021
@michael-o
Copy link

I believe that the fix is in the wrong place. It should have happened on the media type because many other media types us paremters as well and they are subject to this.

@poutsma
Copy link
Contributor

poutsma commented Mar 1, 2021

I believe that the fix is in the wrong place. It should have happened on the media type because many other media types us paremters as well and they are subject to this.

You are right in theory, but such a change could break any application that depends on the current behavior of MediaType, including any subtypes. And that is not a change that I feel comfortable making for the 5.3.5 release.

@Thorn1089
Copy link
Author

@poutsma Thank you! When do you think a new SNAPSHOT build will go out for the library? I'm comfortable adding the Spring snapshot repos in the short term to get this fix into my application.

@poutsma
Copy link
Contributor

poutsma commented Mar 1, 2021 via email

This was referenced Mar 16, 2021
Closed
Closed
Closed
Merged
Closed
Closed
Open
Closed
Open
Open
Closed
Merged
Closed
Merged
This was referenced Mar 17, 2021
Closed
Closed
Closed
Merged
Open
Closed
Merged
Closed
Closed
Closed
Merged
Closed
Closed
Merged
Merged
Merged
Merged
Open
Open
Open
Closed
Open
Open
Open
Closed
Closed
Closed
@poutsma poutsma mentioned this issue Mar 24, 2021
Closed
lxbzmy pushed a commit to lxbzmy/spring-framework that referenced this issue Mar 26, 2022
@poutsma @lxbzmy
Support quoted boundary in DefaultPartHttpMessageReader
735e193 
This commit makes sure that quoted boundary parameters are supported in
the DefaultPartHttpMessageReader.

Closes spring-projectsgh-26616
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@poutsma poutsma

Labels
in: web Issues in web modules (web, webmvc, webflux, websocket) type: bug A general bug
Projects
None yet
Milestone
5.3.5
Development

No branches or pull requests
4 participants
@poutsma @michael-o @Thorn1089 @spring-projects-issues