Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

mime/multipart: SetBoundary validation is overly restrictive #18768

Closed
mgoldsmi opened this issue Jan 24, 2017 · 4 comments
Closed

mime/multipart: SetBoundary validation is overly restrictive #18768

mgoldsmi opened this issue Jan 24, 2017 · 4 comments
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done.
Milestone
Go1.9

Comments

@mgoldsmi
Copy link

mgoldsmi commented Jan 24, 2017
edited

Please answer these questions before submitting your issue. Thanks!

What version of Go are you using (go version)?

go version go1.7.4 linux/amd64

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/mgoldsmi/golang/terraform"
GORACE=""
GOROOT="/usr/local/go"
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
CC="gcc"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build636760827=/tmp/go-build"
CXX="g++"
CGO_ENABLED="1"

What did you do?

Setting the boundary of a mime/multipart Writer to the following value "Encrypted Boundary" failed due to the space character. A space is allowed by the MIME standard in all but the final character of the boundary (RFC 2046 https://www.ietf.org/rfc/rfc2046.txt, section 5.1.1, p22) however the standard library prohibits it anywhere in the boundary.

This particular MIME boundary setting is mandated by the Microsoft Web Services Management Protocol Extensions for Windows Vista protocol (https://msdn.microsoft.com/en-us/library/cc251526.aspx).

Sample application demonstrating fault

package main

import (
        "bytes"
        "log"
        "mime/multipart"
)

func main() {
        const multipartBoundary = "Encrypted Boundary"

        ntlmBody := bytes.Buffer{}
        ntlmBodyWriter := multipart.NewWriter(&ntlmBody)
        if err := ntlmBodyWriter.SetBoundary(multipartBoundary); err != nil {
                log.Printf("Failed to set boundary: %v", err)
        }
}

What did you expect to see?

Expected to see boundary to be set with no error.

What did you see instead?

$ ./multipart-boundary
2017/01/23 21:59:35 Failed to set boundary: mime: invalid boundary character
@bradfitz bradfitz added this to the Go1.9 milestone Jan 24, 2017
@bradfitz bradfitz added the NeedsFix The path to resolution is known, but the work has not been done. label Jan 24, 2017
@skinp
Copy link
Contributor

skinp commented Jan 26, 2017

I'll work on this if @mgoldsmi isn't already at it...

@bradfitz
Copy link
Contributor

There is already https://golang.org/cl/35507

@skinp
Copy link
Contributor

skinp commented Jan 26, 2017
edited

Cool, the issue didn't link I guess.

Reading the RFC while looking into this, I realized the boundary length was also wrong...

the boundary parameter, which consists of 1 to 70 characters from a set of characters

boundary := 0*69<bchars> bcharsnospace

New issue?

@gopherbot
Copy link

CL https://golang.org/cl/35507 mentions this issue.

@skinp skinp mentioned this issue Jan 26, 2017
Closed
@golang golang locked and limited conversation to collaborators May 23, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done.
Projects
None yet
Milestone
Go1.9
Development

No branches or pull requests
4 participants
@bradfitz @skinp @gopherbot @mgoldsmi