Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

mime: ParseMediaType rejects valid boundaries #26521

Closed
crawshaw opened this issue Jul 21, 2018 · 3 comments
Closed

mime: ParseMediaType rejects valid boundaries #26521

crawshaw opened this issue Jul 21, 2018 · 3 comments
Labels
FrozenDueToAge

Comments

@crawshaw
Copy link
Member 

contentType := "multipart/alternative; boundary=(boundary)"
_, _, err := mime.ParseMediaType(contentType)

// err = mime: invalid media parameter

https://play.golang.org/p/tC-Ri26iiTo

Looking at RFC 2046, parentheses are valid boundary characters:

boundary := 0*69<bchars> bcharsnospace
bchars := bcharsnospace / " "
bcharsnospace := DIGIT / ALPHA / "'" / "(" / ")" /
                 "+" / "_" / "," / "-" / "." /
                 "/" / ":" / "=" / "?"

https://tools.ietf.org/html/rfc2046#section-5.1.1:

Indeed, the SetBoundary function in the multipart package checks the boundary is valid, and explicitly lets '(' and ')' pass through.

If someone else double-checks my work and confirms this is a bug, I'm happy to fix it.
@FMNSSun
Copy link

FMNSSun commented Jul 21, 2018
edited

RFC 2045 mentions:

token := 1*<any (US-ASCII) CHAR except SPACE, CTLs,
                 or tspecials>

     tspecials :=  "(" / ")" / "<" / ">" / "@" /
                   "," / ";" / ":" / "\" / <">
                   "/" / "[" / "]" / "?" / "="
                   ; Must be in quoted-string,
                   ; to use within parameter values

according to RFC2045 special characters are only allowed within quoted-strings. RFC2046 even warns about this:

The grammar for parameters on the Content-
   type field is such that it is often necessary to enclose the boundary
   parameter values in quotes on the Content-type line.  This is not
   always necessary, but never hurts.

@crawshaw
Copy link
Member Author

Thanks @FMNSSun. Closing as not-a-bug.

@FMNSSun
Copy link

FMNSSun commented Jul 21, 2018

Although it looks like there's not always quotes added in the multipart package:

// FormDataContentType returns the Content-Type for an HTTP
// multipart/form-data with this Writer's Boundary.
func (w *Writer) FormDataContentType() string {
	return "multipart/form-data; boundary=" + w.boundary
}

So it might be that FormDataContentType returns invalid parameters according to RFC 2045? Might be worth re-opening (maybe another issue) and someone else have a look at this because I'm just a random person on the internet.

@FMNSSun FMNSSun mentioned this issue Jul 22, 2018
Closed
@golang golang locked and limited conversation to collaborators Jul 21, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@FMNSSun @crawshaw @gopherbot