Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

mime/multipart: FormDataContentType doesn't properly use quoted-string #26532

Closed
FMNSSun opened this issue Jul 22, 2018 · 4 comments
Closed

mime/multipart: FormDataContentType doesn't properly use quoted-string #26532

FMNSSun opened this issue Jul 22, 2018 · 4 comments
Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone
Go1.12

Comments

@FMNSSun
Copy link

FMNSSun commented Jul 22, 2018
edited

I've noticed this while digging into #26521 but afaict ParseMediaType behaves correctly according to RFC 2045 but the FormDataContentType doesn't return quoted-string. The function mentions that it formats according to Content-Type header but RFC 2616 Sect. 2.2 also excludes special characters
for use in token and must be part of a quoted-string as well.

What version of Go are you using (go version)?

go 1.10.3

Does this issue reproduce with the latest release?

Yes.

What did you do?

package main

import (
	"mime/multipart"
	"mime"
	"os"
	"fmt"
)

func main() {
	w := multipart.NewWriter(os.Stdout)
	err := w.SetBoundary("(boundary)")
	fmt.Println(err)
	ct := w.FormDataContentType()
	_, _, err = mime.ParseMediaType(ct)
	fmt.Println(ct, err)
}

(https://play.golang.org/p/5ZPC_EGHODn)

What did you expect to see?

multipart/form-data; boundary="(boundary)"

What did you see instead?

multipart/form-data; boundary=(boundary)

Which according to RFC 2045 and RFC 2616 is illegal as ( belongs to special characters that are only allowed in quoted-strings.
@agnivade
Copy link
Contributor

/cc @bradfitz @minux

@agnivade agnivade added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Jul 22, 2018
@FMNSSun
Copy link
Author

FMNSSun commented Jul 23, 2018

Also, the boundary needs to be properly escaped when put into a quoted-string (\ is a valid boundary character as well).

@bradfitz bradfitz added this to the Go1.12 milestone Jul 23, 2018
@ianlancetaylor
Copy link
Contributor

@FMNSSun As far as I can tell from RFC 2046, \ is not a valid boundary character.

boundary := 0*69<bchars> bcharsnospace

bcharsnospace := DIGIT / ALPHA / "'" / "(" / ")" /
                      "+" / "_" / "," / "-" / "." /
                      "/" / ":" / "=" / "?"

And indeed \ is not accepted by multipart.Writer.SetBoundary.

It doesn't seem that any additional quoting is needed for the boundary string.

@gopherbot
Copy link

Change https://golang.org/cl/154120 mentions this issue: mime/multipart: quote boundary in Content-Type if necessary

@golang golang locked and limited conversation to collaborators Dec 14, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Projects
None yet
Milestone
Go1.12
Development

No branches or pull requests
5 participants
@bradfitz @FMNSSun @agnivade @ianlancetaylor @gopherbot