New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
mime/multipart: parsing error with embedded multipart #46042
Comments
Change https://golang.org/cl/338549 mentions this issue: |
Summarizing comment on https://golang.org/cl/338549: By my reading of RFC 2046 section 5.1.1 a boundary delimiter must consist of the boundary parameter, either the string "--" or 0-2 characters of linear whitespace, and a newline. Currently, |
Reading RFC 2046 more closely, in particular the BNF in section 5.1.1, I'm now unconvinced that it is valid for an embedded multipart part to use a boundary that has the outer boundary as a prefix. (e.g., outer part has boundary="foo", embedded part has boundary "foo-sub".) The relevant part of the BNF is:
This clearly states that the delimiter must not appear in a body part. If the delimiter is "\r\n--foo", then an embedded multipart part cannot use "\r\n--foo-sub" as a delimiter without violating this restriction. |
The supporting text in 5.1 says
and 5.1.1
Which seems pretty clear that using a prefix for the outer boundary is invalid |
Indeed I missed that in the RFC. That said, this part of the RFC seems not to be really followed, as in the issue #10616. |
As a data point, the Python 3 MIME parser accepts invalid multipart bodies in which the boundary delimiter appears within the body. I haven't checked any other implementations, but it wouldn't surprise me if others accept this as well. #10616 is another case where |
What version of Go are you using (
go version
)?Does this issue reproduce with the latest release?
Yes
What operating system and processor architecture are you using (
go env
)?go env
OutputWhat did you do?
I defined an embedded multipart inside the main multipart. But they have the same prefix, followed by a dash for the embedded multipart. ("foo" and "foo-sub")
https://play.golang.org/p/HlZiGseSb4b
What did you expect to see?
All parts of the main multipart.
Part "A": "--foo-sub\nFoo: A1\n\nSubcontent 1\n\n--foo-sub\nFoo: A2\n\nSubcontent 2\n\n--foo-sub--\n"
Part "B": "Content 2\n"
What did you see instead?
Part "A": ""
2009/11/10 23:00:00 multipart: unexpected line in Next(): "--foo-sub\n"
Note
On the func matchAfterPrefix at https://github.com/golang/go/blob/master/src/mime/multipart/multipart.go#L281, maybe we shouldn't consider only one '-' as end marker of dash-boundary-dash?
The text was updated successfully, but these errors were encountered: