From 68d52dbe42aebc8e24379ebfaf4f306dd261b91c Mon Sep 17 00:00:00 2001
From: Stefaan Dutry
Date: Tue, 25 Jul 2017 13:05:07 +0200
Subject: [PATCH 1/2] WW-4818 change default Multipart validation regex to comply with RFC1341
---
 .../src/main/java/org/apache/struts2/dispatcher/Dispatcher.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/src/main/java/org/apache/struts2/dispatcher/Dispatcher.java b/core/src/main/java/org/apache/struts2/dispatcher/Dispatcher.java
index 55707a4be8..97e2149215 100644
--- a/core/src/main/java/org/apache/struts2/dispatcher/Dispatcher.java
+++ b/core/src/main/java/org/apache/struts2/dispatcher/Dispatcher.java
@@ -88,7 +88,7 @@ public class Dispatcher {
 */
 public static final String REQUEST_POST_METHOD = "POST";
 
- public static final String MULTIPART_FORM_DATA_REGEX = "^multipart\\/form-data(; boundary=[\\-a-zA-Z0-9]{1,70})?";
+ public static final String MULTIPART_FORM_DATA_REGEX = "^multipart/form-data(; boundary=[0-9a-zA-Z'()+_,\\-./:=?]{1,70})?";
 
 /**
 * Provide a thread local instance.
From bbbe2a80356811ff4dbaa99da2417a067eb614cc Mon Sep 17 00:00:00 2001
From: Stefaan Dutry
Date: Tue, 25 Jul 2017 14:30:07 +0200
Subject: [PATCH 2/2] WW-4818 added a couple of simple tests for MULTIPART_FORM_DATA_REGEX
---
 .../struts2/dispatcher/DispatcherTest.java | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
diff --git a/core/src/test/java/org/apache/struts2/dispatcher/DispatcherTest.java b/core/src/test/java/org/apache/struts2/dispatcher/DispatcherTest.java
index 0f430de55e..4f043cb7ba 100644
--- a/core/src/test/java/org/apache/struts2/dispatcher/DispatcherTest.java
+++ b/core/src/test/java/org/apache/struts2/dispatcher/DispatcherTest.java
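Review bot: In Dispatcher.java, the new `MULTIPART_FORM_DATA_REGEX` keeps the leading `^` but has no `$`, so how strict this allow-list is depends on every caller applying it with `Matcher.matches()`; under `find()` or `lookingAt()` the optional boundary group would accept any value that merely starts with `multipart/form-data`. The call site is not in this hunk, so which one is used cannot be confirmed from here; anchoring the constant itself removes the dependency: `"^multipart/form-data(; boundary=[0-9a-zA-Z'()+_,\\-./:=?]{1,70})?$"`. The constant also has no Javadoc; a comment such as `/** Content-Type values accepted for multipart parsing; the boundary class is the RFC 1341 bcharsnospace set, 1 to 70 characters. */` would tell maintainers why each character is allowed and that widening it widens what reaches the multipart parser. The enclosing class starts and ends outside the hunk.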
@@ -146,6 +146,32 @@ public void testPrepareMultipartRequest() throws Exception {
 assertTrue(wrapped instanceof MultiPartRequestWrapper);
 }
 
+ public void testPrepareMultipartRequestAllAllowedCharacters() throws Exception {
+ MockHttpServletRequest req = new MockHttpServletRequest();
+ MockHttpServletResponse res = new MockHttpServletResponse();
+
+ req.setMethod("post");
+ req.setContentType("multipart/form-data; boundary=01=23a.bC:D((e)d'z?p+o_r,e-");
+ Dispatcher du = initDispatcher(Collections.emptyMap());
+ du.prepare(req, res);
+ HttpServletRequest wrapped = du.wrapRequest(req);
+
+ assertTrue(wrapped instanceof MultiPartRequestWrapper);
+ }
+
+ public void testPrepareMultipartRequestIllegalCharacter() throws Exception {
+ MockHttpServletRequest req = new MockHttpServletRequest();
+ MockHttpServletResponse res = new MockHttpServletResponse();
+
+ req.setMethod("post");
+ req.setContentType("multipart/form-data; boundary=01=2;3a.bC:D((e)d'z?p+o_r,e-");
+ Dispatcher du = initDispatcher(Collections.emptyMap());
+ du.prepare(req, res);
+ HttpServletRequest wrapped = du.wrapRequest(req);
+
+ assertFalse(wrapped instanceof MultiPartRequestWrapper);
+ }
+
 public void testDispatcherListener() throws Exception {
 final DispatcherListenerState state = new DispatcherListenerState();
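Review bot: The only negative case, `testPrepareMultipartRequestIllegalCharacter`, pins a single rejected character (`;`), so the `{1,70}` length limit of the pattern is not covered even though the pattern decides which requests are handed to the multipart parser. I would add a case with a 71-character boundary that must not be wrapped, and a matching 70-character case that must be. The expected rejection assumes the pattern is applied as a full match, which the existing `assertFalse` in the illegal-character test already implies but this hunk does not show. `testDispatcherListener` continues outside the hunk.

```java
// … unchanged: testPrepareMultipartRequestAllAllowedCharacters, testPrepareMultipartRequestIllegalCharacter …

    public void testPrepareMultipartRequestBoundaryTooLong() throws Exception {
        MockHttpServletRequest req = new MockHttpServletRequest();
        MockHttpServletResponse res = new MockHttpServletResponse();

        // constructed sample: 71 characters, one more than the {1,70} limit
        StringBuilder boundary = new StringBuilder();
        for (int i = 0; i < 71; i++) {
            boundary.append('a');
        }

        req.setMethod("post");
        req.setContentType("multipart/form-data; boundary=" + boundary);
        Dispatcher du = initDispatcher(Collections.emptyMap());
        du.prepare(req, res);
        HttpServletRequest wrapped = du.wrapRequest(req);

        assertFalse(wrapped instanceof MultiPartRequestWrapper);
    }
```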