Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[TIMOB-18341] Fix malformed Content-Type error with modsecurity #19

Merged
merged 1 commit into from Feb 5, 2015
Merged

[TIMOB-18341] Fix malformed Content-Type error with modsecurity #19

merged 1 commit into from Feb 5, 2015

Conversation

itsbrnrd
Copy link
Contributor

While working on a Titanium iOS application (SDK 3.4.0.GA which uses APSHTTPClient under the hood), I couldn't upload a picture to our backend which uses modsecurity. The upload request was rejected by modsecurity and the following error appeared in the logs:

Multipart parsing error (init): Multipart: Invalid boundary in C-T (malformed).

I looked into APSHTTPClient and saw that the header was created as follow:

[self addHeaderKey:@"Content-Type" andHeaderValue:[NSString stringWithFormat:@"multipart/form-data; charset=%@; boundary=%@", charset, boundry]];

http://www.w3.org/Protocols/rfc1341/7_2_Multipart.html gives a simple multi-part example:

     From: Nathaniel Borenstein <nsb@bellcore.com> 
     To:  Ned Freed <ned@innosoft.com> 
     Subject: Sample message 
     MIME-Version: 1.0 
     Content-type: multipart/mixed; boundary="simple
     boundary"

     This is the preamble.  It is to be ignored, though it 
     is a handy place for mail composers to include an 
     explanatory note to non-MIME compliant readers. 
     --simple boundary 

     This is implicitly typed plain ASCII text. 
     It does NOT end with a linebreak. 
     --simple boundary 
     Content-type: text/plain; charset=us-ascii

     This is explicitly typed plain ASCII text. 
     It DOES end with a linebreak. 

     --simple boundary-- 
     This is the epilogue.  It is also to be ignored.

The reason modsecurity rejected the request is because the Content-Type multipart/data format requires a parameter boundary immediately after the subtype. It doesn't expect anything other than the boundary header (except space and ;).

It must be Content-Type: multipart/form-data; boundary=0xTibOuNdArY_1234567890 in order to work with modsecurity.

The charset part has been moved inside each part block.

@jhaynie
Copy link
Contributor

jhaynie commented Dec 30, 2014

thanks for your PR. @ingo can we get a CLA signed for this?

@ingo
Copy link
Contributor

ingo commented Jan 7, 2015

@itsbrnrd Thank you for your contribution. Could you please sign the CLA here? https://cla.appcelerator.com

@itsbrnrd
Copy link
Contributor Author

itsbrnrd commented Jan 7, 2015

Done.
Everything should be all right now.

@ingo ingo changed the title Fix malformed Content-Type error with modsecurity [TIMOB-18341] Fix malformed Content-Type error with modsecurity Jan 7, 2015
@ingo
Copy link
Contributor

ingo commented Jan 7, 2015

Jira ticket is here: https://jira.appcelerator.org/browse/TIMOB-18341. We'll pull this in soon.

@pec1985
Copy link
Contributor

pec1985 commented Feb 5, 2015

PR test and reviewed. APPROVED!

Thanks @itsbrnrd

pec1985 added a commit that referenced this pull request Feb 5, 2015
@pec1985
Merge pull request #19 from itsbrnrd/modsecurity-ct-malformed
ae2c0d3 
[TIMOB-18341] Fix malformed Content-Type error with modsecurity
@pec1985 pec1985 merged commit ae2c0d3 into tidev:master Feb 5, 2015
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@itsbrnrd @jhaynie @ingo @pec1985