mime/multipart: FormDataContentType doesn't properly use quoted-string #26532

Open
FMNSSun opened this Issue Jul 22, 2018 · 2 comments

FMNSSun commented Jul 22, 2018

I've noticed this while digging into #26521 but afaict ParseMediaType behaves correctly according to RFC 2045 but the FormDataContentType doesn't return quoted-string. The function mentions that it formats according to Content-Type header but RFC 2616 Sect. 2.2 also excludes special characters for use in token and must be part of a quoted-string as well.

What version of Go are you using (go version)?

go 1.10.3

Does this issue reproduce with the latest release?

Yes.

What did you do?

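```go
package main

import (
	"fmt"
	"mime"
	"mime/multipart"
	"os"
)

func main() {
	w := multipart.NewWriter(os.Stdout)
	// "(" and ")" are accepted by SetBoundary, so err is nil here.
	err := w.SetBoundary("(boundary)")
	fmt.Println(err)
	// Build the Content-Type header value for this writer.
	ct := w.FormDataContentType()
	// Feed the generated header back through the package's own parser.
	_, _, err = mime.ParseMediaType(ct)
	fmt.Println(ct, err)
}
```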

(https://play.golang.org/p/5ZPC_EGHODn)

What did you expect to see?

multipart/form-data; boundary="(boundary)"

What did you see instead?

multipart/form-data; boundary=(boundary)

Which according to RFC 2045 and RFC 2616 is illegal as ( belongs to special characters that are only allowed in quoted-strings.

agnivade commented Jul 22, 2018

FMNSSun commented Jul 23, 2018

Also, the boundary needs to be properly escaped when put into a quoted-string (\ is a valid boundary character as well).

bradfitz added this to the Go1.12 milestone Jul 23, 2018
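The quoting and escaping discussed in this thread, as an added example that is not code from the issue or from the Go project: it round-trips boundaries through `mime.ParseMediaType`, comparing the unquoted form from the report with a quoted-string form. The helper names (`unquotedContentType`, `quotedContentType`, `parsedBoundary`) and the sample boundaries other than `(boundary)` are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"mime"
	"strings"
)

// tspecials as listed in RFC 2045: a parameter value containing any of these
// (or a space) is not a token and must be sent as a quoted-string.
const tspecials = `()<>@,;:\"/[]?=`

// unquotedContentType reproduces the output reported in the issue.
func unquotedContentType(boundary string) string {
	return "multipart/form-data; boundary=" + boundary
}

// quotedContentType is a hypothetical helper, not part of mime/multipart.
// It quotes the boundary when needed and escapes `\` and `"` inside it.
func quotedContentType(boundary string) string {
	if strings.ContainsAny(boundary, tspecials+" ") {
		esc := strings.NewReplacer(`\`, `\\`, `"`, `\"`).Replace(boundary)
		boundary = `"` + esc + `"`
	}
	return "multipart/form-data; boundary=" + boundary
}

// parsedBoundary returns the boundary a receiver recovers from the header.
func parsedBoundary(contentType string) (string, error) {
	_, params, err := mime.ParseMediaType(contentType)
	if err != nil {
		return "", err
	}
	return params["boundary"], nil
}

func main() {
	// Constructed sample boundaries: a plain token, the one from the report,
	// and one ending in a backslash (the case raised in the follow-up comment).
	for _, b := range []string{"plainboundary", "(boundary)", `end\`} {
		_, rawErr := parsedBoundary(unquotedContentType(b))
		got, err := parsedBoundary(quotedContentType(b))
		fmt.Printf("%-14q unquoted err=%v | quoted %s -> %q err=%v\n",
			b, rawErr, quotedContentType(b), got, err)
	}
}
```

The standard library's `mime.FormatMediaType` applies the same token-or-quoted-string rule to parameter values, so it can serve as a cross-check for a hand-written formatter.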
