Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

mime/multipart: FormDataContentType doesn't properly use quoted-string #26532

Closed
FMNSSun opened this Issue Jul 22, 2018 · 4 comments

Comments

Projects
None yet
5 participants
@FMNSSun
Copy link

FMNSSun commented Jul 22, 2018

I've noticed this while digging into #26521 but afaict ParseMediaType behaves correctly according to RFC 2045 but the FormDataContentType doesn't return quoted-string. The function mentions that it formats according to Content-Type header but RFC 2616 Sect. 2.2 also excludes special characters
for use in token and must be part of a quoted-string as well.

What version of Go are you using (go version)?

go 1.10.3

Does this issue reproduce with the latest release?

Yes.

What did you do?

package main

import (
	"mime/multipart"
	"mime"
	"os"
	"fmt"
)

func main() {
	w := multipart.NewWriter(os.Stdout)
	err := w.SetBoundary("(boundary)")
	fmt.Println(err)
	ct := w.FormDataContentType()
	_, _, err = mime.ParseMediaType(ct)
	fmt.Println(ct, err)
}

(https://play.golang.org/p/5ZPC_EGHODn)

What did you expect to see?

multipart/form-data; boundary="(boundary)"

What did you see instead?

multipart/form-data; boundary=(boundary)

Which according to RFC 2045 and RFC 2616 is illegal as ( belongs to special characters that are only allowed in quoted-strings.

@agnivade

This comment has been minimized.

Copy link
Member

agnivade commented Jul 22, 2018

@FMNSSun

This comment has been minimized.

Copy link
Author

FMNSSun commented Jul 23, 2018

Also, the boundary needs to be properly escaped when put into a quoted-string (\ is a valid boundary character as well).

@bradfitz bradfitz added this to the Go1.12 milestone Jul 23, 2018

@ianlancetaylor

This comment has been minimized.

Copy link
Contributor

ianlancetaylor commented Dec 13, 2018

@FMNSSun As far as I can tell from RFC 2046, \ is not a valid boundary character.

boundary := 0*69<bchars> bcharsnospace

bcharsnospace := DIGIT / ALPHA / "'" / "(" / ")" /
                      "+" / "_" / "," / "-" / "." /
                      "/" / ":" / "=" / "?"

And indeed \ is not accepted by multipart.Writer.SetBoundary.

It doesn't seem that any additional quoting is needed for the boundary string.

@gopherbot

This comment has been minimized.

Copy link

gopherbot commented Dec 13, 2018

Change https://golang.org/cl/154120 mentions this issue: mime/multipart: quote boundary in Content-Type if necessary

@gopherbot gopherbot closed this in a629399 Dec 13, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.