diff options
author | Ian Lance Taylor <iant@golang.org> | 2018-12-13 15:23:35 -0800 |
---|---|---|
committer | Ian Lance Taylor <iant@golang.org> | 2018-12-13 23:58:06 +0000 |
commit | a6293995c55659f51e0662e7656f395633c99b5b (patch) | |
tree | 063372cbcd6005b23f0f7ce5ff6a7613b798f4af /src/mime | |
parent | 784d810976e6fce946d8202b19f3e3c33beb89a2 (diff) | |
download | go-a6293995c55659f51e0662e7656f395633c99b5b.tar.gz go-a6293995c55659f51e0662e7656f395633c99b5b.zip |
mime/multipart: quote boundary in Content-Type if necessary
Fixes #26532
Change-Id: Ic086c90503c7b24982f947c828c7ccf016ddbf69
Reviewed-on: https://go-review.googlesource.com/c/154120
Run-TryBot: Ian Lance Taylor <iant@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Diffstat (limited to 'src/mime')
-rw-r--r-- | src/mime/multipart/writer.go | 8 | ||||
-rw-r--r-- | src/mime/multipart/writer_test.go | 13 |
2 files changed, 20 insertions, 1 deletions
diff --git a/src/mime/multipart/writer.go b/src/mime/multipart/writer.go index 3dd0c8fb13..d1ff151a7d 100644 --- a/src/mime/multipart/writer.go +++ b/src/mime/multipart/writer.go @@ -72,7 +72,13 @@ func (w *Writer) SetBoundary(boundary string) error { // FormDataContentType returns the Content-Type for an HTTP // multipart/form-data with this Writer's Boundary. func (w *Writer) FormDataContentType() string { - return "multipart/form-data; boundary=" + w.boundary + b := w.boundary + // We must quote the boundary if it contains any of the + // tspecials characters defined by RFC 2045, or space. + if strings.ContainsAny(b, `()<>@,;:\"/[]?= `) { + b = `"` + b + `"` + } + return "multipart/form-data; boundary=" + b } func randomBoundary() string { diff --git a/src/mime/multipart/writer_test.go b/src/mime/multipart/writer_test.go index 8b1bcd68d8..b89b093fff 100644 --- a/src/mime/multipart/writer_test.go +++ b/src/mime/multipart/writer_test.go @@ -7,6 +7,7 @@ package multipart import ( "bytes" "io/ioutil" + "mime" "net/textproto" "strings" "testing" @@ -94,6 +95,7 @@ func TestWriterSetBoundary(t *testing.T) { {"my-separator", true}, {"with space", true}, {"badspace ", false}, + {"(boundary)", true}, } for i, tt := range tests { var b bytes.Buffer @@ -107,6 +109,17 @@ func TestWriterSetBoundary(t *testing.T) { if got != tt.b { t.Errorf("boundary = %q; want %q", got, tt.b) } + + ct := w.FormDataContentType() + mt, params, err := mime.ParseMediaType(ct) + if err != nil { + t.Errorf("could not parse Content-Type %q: %v", ct, err) + } else if mt != "multipart/form-data" { + t.Errorf("unexpected media type %q; want %q", mt, "multipart/form-data") + } else if b := params["boundary"]; b != tt.b { + t.Errorf("unexpected boundary parameter %q; want %q", b, tt.b) + } + w.Close() wantSub := "\r\n--" + tt.b + "--\r\n" if got := b.String(); !strings.Contains(got, wantSub) { |