From ddd9ba28668f502a8a9ab8e290e91be8b54dbea3 Mon Sep 17 00:00:00 2001
From: Allan Boll
Date: Fri, 16 Jun 2017 17:42:24 -0700
Subject: [PATCH] Less strict multipart parsing
---
 apache2/msc_multipart.c | 53 ++++++++++++++++-------------------------
 1 file changed, 20 insertions(+), 33 deletions(-)
diff --git a/apache2/msc_multipart.c b/apache2/msc_multipart.c
index 45c18e3444..880b13c579 100644
--- a/apache2/msc_multipart.c
+++ b/apache2/msc_multipart.c
@@ -695,42 +695,29 @@ static int multipart_boundary_characters_valid(char *boundary) {
 if (p == NULL) return -1;
- while((c = *p) != '\0') {
- /* Control characters and space not allowed. */
- if (c < 32) {
+ while ((c = *p) != '\0') {
+ // Check against allowed list defined in RFC2046 page 21
+ if (!(
+ ('0' <= c && c <= '9')
+ || ('A' <= c && c <= 'Z')
+ || ('a' <= c && c <= 'z')
+ || (c == ' ' && *(p + 1) != '\0') // space allowed, but not as last character
+ || c == '\''
+ || c == '('
+ || c == ')'
+ || c == '+'
+ || c == '_'
+ || c == ','
+ || c == '-'
+ || c == '.'
+ || c == '/'
+ || c == ':'
+ || c == '='
+ || c == '?'
+ )) {
 return 0;
 }
- /* Non-ASCII characters not allowed. */
- if (c > 126) {
- return 0;
- }
-
- switch(c) {
- /* Special characters not allowed. */
- case '(' :
- case ')' :
- case '<' :
- case '>' :
- case '@' :
- case ',' :
- case ';' :
- case ':' :
- case '\\' :
- case '"' :
- case '/' :
- case '[' :
- case ']' :
- case '?' :
- case '=' :
- return 0;
- break;
-
- default :
- /* Do nothing. */
- break;
- }
-
 p++;
 }
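Review bot: The new allowlist in `multipart_boundary_characters_valid` accepts space and `( ) , / : = ?`, which RFC 2045 permits in a parameter value only inside a quoted-string, yet the function cannot tell whether the boundary was quoted. For a WAF this matters because a back-end parser that stops at the first such character in an unquoted value would see a different boundary than the one validated here, so the body could be split differently from what was inspected. The call site is outside this hunk, so if quoting is not tracked there, I would at least document the contract above the `if (!(`: `/* RFC 2046 bchars; caller must accept space and ( ) , / : = ? only when the boundary was a quoted-string (RFC 2045) */`. The allowlist also rejects characters the old code passed (for example `!`, `#`, `*`, `~`), so the change is not purely "less strict" and the function comment should say that it is now an allowlist. The function's start and end lie outside the hunk.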