[
https://issues.apache.org/jira/browse/CXF-9207?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Andriy Redko updated CXF-9207:
------------------------------
Fix Version/s: 4.2.1
3.6.11
4.1.6
> Improve multipart Content-Disposition formatting (optional space after
> form-data;) for better interoperability with strict WAFs
> -------------------------------------------------------------------------------------------------------------------------------
>
> Key: CXF-9207
> URL: https://issues.apache.org/jira/browse/CXF-9207
> Project: CXF
> Issue Type: Improvement
> Affects Versions: 4.1.5
> Reporter: Markus Mahlmann
> Priority: Minor
> Fix For: 4.2.1, 3.6.11, 4.1.6
>
>
> We are using Apache CXF to send multipart/form-data requests, and we noticed
> that CXF currently generates {{Content-Disposition}} headers without a space
> after {{{}form-data;{}}}. For example, one of the parts is sent as:
> {code:java}
> Content-Disposition: form-data;name="issuer" {code}
> According to the relevant RFCs, this is perfectly valid and
> standards-compliant. However, our customer has a Web Application Firewall
> (WAF) in front of their system that expects a space after {{form-data;}} and
> rejects requests that do not follow this exact formatting.
> So we need it to be:
> {code:java}
> Content-Disposition: form-data; name="issuer" {code}
> In addition, most public examples of {{Content-Disposition}} headers (for
> instance in the MDN documentation:
> [https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Disposition#examples])
> also include a space after {{form-data}}
> It would be very helpful from an interoperability perspective if CXF could:
> * either add a space after {{form-data;}} in the {{Content-Disposition}}
> header by default, or
> * provide a configuration option / extension point that allows customizing
> the exact formatting of the {{Content-Disposition}} header for multipart
> parts.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
