[
https://issues.apache.org/jira/browse/CXF-9207?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18066665#comment-18066665
]
Andriy Redko edited comment on CXF-9207 at 3/19/26 1:23 AM:
------------------------------------------------------------
Thanks for filling the issue, [~markus123] , the WAF behavior is really
surprising. To be fair, it will be very difficult to allows customization of
the content disposition (it being used in many places where propagating such
customization is not straightforward), adding space by default could be an
option to consider ([https://datatracker.ietf.org/doc/html/rfc6266] states that:
OPTIONAL whitespace can appear between words (token or
quoted-string) and separator characters.
was (Author: reta):
Thanks for filling the issue, [~markus123] , the WAF behavior is really
surprising. To be fair, it will be very difficult to allows customization of
the content disposition (it being used in many places where propagating such
customization is not straightforward), adding space by default could be an
option to consider ([https://datatracker.ietf.org/doc/html/rfc6266] states that:
OPTIONAL whitespace can appear between words (token or
quoted-string) and separator characters.
> Improve multipart Content-Disposition formatting (optional space after
> form-data;) for better interoperability with strict WAFs
> -------------------------------------------------------------------------------------------------------------------------------
>
> Key: CXF-9207
> URL: https://issues.apache.org/jira/browse/CXF-9207
> Project: CXF
> Issue Type: Improvement
> Affects Versions: 4.1.5
> Reporter: Markus Mahlmann
> Priority: Minor
>
> We are using Apache CXF to send multipart/form-data requests, and we noticed
> that CXF currently generates {{Content-Disposition}} headers without a space
> after {{{}form-data;{}}}. For example, one of the parts is sent as:
> {code:java}
> Content-Disposition: form-data;name="issuer" {code}
> According to the relevant RFCs, this is perfectly valid and
> standards-compliant. However, our customer has a Web Application Firewall
> (WAF) in front of their system that expects a space after {{form-data;}} and
> rejects requests that do not follow this exact formatting.
> So we need it to be:
> {code:java}
> Content-Disposition: form-data; name="issuer" {code}
> In addition, most public examples of {{Content-Disposition}} headers (for
> instance in the MDN documentation:
> [https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Disposition#examples])
> also include a space after {{form-data}}
> It would be very helpful from an interoperability perspective if CXF could:
> * either add a space after {{form-data;}} in the {{Content-Disposition}}
> header by default, or
> * provide a configuration option / extension point that allows customizing
> the exact formatting of the {{Content-Disposition}} header for multipart
> parts.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
