mime/multipart: parse boundary with spaces properly

- spaces are allowed anywhere but the last character of a boundary Fixes #18768 Change-Id: I36b054462533ff6dfc060e37e7a58777ae4b66fe Reviewed-on: https://go-review.googlesource.com/35507 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2024-11-27 05:01:19 -07:00 · 2017-01-24 07:40:17 -07:00 · 2017-01-24 07:40:17 -07:00 · a28ce75daa
commit a28ce75daa
parent e26b51b0d5
2 changed files with 15 additions and 7 deletions
--- a/src/mime/multipart/writer.go
+++ b/src/mime/multipart/writer.go
@ -50,13 +50,18 @@ func (w *Writer) SetBoundary(boundary string) error {
 	if len(boundary) < 1 || len(boundary) > 70 {
 		return errors.New("mime: invalid boundary length")
 	}
-	for _, b := range boundary {
+	end := len(boundary) - 1
+	for i, b := range boundary {
 		if 'A' <= b && b <= 'Z' || 'a' <= b && b <= 'z' || '0' <= b && b <= '9' {
 			continue
 		}
 		switch b {
 		case '\'', '(', ')', '+', '_', ',', '-', '.', '/', ':', '=', '?':
 			continue
+		case ' ':
+			if i != end {
+				continue
+			}
 		}
 		return errors.New("mime: invalid boundary character")
 	}
--- a/src/mime/multipart/writer_test.go
+++ b/src/mime/multipart/writer_test.go
@ -80,8 +80,6 @@ func TestWriter(t *testing.T) {
 }

 func TestWriterSetBoundary(t *testing.T) {
-	var b bytes.Buffer
-	w := NewWriter(&b)
 	tests := []struct {
 		b  string
 		ok bool
@ -94,8 +92,12 @@ func TestWriterSetBoundary(t *testing.T) {
 		{strings.Repeat("x", 71), false},
 		{"bad!ascii!", false},
 		{"my-separator", true},
+		{"with space", true},
+		{"badspace ", false},
 	}
 	for i, tt := range tests {
+		var b bytes.Buffer
+		w := NewWriter(&b)
 		err := w.SetBoundary(tt.b)
 		got := err == nil
 		if got != tt.ok {
@ -105,12 +107,13 @@ func TestWriterSetBoundary(t *testing.T) {
 			if got != tt.b {
 				t.Errorf("boundary = %q; want %q", got, tt.b)
 			}
+			w.Close()
+			wantSub := "\r\n--" + tt.b + "--\r\n"
+			if got := b.String(); !strings.Contains(got, wantSub) {
+				t.Errorf("expected %q in output. got: %q", wantSub, got)
+			}
 		}
 	}
-	w.Close()
-	if got := b.String(); !strings.Contains(got, "\r\n--my-separator--\r\n") {
-		t.Errorf("expected my-separator in output. got: %q", got)
-	}
 }

 func TestWriterBoundaryGoroutines(t *testing.T) {