Skip to content

Reject truncated percent-encoding in RFC2231Utils.decodeText#475

Merged
garydgregory merged 1 commit into
apache:masterfrom
alhudz:rfc2231-truncated-pct
Jul 11, 2026
Merged

Reject truncated percent-encoding in RFC2231Utils.decodeText#475
garydgregory merged 1 commit into
apache:masterfrom
alhudz:rfc2231-truncated-pct

Conversation

@alhudz

@alhudz alhudz commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

Repro: parse a Content-Disposition value of form-data; name="f"; filename*=UTF-8''report%3 (a truncated RFC 5987 percent escape) and read the resulting file name.
Expected: rejected, the same as %GG or a non-ASCII byte already are.
Actual: RFC2231Utils.decodeText returns report; fromHex treats a % with fewer than two following characters as end-of-input and returns what it decoded so far, dropping the truncated escape.
Fix: throw IllegalArgumentException on a truncated % escape, so the value is rejected like every other malformed input in fromHex and like the sibling QuotedPrintableDecoder. Covered by a new case in RFC2231UtilityTestCase.

@garydgregory garydgregory merged commit 3e28315 into apache:master Jul 11, 2026
9 checks passed
@garydgregory

Copy link
Copy Markdown
Member

Thank you @alhudz , merged 🚀 Please port to the 1.x branch.

@alhudz

alhudz commented Jul 13, 2026

Copy link
Copy Markdown
Contributor Author

Thanks for merging. Port to 1.x is up as #477, same change adapted to RFC2231Utility, full suite green there.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants