Merge pull request #8008 from eclipse/jetty-10.0.x-legacyMultipartParser

Add compliance mode for LEGACY multipart parser in Jetty 10+

Author: lachlan-roberts

jetty-server/src/main/config/etc/jetty.xml

@@ -75,6 +75,7 @@
       <Set name="uriCompliance"><Call class="org.eclipse.jetty.http.UriCompliance" name="from"><Arg><Property name="jetty.httpConfig.uriCompliance" default="SAFE"/></Arg></Call></Set>
       <Set name="requestCookieCompliance"><Call class="org.eclipse.jetty.http.CookieCompliance" name="valueOf"><Arg><Property name="jetty.httpConfig.requestCookieCompliance" default="RFC6265"/></Arg></Call></Set>
       <Set name="responseCookieCompliance"><Call class="org.eclipse.jetty.http.CookieCompliance" name="valueOf"><Arg><Property name="jetty.httpConfig.responseCookieCompliance" default="RFC6265"/></Arg></Call></Set>
+      <Set name="multiPartFormDataCompliance"><Call class="org.eclipse.jetty.server.MultiPartFormDataCompliance" name="valueOf"><Arg><Property name="jetty.httpConfig.multiPartFormDataCompliance" default="RFC7578"/></Arg></Call></Set>
       <Set name="relativeRedirectAllowed"><Property name="jetty.httpConfig.relativeRedirectAllowed" default="false"/></Set>
       <Set name="useInputDirectByteBuffers" property="jetty.httpConfig.useInputDirectByteBuffers"/>
       <Set name="useOutputDirectByteBuffers" property="jetty.httpConfig.useOutputDirectByteBuffers"/>

jetty-server/src/main/config/modules/server.mod

@@ -82,6 +82,9 @@ etc/jetty.xml
 # jetty.httpConfig.responseCookieCompliance=RFC6265
 # end::documentation-server-compliance[]
 
+## multipart/form-data compliance mode of: LEGACY(slow), RFC7578(fast)
+# jetty.httpConfig.multiPartFormDataCompliance=RFC7578
+
 # tag::documentation-server-config[]
 ### Server configuration
 ## Whether ctrl+c on the console gracefully stops the Jetty server

jetty-server/src/main/java/org/eclipse/jetty/server/HttpConfiguration.java

@@ -75,6 +75,7 @@ public class HttpConfiguration implements Dumpable
     private UriCompliance _uriCompliance = UriCompliance.DEFAULT;
     private CookieCompliance _requestCookieCompliance = CookieCompliance.RFC6265;
     private CookieCompliance _responseCookieCompliance = CookieCompliance.RFC6265;
+    private MultiPartFormDataCompliance _multiPartCompliance = MultiPartFormDataCompliance.RFC7578;
     private boolean _notifyRemoteAsyncErrors = true;
     private boolean _relativeRedirectAllowed;
     private HostPort _serverAuthority;
@@ -625,6 +626,21 @@ public void setResponseCookieCompliance(CookieCompliance cookieCompliance)
         _responseCookieCompliance = cookieCompliance == null ? CookieCompliance.RFC6265 : cookieCompliance;
     }
 
+    /**
+     * Sets the compliance level for multipart/form-data handling.
+     *
+     * @param multiPartCompliance The multipart/form-data compliance level.
+     */
+    public void setMultiPartFormDataCompliance(MultiPartFormDataCompliance multiPartCompliance)
+    {
+        _multiPartCompliance = multiPartCompliance == null ? MultiPartFormDataCompliance.RFC7578 : multiPartCompliance;
+    }
+
+    public MultiPartFormDataCompliance getMultipartFormDataCompliance()
+    {
+        return _multiPartCompliance;
+    }
+
     /**
      * @param notifyRemoteAsyncErrors whether remote errors, when detected, are notified to async applications
      */

jetty-server/src/main/java/org/eclipse/jetty/server/MultiPartFormDataCompliance.java

@@ -0,0 +1,34 @@
+//
+// ========================================================================
+// Copyright (c) 1995-2022 Mort Bay Consulting Pty Ltd and others.
+//
+// This program and the accompanying materials are made available under the
+// terms of the Eclipse Public License v. 2.0 which is available at
+// https://www.eclipse.org/legal/epl-2.0, or the Apache License, Version 2.0
+// which is available at https://www.apache.org/licenses/LICENSE-2.0.
+//
+// SPDX-License-Identifier: EPL-2.0 OR Apache-2.0
+// ========================================================================
+//
+
+package org.eclipse.jetty.server;
+
+/**
+ * The compliance level for parsing <code>multiPart/form-data</code>
+ */
+public enum MultiPartFormDataCompliance
+{
+    /**
+     * Legacy <code>multiPart/form-data</code> parsing which is slow but forgiving.
+     * It will accept non-compliant preambles and inconsistent line termination.
+     *
+     * @see org.eclipse.jetty.server.MultiPartInputStreamParser
+     */
+    LEGACY,
+    /**
+     * RFC7578 compliant parsing that is a fast but strict parser.
+     *
+     * @see org.eclipse.jetty.server.MultiPartFormInputStream
+     */
+    RFC7578
+}

jetty-server/src/main/java/org/eclipse/jetty/server/MultiPartFormInputStream.java

@@ -37,6 +37,7 @@
 import javax.servlet.ServletInputStream;
 import javax.servlet.http.Part;
 
+import org.eclipse.jetty.server.MultiParts.NonCompliance;
 import org.eclipse.jetty.util.BufferUtil;
 import org.eclipse.jetty.util.ByteArrayOutputStream2;
 import org.eclipse.jetty.util.MultiException;
@@ -104,23 +105,6 @@ private enum State
     private volatile int _bufferSize = 16 * 1024;
     private State state = State.UNPARSED;
 
-    public enum NonCompliance
-    {
-        TRANSFER_ENCODING("https://tools.ietf.org/html/rfc7578#section-4.7");
-
-        final String _rfcRef;
-
-        NonCompliance(String rfcRef)
-        {
-            _rfcRef = rfcRef;
-        }
-
-        public String getURL()
-        {
-            return _rfcRef;
-        }
-    }
-
     /**
      * @return an EnumSet of non compliances with the RFC that were accepted by this parser
      */