Lucee handles files uploads incorrectly when Content-Type is missing

Description

Lucee treats POSTed files as regular form fields if they are missing the "Content-Type" multipart MIME header.

I ran into this when posting a file from Adobe ColdFusion to Lucee.

1 2 3 4 5 6 7 8 <!--- ColdFusion Server ---> <cfhttp url="#luceeURL#" method="post" result="res"> <cfhttpparam name="filename" type="file" file="#expandPath('hello.tmp')#"> </cfhttp> <!--- Lucee Server ---> <cffile action="move" source="#form.filename#" destination="#newFileHome#"> <!--- error because form.filename holds the file contents instead of the filename --->

I believe this occurs due to this code:
https://github.com/lucee/Lucee/blob/0db6e70b53a870d4fcd750f4402a10bcfedaa701/core/src/main/java/lucee/runtime/type/scope/FormImpl.java#L192

1 2 3 4 5 6 if(item.getContentType() == null || StringUtil.isEmpty(item.getName())) { list.add(new URLItem(item.getFieldName(), new String(IOUtil.toBytes(is), encoding), false)); } else { // snip - saves the contents to a temporary file and sets the field value to the filename }

When Adobe ColdFusion cannot automatically determine the "mimeType" attribute it doesn't set the "Content-Type" header at all. For example, if the filename was "hello.txt" instead of "hello.tmp" then it would send the correct "Content-Type". I think Lucee always sets a "Content-Type", falling back to "text/plain".

Lucee behaves differently than ColdFusion, which doesn't depend on the "Content-Type" header being present.

A workaround for Adobe ColdFusion is to specify the mimeType attribute on cfhttpparam instead of letting it automatically determine the type. However I think the "Content-Type" is optional and the bug is in Lucee. This could affect anything that posts files to Lucee.

Here's an example POST that illustrates the problem:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 POST /bug.cfm HTTP/1.1 User-Agent: ColdFusion Content-Type: multipart/form-data; boundary=-----------------------------7d0d117230764 Connection: close Content-Length: 12345 Host: localhost Accept-Encoding: gzip,deflate -------------------------------7d0d117230764 Content-Disposition: form-data; name="myTextField" Content-Type: text/plain; charset=UTF-8 This is a regular text field, because the Content-Disposition doesn't specify a filename -------------------------------7d0d117230764 Content-Disposition: form-data; name="myFile"; filename="C:\ColdFusion11\cfusion\runtime\work\Catalina\localhost\tmp\doc_7812246263320350461.tmp" This is a file, because the Content-Disposition specifies a filename. This file is treated as a regular text field in Lucee as it is missing the "Content-Type" header. -------------------------------7d0d117230764--

Environment

Windows 10

Status

Assignee

Michael Offner

Reporter

Thomas Rafferty

Labels

Sprint

None

Fix versions

Priority

Critical