Lucee handles files uploads incorrectly when Content-Type is missing

Description

Lucee treats POSTed files as regular form fields if they are missing the "Content-Type" multipart MIME header.

I ran into this when posting a file from Adobe ColdFusion to Lucee.

I believe this occurs due to this code:
https://github.com/lucee/Lucee/blob/0db6e70b53a870d4fcd750f4402a10bcfedaa701/core/src/main/java/lucee/runtime/type/scope/FormImpl.java#L192

When Adobe ColdFusion cannot automatically determine the "mimeType" attribute it doesn't set the "Content-Type" header at all. For example, if the filename was "hello.txt" instead of "hello.tmp" then it would send the correct "Content-Type". I think Lucee always sets a "Content-Type", falling back to "text/plain".

Lucee behaves differently than ColdFusion, which doesn't depend on the "Content-Type" header being present.

A workaround for Adobe ColdFusion is to specify the mimeType attribute on cfhttpparam instead of letting it automatically determine the type. However I think the "Content-Type" is optional and the bug is in Lucee. This could affect anything that posts files to Lucee.

Here's an example POST that illustrates the problem:

Environment

Windows 10

Status

Assignee

Michael Offner

Reporter

Thomas Rafferty

Labels

Sprint

None

Fix versions

Priority

Critical
Configure