
In a multi-part (i.e. Content-Type=multipart/form-data) form, is there an upper limit on the length of the boundary string that an HTTP server should accept?

As far as I can tell, the relevant RFCs say 70 chars:

  • RFC2616 (HTTP/1.1) section "3.7 Media Types" says that the allowed types in the Content-Type header are defined by RFC1590 (Media Type Registration Procedure).
  • RFC1590 updates RFC 1521 (MIME).
  • RFC1521 says that a boundary "must be no longer than 70 characters, not counting the two leading hyphens".
  • The same text also appears in RFC2046 which supposedly obsoletes RFC1521.

So can I be certain all the major HTTP/1.1 browsers out there today adhere to this limit? Are there any browsers (or other HTTP clients/libraries) known to break this limit?

Is there some other spec or common rule-of-thumb I'm missing that says the string will be shorter than 70 chars? In Chrome(ium) I get something like this: ----WebKitFormBoundaryLu4dNSGEhJZUgoe5, which is obviously shorter than 70 chars.

I'm asking this question because my server is running in an extremely memory-constrained environment, so "malloc a buffer large enough to hold the entire header string" is not an ideal answer.

  • You ask for an upper limit. Of course it is possible that you do not get the full upper limit but less (related to the Chrome boundary). Commented Aug 1, 2013 at 16:34
  • There should be no problem if you use AJAX and process the data in your PHP file directly. Commented Oct 5, 2013 at 16:17
  • “hold the entire header string”? Why the entire header, if you just need the boundary? Commented May 21, 2016 at 12:21
  • Why not allocate as much memory as the actual input requires? Use an upper limit of 70 bytes and reject larger boundaries as malformed. Commented May 21, 2016 at 12:24
  • @RobertSiemer - As a concrete example of the falling hardware cost, this was originally asked right around the time the Raspberry Pi Rev A was available for $35 USD, and you couldn't build a low-qty (a few thousand?) Linux board much cheaper than that. The Pi project only pulled it off due to high volume. Today, the Pi Zero would do everything we needed 10x over and goes for $5 USD. Ultra low-power (microamps standby current) applications, or extremely high volume stuff would be the only reasons I'd do a project like this today, professionally anyway. Commented May 23, 2016 at 15:34

1 Answer

As you note, RFC 2046 updated the MIME spec, but kept the restriction of the maximum boundary string to 70 characters, not counting the two leading hyphens.

I think it's a fair assumption that the spec is followed by all major browsers (and all MIME-using clients, like mail programs) since otherwise passing around multipart data would be very risky indeed.

To be sure, I've experimentally verified it for you using the latest versions of:

  • curl: ----------------------------5a56a6c893f2 (40)
  • Chrome 30 (WebKit): ----WebKitFormBoundarym0vCJKBpUYdCIWQG (38)
  • Safari 6 (WebKit, and same as Chrome): ----WebKitFormBoundaryFHUXvJBZwO2JKkNa (38)
  • Firefox 24: ---------------------------7096603861379320641089344535 (55)
  • IE 10: ---------------------------7dd1961640278 (40) - same technique as curl!
  • Apache HttpClient: -----------------------------1294919323195 (42)

Thus not only does every major browser/client conform, but all would allow you to save 15 allocated bytes per boundary per buffer from the theoretical max. If you could trivially switch on user agent, you could squeeze even more performance out. ;-)
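A bounded parser that applies the RFC 2046 limit the way the question asks for, as an added example rather than code from the question or answer: it extracts the `boundary` parameter from a Content-Type value into a fixed 71-byte caller buffer, checks every character against the RFC's bchars, and rejects anything over 70 characters (the `boundary_length` wrapper and the sample headers are constructed for illustration; it assumes POSIX `strncasecmp`).

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

#define MAX_BOUNDARY_LEN 70   /* RFC 2046 s5.1.1 cap, not counting the "--" prefix */

/* bchars per RFC 2046: DIGIT / ALPHA / "'()+_,-./:=?" / space. */
static int is_bchar(unsigned char c) {
    return c != '\0' && (isalnum(c) || strchr("'()+_,-./:=? ", c) != NULL);
}

/* Pointer just past "boundary=" (parameter name is case-insensitive), or NULL. */
static const char *find_boundary_param(const char *ct) {
    const char *p = ct;
    while ((p = strchr(p, ';')) != NULL) {
        p++;
        while (*p == ' ' || *p == '\t') p++;
        if (strncasecmp(p, "boundary=", 9) == 0) return p + 9;
    }
    return NULL;
}

/* Copy the boundary into a fixed caller buffer (out_size >= 71); no malloc needed.
 * Returns its length, or -1 if absent, empty, non-bchar, trailing space, unterminated
 * quote, or longer than 70: the cap is checked per character, before anything is kept. */
int parse_boundary(const char *content_type, char *out, size_t out_size) {
    const char *p = find_boundary_param(content_type);
    size_t n = 0;
    int quoted;
    if (p == NULL || out_size < MAX_BOUNDARY_LEN + 1) return -1;
    quoted = (*p == '"');
    if (quoted) p++;
    while (*p != '\0' && *p != ';' && !(quoted && *p == '"')
           && !(!quoted && (*p == ' ' || *p == '\t'))) {
        if (!is_bchar((unsigned char)*p) || n == MAX_BOUNDARY_LEN) return -1;
        out[n++] = *p++;
    }
    if (quoted && *p != '"') return -1;          /* unterminated quoted-string */
    if (n == 0 || out[n - 1] == ' ') return -1;  /* empty, or ends in a space */
    out[n] = '\0';
    return (int)n;
}

/* Constructed convenience wrapper with a stack buffer: accepted length or -1. */
int boundary_length(const char *content_type) {
    char buf[MAX_BOUNDARY_LEN + 1];
    return parse_boundary(content_type, buf, sizeof buf);
}
```

Fed the Chrome header value from the answer, `boundary_length` returns 38; a 71-character boundary is refused before a single byte beyond the buffer could be written.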


1 Comment

Switch on user-agent? Are you serious?
