
HTTP Header Content-Type for Multipart: Is a CRLF really allowed?


We are hosting some SAP servers capable of receiving HTTP POST requests. Now we have a client application that wants to POST some multipart data, but it fails because the server rejects the request with HTTP 400 Bad Request.

After some investigation, it looks like the reason is that the client application is sending the Content-Type header as follows:

Content-Type: multipart/mixed
boundary="----=_Part_161608_2058542758.1711354500700"

I asked the client application not to put any line break (CRLF) in the middle of the header, and they refused, referring to the spec here: https://www.w3.org/Protocols/rfc1341/7_2_Multipart.html

Still, I am wondering: is it really allowed to put a line break within the Content-Type or any other header?

In the meantime I also tested some publicly available HTTP servers (webhook.site, httpbin.org, pipedream.com), and all of them also respond with HTTP 400 Bad Request if I send the Content-Type field with a line break.


Solution

  • This is an incredibly old spec, but it's also the incorrect one. The Content-Type header here is part of the HTTP envelope (even if the body is a multi-part body), so the correct reference is the HTTP spec.

    In the HTTP spec at some point it was allowed to fold lines like this, but at the very least the following lines should start with a whitespace.

    However, this is no longer allowed and the HTTP specification explicitly says these should be rejected with a 400 Bad Request:

    https://www.rfc-editor.org/rfc/rfc9112#name-obsolete-line-folding

    So you are correct, this is a badly behaving client that's not conforming to the HTTP specification. They should fix the problem.
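A strict field-line check of the kind discussed above, as an added example that is not part of the original question or answer and is not the code of any server named on the page. The function names and the three constructed samples are assumptions; the first sample reproduces the header as shown in the question, where the second line has neither leading whitespace nor a colon, so it fails as a malformed field line before folding is even considered.

```python
import re

# field-name must be an RFC 9110 token; no whitespace is allowed before the colon.
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


class BadRequest(Exception):
    """Raised for input that a server should answer with 400 Bad Request."""


def parse_field_lines(raw: bytes) -> dict:
    """Strictly parse the field lines that follow the request line."""
    head, terminator, _body = raw.partition(b"\r\n\r\n")
    if not terminator:
        raise BadRequest("header section not terminated")
    fields = {}
    for line in head.split(b"\r\n"):
        if line[:1] in (b" ", b"\t"):
            # obs-fold: CRLF followed by SP/HTAB continuing the previous value
            raise BadRequest("obsolete line folding")
        if b"\r" in line or b"\n" in line:
            raise BadRequest("bare CR or LF in field line")
        name, colon, value = line.partition(b":")
        if not colon or not TOKEN.fullmatch(name):
            raise BadRequest("malformed field line")
        key = name.decode("ascii").lower()
        fields.setdefault(key, []).append(value.strip(b" \t").decode("latin-1"))
    return fields


def status_for(raw: bytes) -> tuple:
    """Return (status code, reason) the way a strict server would decide."""
    try:
        parse_field_lines(raw)
        return 200, "ok"
    except BadRequest as exc:
        return 400, str(exc)


# Constructed samples (header section only, request line omitted).
BOUNDARY = b'boundary="----=_Part_161608_2058542758.1711354500700"'
AS_SHOWN_IN_QUESTION = b"Content-Type: multipart/mixed\r\n" + BOUNDARY + b"\r\n\r\n"
OBS_FOLD = b"Content-Type: multipart/mixed;\r\n " + BOUNDARY + b"\r\n\r\n"
SINGLE_LINE = b"Content-Type: multipart/mixed; " + BOUNDARY + b"\r\n\r\n"

if __name__ == "__main__":
    for sample in (AS_SHOWN_IN_QUESTION, OBS_FOLD, SINGLE_LINE):
        print(status_for(sample))
```

Rejecting instead of silently unfolding keeps every hop that sees the request in agreement about where one header ends and the next begins.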