netty: StringIndexOutOfBoundsException thrown by HttpPostRequestDecoder.splitHeaderContentType() when Content-Type header starts with a semicolon

Expected behavior

I’m not sure what the desired behavior should be for HttpPostRequestDecoder.splitHeaderContentType() when it finds a Content-Type header that starts with a semicolon, but I’m assuming StringIndexOutOfBoundsException is not intentional.

Actual behavior

HttpPostRequestDecoder.splitHeaderContentType() throws a StringIndexOutOfBoundsException when it parses a Content-Type header that starts with a semicolon ;. Specifically this line, because the aEnd variable is 0 when the Content-Type header starts with a semicolon: https://github.com/netty/netty/blob/00afb19d7a37de21b35ce4f6cb3fa7f74809f2ab/codec-http/src/main/java/io/netty/handler/codec/http/multipart/HttpPostRequestDecoder.java#L278.

Steps to reproduce

  1. Make a request to a Netty HTTP server and pass a Content-Type header that starts with a semicolon ;. I’m not sure if there are HTTP clients that would sanitize this for you and prevent the problem, but I was able to reproduce this with RestAssured and a Netty Bootstrap acting as an HTTP client via HttpClientCodec, so there are at least a few clients you can use to reproduce.
  2. In the Netty server that receives the request, call HttpPostRequestDecoder.isMultipart(HttpRequest) or any other code path that ultimately causes HttpPostRequestDecoder.splitHeaderContentType(String) to be called with the request’s Content-Type header.
  3. You’ll see a StringIndexOutOfBoundsException get thrown.

Netty version

4.1.30.Final (probably others as well)

About this issue

  • State: closed
  • Created 6 years ago
  • Comments: 16 (10 by maintainers)
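
The failure mode reported above, as an added example that is not part of the original issue and is not Netty's code: a splitter that reads the character before the first semicolon without a bounds check, next to a guarded version that rejects a header with no media type. The class name, method names, the assumed shape of the fragile check and the sample headers are all constructed for illustration.

```java
import java.util.Arrays;

// Added illustration, not Netty's source; class and method names are hypothetical.
public class ContentTypeSplit {
    // Fragile pattern (assumed shape of the bug): looks at the character before
    // the first ';' without checking that one exists. For ";..." idx is 0.
    static String[] naiveSplit(String header) {
        int idx = header.indexOf(';');
        if (idx == -1) {
            return new String[] { header.trim(), "" };
        }
        int end = idx;
        if (header.charAt(end - 1) == ' ') { // idx == 0 -> charAt(-1) throws
            end--;
        }
        return new String[] { header.substring(0, end), header.substring(idx + 1).trim() };
    }

    // Guarded version: an empty media type is rejected with one deliberate exception
    // type that the caller can handle as a malformed request.
    static String[] guardedSplit(String header) {
        if (header == null) {
            throw new IllegalArgumentException("missing Content-Type");
        }
        int idx = header.indexOf(';');
        String mediaType = (idx == -1 ? header : header.substring(0, idx)).trim();
        if (mediaType.isEmpty()) {
            throw new IllegalArgumentException("Content-Type has no media type");
        }
        return new String[] { mediaType, idx == -1 ? "" : header.substring(idx + 1).trim() };
    }

    public static void main(String[] args) {
        // Constructed sample headers; the last two start with a semicolon.
        String[] samples = { "multipart/form-data; boundary=abc", "text/plain", "; boundary=abc", ";" };
        for (String s : samples) {
            try {
                System.out.println("naive:   " + Arrays.toString(naiveSplit(s)));
            } catch (StringIndexOutOfBoundsException e) {
                System.out.println("naive:   StringIndexOutOfBoundsException for \"" + s + "\"");
            }
            try {
                System.out.println("guarded: " + Arrays.toString(guardedSplit(s)));
            } catch (IllegalArgumentException e) {
                System.out.println("guarded: rejected \"" + s + "\" (" + e.getMessage() + ")");
            }
        }
    }
}
```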

Most upvoted comments

No problem, do that