Closed p5pRT closed 16 years ago
I'm using the CGI module to parse HTTP POST file upload requests. I noticed that if the file name is quoted and contains a semicolon, CGI fails to parse the name correctly. For example, using 'foo;bar.txt' as the file name would result in the following Content-Disposition line in the HTTP request:
Content-Disposition: form-data; name="filename1"; filename="foo;bar.txt"
which would cause CGI to fail the file name parsing.
According to RFC 1867, 2183 and 2045, the file name field value can contain semicolons when the name is quoted.
A related issue is that when the file name parsing fails, the file content is loaded into the parsed CGI object, i.e. in main memory.
I would propose the following patch to the CGI module to fix these issues:
3258c3258\,3260 \< my($filename) = $header{'Content-Disposition'}=~/ filename="([^;]*)"/; ---
\# RFC 1867\, 2183\, 2045 my \($filename\) = $header\{'Content\-Disposition'\}=~/ filename=\(\("\[^"\]\*"\)|\(
[a-z\d!#'\*\+\,\.^_\`\{\}\|\~]*))/i; $filename =~ s/^"([^"]*)"$/$1/; 3262a3265\,3269 # prevent file content from being loaded into memory should # content-disposition parsing fail. if($header{'Content-Disposition'}=~/ filename=/ && !$filename) { $filename = "noname.bin"; }
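Review bot: In the 3258c3258,3260 hunk, the character class for the unquoted alternative has no '-', '$', '%' or '&', all of which RFC 2045 allows in a token, so an unquoted name such as my-file.txt would be cut off at the hyphen. Add the missing characters to the class. The quoted alternative "[^"]*" also stops at the first double quote even when it is backslash-escaped inside the quoted string, which is worth at least a comment next to the RFC reference.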
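Review bot: In the 3262a3265,3269 hunk, the !$filename test is true not only when parsing failed but also when the header carries filename="" (a file field left empty) or a file named 0, so those parts are renamed to noname.bin as well. Test whether the match itself failed, separately from whether the captured name is empty, and apply the fallback only in the first case.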
-- aspa
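The parsing failure described in the report above, reproduced as an added example (not code from CGI.pm or from the submitted patch). `filename_old` uses the pre-patch pattern quoted in the report; `filename_quoted` is a hypothetical quote-aware extractor that also undoes backslash escapes, which goes slightly beyond the case in the report. All sample headers are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Pre-patch pattern, as shown on the line the report replaces.
sub filename_old {
    my ($cd) = @_;
    my ($name) = $cd =~ / filename="([^;]*)"/;
    return $name;    # undef when the pattern does not match
}

# Hypothetical quote-aware extractor (illustration only, not CGI.pm code).
# Accepts a quoted-string with backslash escapes, or an unquoted token.
sub filename_quoted {
    my ($cd) = @_;
    if ($cd =~ /;\s*filename="((?:[^"\\]|\\.)*)"/i) {
        (my $name = $1) =~ s/\\(.)/$1/g;    # undo quoted-pair escapes
        return $name;                       # may be '' for an empty field
    }
    return $1 if $cd =~ /;\s*filename=([^\s;"]+)/i;
    return undef;                           # no filename parameter at all
}

# Constructed sample Content-Disposition values.
my @samples = (
    'form-data; name="filename1"; filename="foo;bar.txt"',  # case from the report
    'form-data; name="filename1"; filename="plain.txt"',
    'form-data; name="filename1"; filename=""',             # empty upload field
    'form-data; name="filename1"; filename=token.txt',      # unquoted token
    'form-data; name="comment"',                            # ordinary form field
);

for my $cd (@samples) {
    printf "%-53s old=%-12s new=%s\n", $cd,
        map { defined $_ ? "'$_'" : 'undef' }
        filename_old($cd), filename_quoted($cd);
}
```

The three outcomes (a name, an empty string, and undef) are kept distinct so that a caller can tell an empty upload field from a header with no filename parameter.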
The following part in the patch breaks HTML forms with multiple file upload elements when there's one or more empty elements posted to the server:
if($header{'Content-Disposition'}=~/ filename=/ && !$filename) { $filename = "noname.bin"; }
[aspa - Fri Nov 04 04:33:48 2005]:
The following part in the patch breaks HTML forms with multiple file upload elements when there's one or more empty elements posted to the server:
if($header{'Content-Disposition'}=~/ filename=/ && !$filename) { $filename = "noname.bin"; }
Could you please resend the patch as a diff -u (if your diff supports it) or as a diff -c. It makes it much easier to see the changes.
Thanks.
The RT System itself - Status changed from 'new' to 'open'
[stmpeters - Tue Dec 27 05:48:06 2005]:
Could you please resend the patch as a diff -u (if your diff supports it) or as a diff -c. It makes it much easier to see the changes.
here you go.
br. aspa
On Tue Dec 27 23:40:27 2005, aspa wrote:
[stmpeters - Tue Dec 27 05:48:06 2005]:
Could you please resend the patch as a diff -u (if your diff supports it) or as a diff -c. It makes it much easier to see the changes.
here you go.
br. aspa
Sorry, but this response seems to never have made it to any mailing list. I've just applied this patch as change #32683.
@smpeters - Status changed from 'open' to 'resolved'
Migrated from rt.perl.org#37607 (status was 'resolved')
Searchable as RT37607$