SuaveIO / suave

Suave is a simple web development F# library providing a lightweight web server and a set of combinators to manipulate route flow and task composition.
https://suave.io

Issue with parsing boundary from multipart/form-data Content-Type header causes a crash #759

Closed eriadam closed 2 years ago

eriadam commented 2 years ago

Hello!

We found that in case the Content-Type header contains a charset parameter next to the boundary, the parsing logic is faulty, which leads to an invalid boundary and a crash.

```
Content-Type: "multipart/form-data; charset=utf-8; boundary=__X_PAW_BOUNDARY__"
```

results in

```
--utf-8; boundary=__X_PAW_BOUNDARY__
```

as the logic in the ConnectionFacade.fs looks for the first `=`.

```fsharp
let boundary =
    "--"
    + (ce
       |> String.substring (ce.IndexOf('=') + 1)
       |> String.trimStart
       |> String.trimc '"')
```
Stack trace:

```
[12:23:24 WRN] TCP request processing failed
System.Exception: Invalid multipart format: expected boundary ‘--utf-8; boundary=__X_PAW_BOUNDARY__’ got ‘--__X_PAW_BOUNDARY__’
   at Microsoft.FSharp.Core.PrintfModule.PrintFormatToStringThenFail@1439.Invoke(String message) in D:\a\_work\1\s\src\fsharp\FSharp.Core\printf.fs:line 1439
   at .$ConnectionFacade.clo@413-21.Invoke(String _arg18)
   at Microsoft.FSharp.Control.AsyncPrimitives.CallThenInvokeNoHijackCheck[a,b](AsyncActivation`1 ctxt, b result1, FSharpFunc`2 userCode) in D:\a\_work\1\s\src\fsharp\FSharp.Core\async.fs:line 464
   at .$SocketMonad.Return@9-1.Invoke(AsyncActivation`1 ctxt)
   at .$SocketMonad.Return@9-1.Invoke(AsyncActivation`1 ctxt)
   at .$SocketMonad.Return@9-1.Invoke(AsyncActivation`1 ctxt)
   at Suave.Sockets.SocketOpModule.orInputError@46-1.Invoke(AsyncActivation`1 ctxt)
   at .$SocketMonad.Return@9-1.Invoke(AsyncActivation`1 ctxt)
   at .$SocketMonad.Return@9-1.Invoke(AsyncActivation`1 ctxt)
   at .$SocketMonad.Return@9-1.Invoke(AsyncActivation`1 ctxt)
   at .$SocketMonad.Return@9-1.Invoke(AsyncActivation`1 ctxt)
   at .$SocketMonad.Return@9-1.Invoke(AsyncActivation`1 ctxt)
   at .$SocketMonad.Return@9-1.Invoke(AsyncActivation`1 ctxt)
   at .$SocketMonad.Return@9-1.Invoke(AsyncActivation`1 ctxt)
   at .$SocketMonad.Return@9-1.Invoke(AsyncActivation`1 ctxt)
   at Suave.Sockets.SocketOpModule.orInputError@46-1.Invoke(AsyncActivation`1 ctxt)
   at .$SocketMonad.Return@9-1.Invoke(AsyncActivation`1 ctxt)
   at .$SocketMonad.Return@9-1.Invoke(AsyncActivation`1 ctxt)
   at .$ConnectionFacade.-ctor@141-14.Invoke(AsyncActivation`1 ctxt)
   at .$SocketMonad.Return@9-1.Invoke(AsyncActivation`1 ctxt)
   at .$SocketMonad.Return@9-1.Invoke(AsyncActivation`1 ctxt)
   at Microsoft.FSharp.Control.Trampoline.Execute(FSharpFunc`2 firstAction) in D:\a\_work\1\s\src\fsharp\FSharp.Core\async.fs:line 104
```

I have prepared a PR with a fix; I will submit it shortly.

Cheers, Adam
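
An added example, not Suave's code and not the fix from the PR mentioned above: one way to pick the boundary by parameter name instead of by the first `=`, returning `None` for a missing or malformed value so the caller can reject the request rather than throw. `tryParseBoundary` is a hypothetical name; the example goes slightly beyond the reported case by also handling quoted values and enforcing the 1 to 70 character boundary length from RFC 2046.

```fsharp
open System

/// Extract the multipart boundary delimiter ("--" + boundary) from a Content-Type value.
/// Hypothetical helper: returns None when the parameter is absent or malformed.
let tryParseBoundary (contentType: string) : string option =
    // Split on ';' but not inside a quoted-string (backslash escapes are not handled here)
    let splitParams (s: string) =
        let parts = ResizeArray<string>()
        let sb = System.Text.StringBuilder()
        let mutable inQuotes = false
        for c in s do
            if c = '"' then inQuotes <- not inQuotes
            if c = ';' && not inQuotes then
                parts.Add(sb.ToString())
                sb.Clear() |> ignore
            else
                sb.Append(c) |> ignore
        parts.Add(sb.ToString())
        List.ofSeq parts

    match splitParams contentType with
    | [] -> None
    | mediaType :: parameters ->
        if not (mediaType.Trim().Equals("multipart/form-data", StringComparison.OrdinalIgnoreCase)) then
            None
        else
            parameters
            |> List.tryPick (fun p ->
                match p.IndexOf('=') with
                | -1 -> None
                | i ->
                    // Parameter names are case-insensitive; match on the name, not on position
                    let name = p.Substring(0, i).Trim()
                    let value = p.Substring(i + 1).Trim().Trim('"')
                    if name.Equals("boundary", StringComparison.OrdinalIgnoreCase) then Some value else None)
            // RFC 2046: a boundary is 1 to 70 characters long
            |> Option.filter (fun b -> b.Length >= 1 && b.Length <= 70)
            |> Option.map (fun b -> "--" + b)

// Constructed sample headers; the first is the value from the report above
[ "multipart/form-data; charset=utf-8; boundary=__X_PAW_BOUNDARY__"
  "multipart/form-data; boundary=\"a;b=c\"; charset=utf-8"
  "multipart/form-data; charset=utf-8" ]
|> List.iter (fun h -> printfn "%s -> %A" h (tryParseBoundary h))
```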