search

rwf2 / multer

An async parser for multipart/form-data content-type in Rust
MIT License
156 stars 35 forks source link

Not extracting `file_name` correctly if filename contains double quotes #57

Closed BenJeau closed 7 months ago

BenJeau commented 11 months ago

Hi, thanks for this great library!

I'm uploading files via multipart/form-data within axum and see that if my filename contains double quotes, it's not properly parsed when using the file_name() method of the Field struct.

Example starting with "

Example sample code (modified from simple_example.rs) ```rust use bytes::Bytes; use futures_util::stream::Stream; use multer::Multipart; use std::convert::Infallible; #[tokio::main] async fn main() -> Result<(), Box> { let (stream, boundary) = get_byte_stream_from_somewhere().await; let mut multipart = Multipart::new(stream, boundary); while let Some(field) = multipart.next_field().await? { println!("Name: {:?}, File Name: {:?}", field.name(), field.file_name()); println!("Content: {:?}", field.text().await?); } Ok(()) } async fn get_byte_stream_from_somewhere() -> (impl Stream>, &'static str) { let data = "--X-BOUNDARY\r\nContent-Disposition: form-data; name=\"\"; filename=\"\"Exclusive Offer\"_ Last chance To Get microsoft-office-365.eml\"\r\n\r\nabcd\r\n--X-BOUNDARY--\r\n"; let stream = futures_util::stream::iter( data.chars() .map(|ch| ch.to_string()) .map(|part| Ok(Bytes::copy_from_slice(part.as_bytes()))), ); (stream, "X-BOUNDARY") } ```

The file name on the file system:

"Exclusive Offer"_ Last chance To Get microsoft-office-365.eml

Prints the following:

Name: Some(""), File Name: Some("")
Content: "abcd"

I would have expected the following output (or something similar to):

Name: Some("\"\""), File Name: Some("\"\"Exclusive Offer\"_ Last chance To Get microsoft-office-365.eml\"")
Content: "abcd"

Example containing with "

The file name on the file system:

[URGENT] "Exclusive Offer"_ Last chance To Get microsoft-office-365.eml

Prints the following:

Name: Some(""), File Name: Some("[URGENT] ")
Content: "abcd"

I would have expected the following output (or something similar to):

Name: Some("\"\""), File Name: Some("\[URGENT] "\"Exclusive Offer\"_ Last chance To Get microsoft-office-365.eml\"")
Content: "abcd"

Looking in the codebase, it seems like the issue is within this file and I think is related to the FIXME comment https://github.com/rousan/multer-rs/blob/8746d3bd876ddfcc9df9cd1d30783a87873345a8/src/constants.rs#L35-L38

I'm fiddling around with that part of the code, but it's tricky getting this right.