yesodweb / wai

Haskell Web Application Interface
MIT License

Wai Parse `FilenameTooLong` error incorrectly thrown for too long param name #1001

Open moll opened 2 weeks ago

moll commented 2 weeks ago

Hey,

I think the FilenameTooLong error in Wai Parse is incorrectly thrown for a too long key name, not the file name.

https://github.com/yesodweb/wai/blob/53da27d12db4c8fb3b99c6c1cf29ce098e26f0a2/wai-extra/Network/Wai/Parse.hs#L583-L589

The name length check mirrors the one just beneath the other `Just (_ct, name, Nothing)` case, and that's for the parameter name. There's no code right now that checks the file name length, so the error itself seems unused.

moll commented 2 weeks ago

Now that I'm looking at it, the `UrlEncoded` variant of `conduitRequestBodyEx` doesn't check the parameter name lengths at all. Either both should or neither should. The current method of just checking param name lengths of multipart forms is odd. It doesn't gain or protect much. I think just checking the header line length is sufficient to protect against metadata (such as param name, file name) resource abuse. Individual param name and filename length checks should be left to business logic.
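A small regression harness for the behaviour described in the issue, added here as an example and not taken from the issue or the wai repository: it feeds `Network.Wai.Parse` a constructed multipart body whose single field name exceeds the configured key limit and reports which `RequestParseException` comes back, so the error mapping can be pinned down in a test. It assumes wai-extra exports `parseRequestBodyEx`, `setMaxRequestKeyLength`, `lbsBackEnd` and `RequestParseException`, and that the deprecated `requestBody` record field of wai's `Request` is still available.

```haskell
{-# LANGUAGE OverloadedStrings #-}
-- Added example (not wai's own code). Assumed wai-extra API: parseRequestBodyEx,
-- setMaxRequestKeyLength, lbsBackEnd, RequestParseException, Param.
module Main (main) where

import Control.Exception (try)
import qualified Data.ByteString as B
import qualified Data.ByteString.Char8 as BC
import Data.IORef (atomicModifyIORef', newIORef)
import Network.Wai (Request, defaultRequest, requestBody, requestHeaders, requestMethod)
import Network.Wai.Parse

-- Constructed multipart body: one ordinary text field (no filename) whose
-- name is 300 bytes long, well above the key limit configured below.
boundary :: B.ByteString
boundary = "xxBOUNDARYxx"

longFieldName :: B.ByteString
longFieldName = BC.replicate 300 'k'

multipartBody :: B.ByteString
multipartBody = B.concat
  [ "--", boundary, "\r\n"
  , "Content-Disposition: form-data; name=\"", longFieldName, "\"\r\n\r\n"
  , "value\r\n"
  , "--", boundary, "--\r\n" ]

-- Wrap the body in a Request whose chunk reader yields it once, then "".
-- (requestBody is deprecated in newer wai releases but still a usable field.)
mkRequest :: B.ByteString -> IO Request
mkRequest payload = do
  ref <- newIORef payload
  let nextChunk = atomicModifyIORef' ref (\s -> (B.empty, s))
  return defaultRequest
    { requestMethod  = "POST"
    , requestHeaders = [("Content-Type", "multipart/form-data; boundary=" <> boundary)]
    , requestBody    = nextChunk }

-- Parse with a 32-byte key limit; the Left branch tells us which exception
-- wai-extra raises for an overlong *parameter name* (FilenameTooLong or not).
parseWithKeyLimit :: Request -> IO (Either RequestParseException [Param])
parseWithKeyLimit req = do
  let opts = setMaxRequestKeyLength 32 defaultParseRequestBodyOptions
  r <- try (parseRequestBodyEx opts lbsBackEnd req)
  return (fmap fst r)

main :: IO ()
main = do
  req <- mkRequest multipartBody
  result <- parseWithKeyLimit req
  case result of
    Left e       -> putStrLn ("Raised: " ++ show e)
    Right params -> putStrLn ("Parsed without error; keys: " ++ show (map fst params))
```

The same harness with a `Content-Type: application/x-www-form-urlencoded` body and the same key limit would show whether the `UrlEncoded` path applies the limit at all, which is the inconsistency raised in the second comment.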