Open moll opened 2 months ago
Now that I'm looking at it, the `UrlEncoded` variant of `conduitRequestBodyEx` doesn't check the parameter name lengths at all. Either both should or neither should. The current method of just checking param name lengths of multipart forms is odd. It doesn't gain nor protect much. I think just checking the header line length is sufficient to protect against metadata (such as param name, file name) resource abuse. Individual param name and filename length checks should be left to business logic.
Good point. That logic is obviously conflating two separate things.
Let's see if anyone else has strong opinions about this. I personally also feel a "header length" check is sufficient.
I also don't really get why this exists. This module is only imported in `RequestLogger` and then only a handful of things. I wonder if anyone would directly use this module :thinking:
Hey,
I think the `FilenameTooLong` error in Wai Parse is incorrectly thrown for a too-long key name, not the file name. https://github.com/yesodweb/wai/blob/53da27d12db4c8fb3b99c6c1cf29ce098e26f0a2/wai-extra/Network/Wai/Parse.hs#L583-L589
The `name` length check mirrors the one just beneath the other `Just (_ct, name, Nothing)` case, and that's for the parameter name. There's no code right now that checks the file name length, so the error itself seems unused.