author | Aaron Patterson <aaron.patterson@gmail.com> | 2016-09-28 10:12:29 -0700 |
---|---|---|
committer | eileencodes <eileencodes@gmail.com> | 2017-05-08 12:53:11 -0400 |
commit | c0598cd42b24f2c9ec870157b5501adef5e2bbb6 (patch) | |
tree | 64d3159891f59889641899ede30189092c21400d | |
parent | 2e6313c292ca8ac8e2459bc35185aac5a0e0a228 (diff) | |
download | rack-c0598cd42b24f2c9ec870157b5501adef5e2bbb6.tar.gz |
Merge pull request #1115 from Shopify/fix-multipart-parsing-with-null-byte
Handle NULL byte in multipart file name
-rw-r--r-- | lib/rack/multipart/parser.rb | 3 | ||||
-rw-r--r-- | test/multipart/filename_with_null_byte | 7 | ||||
-rw-r--r-- | test/spec_multipart.rb | 6 |
3 files changed, 14 insertions, 2 deletions
diff --git a/lib/rack/multipart/parser.rb b/lib/rack/multipart/parser.rb
index 22d38e74..0cbd3732 100644
--- a/lib/rack/multipart/parser.rb
+++ b/lib/rack/multipart/parser.rb
@@ -6,7 +6,6 @@ module Rack
 class Parser
 BUFSIZE = 16384
- DUMMY = Struct.new(:parse).new
 def self.create(env)
@@ -19,7 +18,7 @@ module Rack
 content_length = content_length.to_i if content_length
 tempfile = env['rack.multipart.tempfile_factory'] ||
- lambda { |filename, content_type| Tempfile.new(["RackMultipart", ::File.extname(filename)]) }
+ lambda { |filename, content_type| Tempfile.new(["RackMultipart", ::File.extname(filename.gsub("\0".freeze, '%00'.freeze))]) }
 bufsize = env['rack.multipart.buffer_size'] || BUFSIZE
 new($1, io, content_length, env, tempfile, bufsize)
diff --git a/test/multipart/filename_with_null_byte b/test/multipart/filename_with_null_byte
new file mode 100644
index 00000000..961d44c4
--- /dev/null
+++ b/test/multipart/filename_with_null_byte
@@ -0,0 +1,7 @@
+--AaB03x
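Review bot: The NUL replacement in the second hunk of lib/rack/multipart/parser.rb lives only inside the default `tempfile` lambda, so a factory supplied through `env['rack.multipart.tempfile_factory']` is still handed the raw client filename and can hit the same failure if it passes that name to `File.extname` or another path API. The spec added in this commit also pins `params["files"][:filename]` to `"flowers.exe\u0000.jpg"`, so applications receive the NUL unchanged and should not use that value in a filesystem path without cleaning it. I would add a comment above the lambda along the lines of `# client filename may contain NUL, which File.extname rejects; custom factories receive the raw name`. The place where the factory is invoked is outside this hunk, so whether the name could be cleaned once before any factory sees it cannot be judged from here.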
+Content-Type: image/jpeg
+Content-Disposition: attachment; name="files"; filename="flowers.exe%00.jpg"
+Content-Description: a complete map of the human genome
+
+contents
+--AaB03x--
diff --git a/test/spec_multipart.rb b/test/spec_multipart.rb
index 74578d7b..ffaca557 100644
--- a/test/spec_multipart.rb
+++ b/test/spec_multipart.rb
@@ -261,6 +261,12 @@ describe Rack::Multipart do
 params["files"].size.should.equal 252
 end
+ should "parse multipart form with a null byte in the filename" do
+ env = Rack::MockRequest.env_for '/', multipart_fixture(:filename_with_null_byte)
+ params = Rack::Multipart.parse_multipart(env)
+ params["files"][:filename].should.equal "flowers.exe\u0000.jpg"
+ end
+
 should "parse multipart/mixed" do
 env = Rack::MockRequest.env_for("/", multipart_fixture(:mixed_files))
 params = Rack::Utils::Multipart.parse_multipart(env) |
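Review bot: The new example pins only `params["files"][:filename]`, so it does not show that the default tempfile factory produced a usable file for this upload, which is the code path the parser change touches. One more expectation on the tempfile would close that gap, for example `::File.extname(params["files"][:tempfile].path).should.equal ".jpg"` (assuming the default factory is in use). The example also calls `Rack::Multipart.parse_multipart` while the neighbouring example uses `Rack::Utils::Multipart.parse_multipart`; picking one spelling keeps the file consistent. The enclosing `describe` block starts and ends outside this hunk.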