diff options
| author | fatkodima <fatkodima123@gmail.com> | 2019-11-29 16:57:03 +0200 |
|---|---|---|
| committer | fatkodima <fatkodima123@gmail.com> | 2019-11-29 16:57:03 +0200 |
| commit | 2a8aa75fae1856713ccb9cdff20dd758f488d0e0 (patch) | |
| tree | 7fc1278e3d534cc1eeca4bcf04687c9993d0259f | |
| parent | 93dfcdf46084760079514c858ae7391e90a7821e (diff) | |
| download | rack-2a8aa75fae1856713ccb9cdff20dd758f488d0e0.tar.gz | |
Robust separation of Content-Disposition fields
| -rw-r--r-- | lib/rack/multipart.rb | 6 | ||||
| -rw-r--r-- | test/multipart/robust_field_separation | 6 | ||||
| -rw-r--r-- | test/spec_multipart.rb | 6 |
3 files changed, 15 insertions, 3 deletions
diff --git a/lib/rack/multipart.rb b/lib/rack/multipart.rb index 31ac29eb..bd91f43f 100644 --- a/lib/rack/multipart.rb +++ b/lib/rack/multipart.rb @@ -16,10 +16,10 @@ module Rack TOKEN = /[^\s()<>,;:\\"\/\[\]?=]+/ CONDISP = /Content-Disposition:\s*#{TOKEN}\s*/i VALUE = /"(?:\\"|[^"])*"|#{TOKEN}/ - BROKEN_QUOTED = /^#{CONDISP}.*;\sfilename="(.*?)"(?:\s*$|\s*;\s*#{TOKEN}=)/i - BROKEN_UNQUOTED = /^#{CONDISP}.*;\sfilename=(#{TOKEN})/i + BROKEN_QUOTED = /^#{CONDISP}.*;\s*filename="(.*?)"(?:\s*$|\s*;\s*#{TOKEN}=)/i + BROKEN_UNQUOTED = /^#{CONDISP}.*;\s*filename=(#{TOKEN})/i MULTIPART_CONTENT_TYPE = /Content-Type: (.*)#{EOL}/ni - MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:.*\s+name=(#{VALUE})/ni + MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:.*;\s*name=(#{VALUE})/ni MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni # Updated definitions from RFC 2231 ATTRIBUTE_CHAR = %r{[^ \t\v\n\r)(><@,;:\\"/\[\]?='*%]} diff --git a/test/multipart/robust_field_separation b/test/multipart/robust_field_separation new file mode 100644 index 00000000..34956b15 --- /dev/null +++ b/test/multipart/robust_field_separation @@ -0,0 +1,6 @@ +--AaB03x
+Content-Disposition: form-data;name="text"
+Content-Type: text/plain
+
+contents
+--AaB03x--
diff --git a/test/spec_multipart.rb b/test/spec_multipart.rb index b029048e..2d51f091 100644 --- a/test/spec_multipart.rb +++ b/test/spec_multipart.rb @@ -306,6 +306,12 @@ describe Rack::Multipart do params["files"][:filename].must_equal "flowers.exe\u0000.jpg" end + it "is robust separating Content-Disposition fields" do + env = Rack::MockRequest.env_for("/", multipart_fixture(:robust_field_separation)) + params = Rack::Multipart.parse_multipart(env) + params["text"].must_equal "contents" + end + it "not include file params if no file was selected" do env = Rack::MockRequest.env_for("/", multipart_fixture(:none)) params = Rack::Multipart.parse_multipart(env) |