diff options
| author | Jean Boussier <jean.boussier@gmail.com> | 2016-09-28 14:36:11 +0200 |
|---|---|---|
| committer | Jean Boussier <jean.boussier@gmail.com> | 2016-09-28 14:41:44 +0200 |
| commit | 05177e0cf1cfa84a062b5344ccca40272e3da919 (patch) | |
| tree | 80721ba6f73ee150f98794a903ad66dc661bc566 | |
| parent | 7ca86b7c42def1865f032c4d71c01ea94584b470 (diff) | |
| download | rack-05177e0cf1cfa84a062b5344ccca40272e3da919.tar.gz | |
Handle NULL byte in multipart file name
| -rw-r--r-- | lib/rack/multipart/parser.rb | 2 | ||||
| -rw-r--r-- | test/multipart/filename_with_null_byte | 7 | ||||
| -rw-r--r-- | test/spec_multipart.rb | 6 |
3 files changed, 14 insertions, 1 deletions
diff --git a/lib/rack/multipart/parser.rb b/lib/rack/multipart/parser.rb index 74a7ee67..d8cb3670 100644 --- a/lib/rack/multipart/parser.rb +++ b/lib/rack/multipart/parser.rb @@ -8,7 +8,7 @@ module Rack BUFSIZE = 16384 TEXT_PLAIN = "text/plain" TEMPFILE_FACTORY = lambda { |filename, content_type| - Tempfile.new(["RackMultipart", ::File.extname(filename)]) + Tempfile.new(["RackMultipart", ::File.extname(filename.gsub("\0".freeze, '%00'.freeze))]) } class BoundedIO # :nodoc: diff --git a/test/multipart/filename_with_null_byte b/test/multipart/filename_with_null_byte new file mode 100644 index 00000000..961d44c4 --- /dev/null +++ b/test/multipart/filename_with_null_byte @@ -0,0 +1,7 @@ +--AaB03x
+Content-Type: image/jpeg
+Content-Disposition: attachment; name="files"; filename="flowers.exe%00.jpg"
+Content-Description: a complete map of the human genome
+
+contents
+--AaB03x--
diff --git a/test/spec_multipart.rb b/test/spec_multipart.rb index 80e49ccb..02b86bed 100644 --- a/test/spec_multipart.rb +++ b/test/spec_multipart.rb @@ -305,6 +305,12 @@ describe Rack::Multipart do params["files"][:filename].must_equal "bob's flowers.jpg" end + it "parse multipart form with a null byte in the filename" do + env = Rack::MockRequest.env_for '/', multipart_fixture(:filename_with_null_byte) + params = Rack::Multipart.parse_multipart(env) + params["files"][:filename].must_equal "flowers.exe\u0000.jpg" + end + it "not include file params if no file was selected" do env = Rack::MockRequest.env_for("/", multipart_fixture(:none)) params = Rack::Multipart.parse_multipart(env) |