I'm trying to understand if the Perl code is doing the right thing by
placing a newline directly in the double-quoted filename in the
Content-Disposition header.
Even though it's probably a bad thing to do, POSIX allows newlines in
filenames. Receiving systems, of course, must be careful how that filename
is used -- but in this case it's never actually used in a filesystem (i.e.
it's just considered metadata).
The code below does a full round-trip successfully (meaning the newline in
the filename is preserved), but that's all within Perl.
I'm POSTing to a service written in Golang and that library is complaining
about malformed headers.
My question: Is HTTP::Request not escaping correctly or is Golang library
not parsing correctly?
use strict;
use warnings;
use HTTP::Request::Common;
use HTTP::Response;
use HTTP::Body;
use Data::Dumper;
my $filename = "name with\na newline";
my $req = POST(
'http://example.com/post',
content_type => 'form-data',
Content => [
file => [
$0,
$filename,
],
one => 1,
two => 2,
],
);
my $res = HTTP::Response->parse( $req->as_string );
my $body = HTTP::Body->new( join( ' ' ,$res->content_type),
$res->content_length );
$body->add( $res->decoded_content );
print Dumper $body->upload;
Above returns:
$VAR1 = {
'file' => {
'filename' => 'name with
a newline',
'tempname' =>
'/var/folders/sz/w4rntlpx76vcy5xrp441m0qw0000gn/T/6QNv98gd5B',
'size' => 561,
'headers' => {
'Content-Disposition' => 'form-data;
name="file"; filename="name with
a newline"',
'Content-Type' => 'text/plain'
},
'name' => 'file'
}
};
It seems like header folding is no longer allowed, but I'm not clear that
this is a case of header-folding:
https://stackoverflow.com/questions/521275/how-to-escape-a-line-break-literal-in-the-http-header
Or asked another way, is Perl or Golang breaking Postel's law
<https://en.wikipedia.org/wiki/Robustness_principle>?
--
Bill Moseley
mose...@hank.org
