On Fri, Jan 19, 2001 at 10:24:34AM -0500, Nalin Dahyabhai wrote:
> It looks like the variable name is cut at the \n which follows the name,
> but there's a \r before it. I'm attaching a patch for this.

After some additional checks (and a more thorough reading of the parsing function), I've revised the patch. It terminates the variable at the right location, and skips over a Content-Type header which might follow the name parameter. It might be better to save the type, like the parser currently does for file uploads, but for now it appears to work with all of the clients I've tried (Navigator and multiple versions of Lynx on Linux and Navigator and IE5 on Windows).

Thanks,

Nalin

Parser fixups. Be more careful about isolating variable names, and skip over a Content-Type header in form data if we get one. This seems to fix all of the known problem scenarios I can find. --- php-4.0.4pl1/main/rfc1867.c.parse Mon Jan 29 20:33:58 2001 +++ php-4.0.4pl1/main/rfc1867.c Tue Jan 30 03:57:17 2001 @@ -110,7 +110,7 @@ { char *ptr, *loc, *loc2, *loc3, *s, *name, *filename, *u, *temp_filename; int len, state = 0, Done = 0, rem, urem; - int eolsize; + int eolsize = 2; long bytes, max_file_size = 0; char *namebuf=NULL, *filenamebuf=NULL, *lbuf=NULL, *abuf=NULL, *start_arr=NULL, *end_arr=NULL, *arr_index=NULL; @@ -132,7 +132,7 @@ PG(http_globals)[TRACK_VARS_FILES] = http_post_files; ptr = buf; - rem = cnt; + rem = cnt; /* rem seems to always be == (cnt - (ptr - buf)) == buf + cnt - +ptr, so can't we remove it? */ len = strlen(boundary); while ((ptr - buf < cnt) && !Done) { switch (state) { @@ -144,7 +144,8 @@ state = 1; eolsize = 2; - if(*(loc+len)==0x0a) { + if(*(loc+len)=='\n') { + /* broken client - ends lines +with LF, not CR-LF */ eolsize = 1; } @@ -152,6 +153,9 @@ ptr = loc + len + eolsize; } else { rem -= (loc - ptr) + 1; + /* ptr += (loc - ptr) + 1; */ + /* ptr = ptr + (loc - ptr) + 1; */ + /* ptr = ptr + loc - ptr + 1; */ ptr = loc + 1; } } else { @@ -180,6 +184,13 @@ } } else if(!s) { s = loc; + /* make 's' point to the first +character which isn't part of the variable name, such as the '"' above */ + if(memchr(name, '\r', s - name)) + s = memchr(name, '\r', s - +name); + if(memchr(name, ' ', s - name)) + s = memchr(name, ' ', s - +name); + if(memchr(name, ';', s - name)) + s = memchr(name, ';', s - +name); } else { php_error(E_WARNING, "File Upload Mime headers garbled name: [%c%c%c%c%c]", *name, *(name + 1), *(name + 2), *(name + 3), *(name + 4)); SAFE_RETURN; 
@@ -193,8 +204,18 @@ } lbuf = emalloc(s-name + MAX_SIZE_OF_INDEX + 1); state = 2; + if (!strncasecmp(loc + 1, "Content-Type:", +13)) { + loc2 = memchr(loc + 1, '\n', buf + cnt +- loc - 1); + if(loc2) { + loc = loc2; + ptr = loc + 1; + } + } loc2 = memchr(loc + 1, '\n', rem); rem -= (loc2 - ptr) + 1; + /* ptr += (loc2 - ptr) + 1; */ + /* ptr = ptr + (loc2 - ptr) + 1; */ + /* ptr = ptr + loc2 - ptr + 1; */ ptr = loc2 + 1; /* is_arr_upload is true when name of file upload field * ends in [.*]
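Review bot: The three commented-out variants of the pointer update in the @@ -152,6 +153,9 @@ hunk (/* ptr += (loc - ptr) + 1; */ and the two lines after it) read as working notes and should be dropped before this is committed. If the aim is to record that rem always tracks ptr, as the comment added next to rem = cnt suggests, one sentence in the commit message or a single comment is enough. The same applies to the three commented-out lines added before ptr = loc2 + 1 in the last hunk.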
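Review bot: In the @@ -180,6 +184,13 @@ hunk each memchr(name, ..., s - name) is evaluated twice, once in the if condition and once in the assignment. Store the result in a local pointer and assign s only when it is non-NULL. A short loop over the three terminator characters '\r', ' ' and ';' would also make it explicit that s ends at the earliest of them, which the current code achieves only because each search runs over the range already shortened by the previous one.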
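Review bot: In the @@ -193,8 +204,18 @@ hunk the Content-Type skip advances loc and ptr but leaves rem unchanged, so the following memchr(loc + 1, '\n', rem) is given a length that is too large by the size of the skipped header and can scan beyond buf + cnt. Either subtract the skipped bytes from rem inside the if(loc2) block, or bound the second search with buf + cnt - loc - 1 as the new memchr already does. The strncasecmp(loc + 1, "Content-Type:", 13) comparison should also check first that at least 13 bytes remain before buf + cnt, and the second loc2 is used in rem -= (loc2 - ptr) + 1 and ptr = loc2 + 1 without a NULL check, unlike the first one.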