Yes, this is an error. Line 251 of web-server/http/request.rkt uses a regular-expression to extract the name and it is not robust against quoted strings. I don't have the bandwidth to fix this until after RacketCon. Let me know if you will look into it, otherwise I will put it in my TODO list.
Jay On Wed, Sep 14, 2016 at 8:18 PM, John Clements <cleme...@brinckerhoff.org> wrote: > The web-server code has been rock-solid for me, but I think I’ve actually > found a bug. Specifically, it looks like the filename part of a > multipart/form-data file submission is prematurely terminated when a filename > contains a double-quote. Either that, or Firefox is not using the right > encoding scheme. > > To see this, I run this toy web server: > > #lang racket > > (require web-server/servlet-env > web-server/http/request-structs > web-server/http/xexpr) > > (define (go request) > (printf "~v\n" > (request-bindings/raw request)) > (printf "request: ~v\n" > request) > (printf "body: ~v\n" > (request-post-data/raw request)) > (response/xexpr '(html > (body > (p "yay") > (form ((action "/foo") > (method "post") > (enctype "multipart/form-data")) > (input ((type "file") (name "abcz"))) > (input ((type "submit")))))))) > > > (serve/servlet go > #:servlet-regexp #px”") > > … and then, in Firefox, I choose a file named abc”d. That is, abcd with a > double-quote in the middle of it. > > DrRacket then reports: > > Your Web application is running at > http://localhost:8000/servlets/standalone.rkt. > Stop this program at any time to terminate the Web Server. > '() > request: (request #"GET" (url #f #f #f #f #t (list (path/param "servlets" > '()) (path/param "standalone.rkt" '())) '() #f) (list (header #"Host" > #"localhost:8000") (header #"User-Agent" #"Mozilla/5.0 (Macintosh; Intel Mac > OS X 10.11; rv:48.0) Gecko/20100101 Firefox/48.0") (header #"Accept" > #"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8") (header > #"Accept-Language" #"en-US,en;q=0.5") (header #"Accept-Encoding" #"gzip, > deflate") (header #"Connection" #"keep-alive") (header > #"Upgrade-Insecure-Requests" #"1") (header #"If-Modified-Since" #"Thu, 15 Sep > 2016 00:10:04 GMT")) #<promise!()> #f "127.0.0.1" 8000 "127.0.0.1") > body: #f > (list (binding:file #"abcz" #"abc\\" (list (header #"Content-Disposition" > #"form-data; name=\"abcz\"; filename=\"abc\\\"d\"") (header #"Content-Type" > #"application/octet-stream")) #"baht.\n")) > request: (request #"POST" (url #f #f #f #f #t (list (path/param "foo" '())) > '() #f) (list (header #"Host" #"localhost:8000") (header #"User-Agent" > #"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:48.0) Gecko/20100101 > Firefox/48.0") (header #"Accept" > #"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8") (header > #"Accept-Language" #"en-US,en;q=0.5") (header #"Accept-Encoding" #"gzip, > deflate") (header #"Referer" > #"http://localhost:8000/servlets/standalone.rkt";) (header #"Connection" > #"keep-alive") (header #"Upgrade-Insecure-Requests" #"1") (header > #"Content-Type" #"multipart/form-data; > boundary=---------------------------199536542610020832301446086836") (header > #"Content-Length" #"238")) #<promise!(#(struct:binding:file #"abcz" #"abc\\" > (#(struct:header #"Content-Disposition" #"form-data; name=\"abcz\"; > filename=\"abc\\\"d\"") #(struct:header #"Content-Type" > #"application/octet-stream")) #"baht.\n"))> #f "127.0.0.1" 8000 "127.0.0.1") > body: #f > > > The first request is just the web browser saying hello, but the second one > shows the filename field of the binding:file set to #”abc\\”. The actual > headers for the element show that the filename is abc”d, correctly. Looks to > me like the header is just parsed to the first double-quote. > > I think I can probably fix this, but I want to confirm that it’s a bug before > I dig any deeper. > > Many thanks, > > John > > > -- Jay McCarthy Associate Professor PLT @ CS @ UMass Lowell http://jeapostrophe.github.io "Wherefore, be not weary in well-doing, for ye are laying the foundation of a great work. And out of small things proceedeth that which is great." - D&C 64:33 -- You received this message because you are subscribed to the Google Groups "Racket Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to racket-users+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
