> On Sep 14, 2016, at 6:27 PM, Jay McCarthy <jay.mccar...@gmail.com> wrote: > > Yes, this is an error. Line 251 of web-server/http/request.rkt uses a > regular-expression to extract the name and it is not robust against > quoted strings. I don't have the bandwidth to fix this until after > RacketCon. Let me know if you will look into it, otherwise I will put > it in my TODO list.
I’m looking at it now, and I’m seeing other potential issues; it looks to me like the regexp could just possibly match in the wrong part of the line entirely. Looking at RFC 6266…. John > > Jay > > On Wed, Sep 14, 2016 at 8:18 PM, John Clements > <cleme...@brinckerhoff.org> wrote: >> The web-server code has been rock-solid for me, but I think I’ve actually >> found a bug. Specifically, it looks like the filename part of a >> multipart/form-data file submission is prematurely terminated when a >> filename contains a double-quote. Either that, or Firefox is not using the >> right encoding scheme. >> >> To see this, I run this toy web server: >> >> #lang racket >> >> (require web-server/servlet-env >> web-server/http/request-structs >> web-server/http/xexpr) >> >> (define (go request) >> (printf "~v\n" >> (request-bindings/raw request)) >> (printf "request: ~v\n" >> request) >> (printf "body: ~v\n" >> (request-post-data/raw request)) >> (response/xexpr '(html >> (body >> (p "yay") >> (form ((action "/foo") >> (method "post") >> (enctype "multipart/form-data")) >> (input ((type "file") (name "abcz"))) >> (input ((type "submit")))))))) >> >> >> (serve/servlet go >> #:servlet-regexp #px”") >> >> … and then, in Firefox, I choose a file named abc”d. That is, abcd with a >> double-quote in the middle of it. >> >> DrRacket then reports: >> >> Your Web application is running at >> http://localhost:8000/servlets/standalone.rkt. >> Stop this program at any time to terminate the Web Server. >> '() >> request: (request #"GET" (url #f #f #f #f #t (list (path/param "servlets" >> '()) (path/param "standalone.rkt" '())) '() #f) (list (header #"Host" >> #"localhost:8000") (header #"User-Agent" #"Mozilla/5.0 (Macintosh; Intel Mac >> OS X 10.11; rv:48.0) Gecko/20100101 Firefox/48.0") (header #"Accept" >> #"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8") (header >> #"Accept-Language" #"en-US,en;q=0.5") (header #"Accept-Encoding" #"gzip, >> deflate") (header #"Connection" #"keep-alive") (header >> #"Upgrade-Insecure-Requests" #"1") (header #"If-Modified-Since" #"Thu, 15 >> Sep 2016 00:10:04 GMT")) #<promise!()> #f "127.0.0.1" 8000 "127.0.0.1") >> body: #f >> (list (binding:file #"abcz" #"abc\\" (list (header #"Content-Disposition" >> #"form-data; name=\"abcz\"; filename=\"abc\\\"d\"") (header #"Content-Type" >> #"application/octet-stream")) #"baht.\n")) >> request: (request #"POST" (url #f #f #f #f #t (list (path/param "foo" '())) >> '() #f) (list (header #"Host" #"localhost:8000") (header #"User-Agent" >> #"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:48.0) Gecko/20100101 >> Firefox/48.0") (header #"Accept" >> #"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8") (header >> #"Accept-Language" #"en-US,en;q=0.5") (header #"Accept-Encoding" #"gzip, >> deflate") (header #"Referer" >> #"http://localhost:8000/servlets/standalone.rkt";) (header #"Connection" >> #"keep-alive") (header #"Upgrade-Insecure-Requests" #"1") (header >> #"Content-Type" #"multipart/form-data; >> boundary=---------------------------199536542610020832301446086836") (header >> #"Content-Length" #"238")) #<promise!(#(struct:binding:file #"abcz" #"abc\\" >> (#(struct:header #"Content-Disposition" #"form-data; name=\"abcz\"; >> filename=\"abc\\\"d\"") #(struct:header #"Content-Type" >> #"application/octet-stream")) #"baht.\n"))> #f "127.0.0.1" 8000 "127.0.0.1") >> body: #f >> >> >> The first request is just the web browser saying hello, but the second one >> shows the filename field of the binding:file set to #”abc\\”. The actual >> headers for the element show that the filename is abc”d, correctly. Looks to >> me like the header is just parsed to the first double-quote. >> >> I think I can probably fix this, but I want to confirm that it’s a bug >> before I dig any deeper. >> >> Many thanks, >> >> John >> >> >> > > > > -- > Jay McCarthy > Associate Professor > PLT @ CS @ UMass Lowell > http://jeapostrophe.github.io > > "Wherefore, be not weary in well-doing, > for ye are laying the foundation of a great work. > And out of small things proceedeth that which is great." > - D&C 64:33 > > -- > You received this message because you are subscribed to the Google Groups > "Racket Users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to racket-users+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to the Google Groups "Racket Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to racket-users+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
