Re: release apreq 2.18 and mothball the project
Will apreq 2.18 still be released? On 16/02/2024 09:44, Joe Orton wrote: Joe, you've been warned before to moderate your language. This ends now. It is completely unacceptable to insult other members of the community like this one time, let alone repeatedly. It is unproductive, unprofessional, and in violation of the ASF code of conduct. I've taken the decision as PMC chair to remove you from dev@ and you are now banned from posting in the future. - Project Chair of HTTP Server, Joe Orton
Re: libapreq 2.17 POST upload with empty filename parameter
Hi, After building and installing from trunk, I can see all of the parameters being parsed as expected. Thank you for your help, kind regards, Raymond Field On 04/07/2023 22:01, Joe Schaefer wrote: 2.17 was a dud security release. Use trunk Joe Schaefer, Ph.D +1 (954) 253-3732 SunStar Systems, Inc. /Orion - The Enterprise Jamstack Wiki/ / / *From:* Raymond Field via dev *Sent:* Tuesday, July 4, 2023 7:36:33 AM *To:* dev@httpd.apache.org *Subject:* libapreq 2.17 POST upload with empty filename parameter Hi, I don't know if this is the correct place to report an issue with libapreq2, please let me know where I should sent this report if this isn't the correct place. If I POST a form to the server that contains unfilled file upload fields, the library seems to give up processing at the first empty filename, e.g. if I POST -15448443913271751721417945010 Content-Disposition: form-data; name="postticket" -15448443913271751721417945010 Content-Disposition: form-data; name="uid" 1263741688468911 -15448443913271751721417945010 Content-Disposition: form-data; name="new_doc_file"; filename="some_test.txt" Content-Type: text/plain this is some text -15448443913271751721417945010 Content-Disposition: form-data; name="new_doc_type" Document -15448443913271751721417945010 Content-Disposition: form-data; name="vidlinkhtml" -15448443913271751721417945010 Content-Disposition: form-data; name="new_doc_thumbnail"; filename="" Content-Type: application/octet-stream -15448443913271751721417945010 Content-Disposition: form-data; name="new_doc_file_thumbnail"; filename="" Content-Type: application/octet-stream -15448443913271751721417945010 Content-Disposition: form-data; name="new_doc_title" joe_wicks_crispy_sesame_chicken -15448443913271751721417945010 Content-Disposition: form-data; name="new_access" General -15448443913271751721417945010 Content-Disposition: form-data; name="new_port_name" -15448443913271751721417945010 Content-Disposition: form-data; name="new_doc_desc" -15448443913271751721417945010 Content-Disposition: form-data; name="role_7_priv_2" 21 -15448443913271751721417945010 Content-Disposition: form-data; name="new_comments" YES -15448443913271751721417945010 Content-Disposition: form-data; name="new_notify" YES -15448443913271751721417945010 Content-Disposition: form-data; name="add_submit" Submit -15448443913271751721417945010 Content-Disposition: form-data; name="add_submit_button" Submit -15448443913271751721417945010-- When looking at $apr->param I only see the following names: postticket uid new_doc_file vidlinkhtml i.e. up to but not including the first parameter with filename="" If I submit the form without the parameters that have empty filenames I see all of the parameter names. This started happening when I upgraded a server from Debian 11 to Debian 12, so it worked OK in libapreq 2.13. The libapreq libraries are not currently included in the Bookwork package list, so I added them from testing. I've also tried installing directly from CPAN, but the same issue. Kind regards, Raymond Field
libapreq 2.17 POST upload with empty filename parameter
Hi, I don't know if this is the correct place to report an issue with libapreq2, please let me know where I should sent this report if this isn't the correct place. If I POST a form to the server that contains unfilled file upload fields, the library seems to give up processing at the first empty filename, e.g. if I POST -15448443913271751721417945010 Content-Disposition: form-data; name="postticket" -15448443913271751721417945010 Content-Disposition: form-data; name="uid" 1263741688468911 -15448443913271751721417945010 Content-Disposition: form-data; name="new_doc_file"; filename="some_test.txt" Content-Type: text/plain this is some text -15448443913271751721417945010 Content-Disposition: form-data; name="new_doc_type" Document -15448443913271751721417945010 Content-Disposition: form-data; name="vidlinkhtml" -15448443913271751721417945010 Content-Disposition: form-data; name="new_doc_thumbnail"; filename="" Content-Type: application/octet-stream -15448443913271751721417945010 Content-Disposition: form-data; name="new_doc_file_thumbnail"; filename="" Content-Type: application/octet-stream -15448443913271751721417945010 Content-Disposition: form-data; name="new_doc_title" joe_wicks_crispy_sesame_chicken -15448443913271751721417945010 Content-Disposition: form-data; name="new_access" General -15448443913271751721417945010 Content-Disposition: form-data; name="new_port_name" -15448443913271751721417945010 Content-Disposition: form-data; name="new_doc_desc" -15448443913271751721417945010 Content-Disposition: form-data; name="role_7_priv_2" 21 -15448443913271751721417945010 Content-Disposition: form-data; name="new_comments" YES -15448443913271751721417945010 Content-Disposition: form-data; name="new_notify" YES -15448443913271751721417945010 Content-Disposition: form-data; name="add_submit" Submit -15448443913271751721417945010 Content-Disposition: form-data; name="add_submit_button" Submit -15448443913271751721417945010-- When looking at $apr->param I only see the following names: postticket uid new_doc_file vidlinkhtml i.e. up to but not including the first parameter with filename="" If I submit the form without the parameters that have empty filenames I see all of the parameter names. This started happening when I upgraded a server from Debian 11 to Debian 12, so it worked OK in libapreq 2.13. The libapreq libraries are not currently included in the Bookwork package list, so I added them from testing. I've also tried installing directly from CPAN, but the same issue. Kind regards, Raymond Field
