Re: libapreq 2.17 POST upload with empty filename parameter

2023-07-05 Thread Raymond Field via dev

Hi,

After building and installing from trunk, I can see all of the 
parameters being parsed as expected.


Thank you for your help,

kind regards,

Raymond Field

On 04/07/2023 22:01, Joe Schaefer wrote:

2.17 was a dud security release.  Use trunk

Joe Schaefer, Ph.D

+1 (954) 253-3732
SunStar Systems, Inc.
Orion - The Enterprise Jamstack Wiki

*From:* Raymond Field via dev 
*Sent:* Tuesday, July 4, 2023 7:36:33 AM
*To:* dev@httpd.apache.org 
*Subject:* libapreq 2.17 POST upload with empty filename parameter
Hi,

I don't know if this is the correct place to report an issue with
libapreq2, please let me know where I should send this report if this
isn't the correct place.

If I POST a form to the server that contains unfilled file upload fields, the
library seems to give up processing at the first empty filename, e.g. if
I POST

-15448443913271751721417945010
Content-Disposition: form-data; name="postticket"


-15448443913271751721417945010
Content-Disposition: form-data; name="uid"

1263741688468911
-15448443913271751721417945010
Content-Disposition: form-data; name="new_doc_file";
filename="some_test.txt"
Content-Type: text/plain

this is some text


-15448443913271751721417945010
Content-Disposition: form-data; name="new_doc_type"

Document
-15448443913271751721417945010
Content-Disposition: form-data; name="vidlinkhtml"


-15448443913271751721417945010
Content-Disposition: form-data; name="new_doc_thumbnail"; filename=""
Content-Type: application/octet-stream


-15448443913271751721417945010
Content-Disposition: form-data; name="new_doc_file_thumbnail"; filename=""
Content-Type: application/octet-stream


-15448443913271751721417945010
Content-Disposition: form-data; name="new_doc_title"

joe_wicks_crispy_sesame_chicken
-15448443913271751721417945010
Content-Disposition: form-data; name="new_access"

General
-15448443913271751721417945010
Content-Disposition: form-data; name="new_port_name"


-15448443913271751721417945010
Content-Disposition: form-data; name="new_doc_desc"


-15448443913271751721417945010
Content-Disposition: form-data; name="role_7_priv_2"

21
-15448443913271751721417945010
Content-Disposition: form-data; name="new_comments"

YES
-15448443913271751721417945010
Content-Disposition: form-data; name="new_notify"

YES
-15448443913271751721417945010
Content-Disposition: form-data; name="add_submit"

Submit
-15448443913271751721417945010
Content-Disposition: form-data; name="add_submit_button"

Submit
-15448443913271751721417945010--

When looking at $apr->param I only see the following names: postticket
uid new_doc_file vidlinkhtml

i.e. up to but not including the first parameter with filename=""

If I submit the form without the parameters that have empty filenames I
see all of the parameter names.

This started happening when I upgraded a server from Debian 11 to Debian
12, so it worked OK in libapreq 2.13.  The libapreq libraries are not
currently included in the Bookworm package list, so I added them from
testing.  I've also tried installing directly from CPAN, but the same issue.


Kind regards,

Raymond Field


Re: libapreq 2.17 POST upload with empty filename parameter

2023-07-04 Thread Joe Schaefer
2.17 was a dud security release.  Use trunk

Joe Schaefer, Ph.D

+1 (954) 253-3732
SunStar Systems, Inc.
Orion - The Enterprise Jamstack Wiki


From: Raymond Field via dev 
Sent: Tuesday, July 4, 2023 7:36:33 AM
To: dev@httpd.apache.org 
Subject: libapreq 2.17 POST upload with empty filename parameter

Hi,

I don't know if this is the correct place to report an issue with
libapreq2, please let me know where I should send this report if this
isn't the correct place.

If I POST a form to the server that contains unfilled file upload fields, the
library seems to give up processing at the first empty filename, e.g. if
I POST

-15448443913271751721417945010
Content-Disposition: form-data; name="postticket"


-15448443913271751721417945010
Content-Disposition: form-data; name="uid"

1263741688468911
-15448443913271751721417945010
Content-Disposition: form-data; name="new_doc_file";
filename="some_test.txt"
Content-Type: text/plain

this is some text


-15448443913271751721417945010
Content-Disposition: form-data; name="new_doc_type"

Document
-15448443913271751721417945010
Content-Disposition: form-data; name="vidlinkhtml"


-15448443913271751721417945010
Content-Disposition: form-data; name="new_doc_thumbnail"; filename=""
Content-Type: application/octet-stream


-15448443913271751721417945010
Content-Disposition: form-data; name="new_doc_file_thumbnail"; filename=""
Content-Type: application/octet-stream


-15448443913271751721417945010
Content-Disposition: form-data; name="new_doc_title"

joe_wicks_crispy_sesame_chicken
-15448443913271751721417945010
Content-Disposition: form-data; name="new_access"

General
-15448443913271751721417945010
Content-Disposition: form-data; name="new_port_name"


-15448443913271751721417945010
Content-Disposition: form-data; name="new_doc_desc"


-15448443913271751721417945010
Content-Disposition: form-data; name="role_7_priv_2"

21
-15448443913271751721417945010
Content-Disposition: form-data; name="new_comments"

YES
-15448443913271751721417945010
Content-Disposition: form-data; name="new_notify"

YES
-15448443913271751721417945010
Content-Disposition: form-data; name="add_submit"

Submit
-15448443913271751721417945010
Content-Disposition: form-data; name="add_submit_button"

Submit
-15448443913271751721417945010--

When looking at $apr->param I only see the following names: postticket
uid new_doc_file vidlinkhtml

i.e. up to but not including the first parameter with filename=""

If I submit the form without the parameters that have empty filenames I
see all of the parameter names.

This started happening when I upgraded a server from Debian 11 to Debian
12, so it worked OK in libapreq 2.13.  The libapreq libraries are not
currently included in the Bookworm package list, so I added them from
testing.  I've also tried installing directly from CPAN, but the same issue.

Kind regards,

Raymond Field
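
A regression check for the behaviour reported in this thread, as an added example (not part of the original messages and not libapreq code): it parses a multipart/form-data body containing `filename=""` parts and lists which names an application's parameter list is missing. The function names, the `--` + boundary delimiter framing and the sample form (a constructed subset of the posted one) are assumptions of the example.

```python
import re

CRLF = "\r\n"
BOUNDARY = "15448443913271751721417945010"  # boundary digits as shown in the post

# Constructed sample: a subset of the posted form, same order.
# (name, filename or None for a plain field, value)
SAMPLE = [
    ("postticket", None, ""),
    ("uid", None, "1263741688468911"),
    ("new_doc_file", "some_test.txt", "this is some text"),
    ("new_doc_type", None, "Document"),
    ("new_doc_thumbnail", "", ""),       # unfilled file input
    ("new_doc_file_thumbnail", "", ""),  # unfilled file input
    ("new_doc_title", None, "joe_wicks_crispy_sesame_chicken"),
    ("add_submit", None, "Submit"),
]

def build_body(parts, boundary=BOUNDARY):
    """Serialize parts as multipart/form-data (RFC 7578 framing)."""
    out = []
    for name, filename, value in parts:
        head = f'Content-Disposition: form-data; name="{name}"'
        if filename is not None:
            head += f'; filename="{filename}"{CRLF}Content-Type: application/octet-stream'
        out.append(f"--{boundary}{CRLF}{head}{CRLF}{CRLF}{value}{CRLF}")
    return "".join(out) + f"--{boundary}--{CRLF}"

def parse_form(body, boundary=BOUNDARY):
    """Return [(name, kind, value)] for every part; an empty filename never ends parsing."""
    parts = []
    for sec in (CRLF + body).split(f"{CRLF}--{boundary}")[1:]:
        if sec.startswith("--"):  # close delimiter
            break
        head, _, data = sec[len(CRLF):].partition(CRLF + CRLF)
        # \b keeps name= from matching inside filename=
        name = re.search(r'\bname="([^"]*)"', head).group(1)
        fn = re.search(r'\bfilename="([^"]*)"', head)
        if fn is None:
            kind = "field"
        elif fn.group(1) == "" and data == "":
            kind = "empty-upload"  # browser sent an unfilled file input
        else:
            kind = "upload"
        parts.append((name, kind, data))
    return parts

def dropped_names(body, seen_by_app):
    """Names present on the wire that the application's parameter list lacks."""
    return [n for n, _, _ in parse_form(body) if n not in seen_by_app]
```

Feed `dropped_names` the raw request body and the names the handler actually received; a non-empty result after an upgrade means fields that follow an unfilled file input are being lost before the application's validation or authorization logic sees them.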