The attached patch fixes (tested) some problems with
e.g. Lynx. Please try it and tell me if it can be
committed or not.
--Jani
Index: rfc1867.c
===================================================================
RCS file: /repository/php4/main/rfc1867.c,v
retrieving revision 1.60
diff -u -r1.60 rfc1867.c
--- rfc1867.c 2001/02/26 06:07:31 1.60
+++ rfc1867.c 2001/04/05 05:49:01
@@ -153,30 +153,39 @@
}
break;
case 1: /* Check content-disposition */
- if (strncasecmp(ptr, "Content-Disposition:
form-data;", 31)) {
+ while (strncasecmp(ptr, "Content-Disposition:
+form-data;", 31)) {
if (rem < 31) {
SAFE_RETURN;
}
- php_error(E_WARNING, "File Upload Mime headers
garbled ptr: [%c%c%c%c%c]", *ptr, *(ptr + 1), *(ptr + 2), *(ptr + 3), *(ptr + 4));
- SAFE_RETURN;
+ if (ptr[1] == '\n') {
+ /* empty line as end of header found
+*/
+ php_error(E_WARNING, "File Upload Mime
+headers garbled ptr: [%c%c%c%c%c]", *ptr, *(ptr + 1), *(ptr + 2), *(ptr + 3), *(ptr +
+4));
+ SAFE_RETURN;
+ }
+ /* some other headerfield found, skip it */
+ loc = (char *) memchr(ptr, '\n', rem)+1;
+ while (*loc == ' ' || *loc == '\t')
+ /* other field is folded, skip it */
+ loc = (char *) memchr(loc, '\n',
+rem-(loc-ptr))+1;
+ rem -= (loc - ptr);
+ ptr = loc;
}
loc = memchr(ptr, '\n', rem);
+ while (loc[1] == ' ' || loc[1] == '\t')
+ /* field is folded, look for end */
+ loc = memchr(loc+1, '\n', rem-(loc-ptr)-1);
name = strstr(ptr, " name=");
if (name && name < loc) {
name += 6;
- s = memchr(name, '\"', loc - name);
- if ( name == s ) {
+ if ( *name == '\"' ) {
name++;
s = memchr(name, '\"', loc - name);
if(!s) {
php_error(E_WARNING, "File
Upload Mime headers garbled name: [%c%c%c%c%c]", *name, *(name + 1), *(name + 2),
*(name + 3), *(name + 4));
SAFE_RETURN;
}
- } else if(!s) {
- s = loc;
} else {
- php_error(E_WARNING, "File Upload Mime
headers garbled name: [%c%c%c%c%c]", *name, *(name + 1), *(name + 2), *(name + 3),
*(name + 4));
- SAFE_RETURN;
+ s = strpbrk(name, "
+\t()<>@,;:\\\"/[]?=\r\n");
}
if (namebuf) {
efree(namebuf);
@@ -187,9 +196,13 @@
}
lbuf = emalloc(s-name + MAX_SIZE_OF_INDEX +
1);
state = 2;
- loc2 = memchr(loc + 1, '\n', rem);
- rem -= (loc2 - ptr) + 1;
- ptr = loc2 + 1;
+ loc2 = loc;
+ while (loc2[2] != '\n') {
+ /* empty line as end of header not yet
+found */
+ loc2 = memchr(loc2 + 1, '\n',
+rem-(loc2-ptr)-1);
+ }
+ rem -= (loc2 - ptr) + 3;
+ ptr = loc2 + 3;
/* is_arr_upload is true when name of file
upload field
* ends in [.*]
* start_arr is set to point to 1st [
--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
