The attached patch fixes (tested) some problems with e.g. Lynx. Please try it and tell me if it can be committed or not. --Jani
Index: rfc1867.c =================================================================== RCS file: /repository/php4/main/rfc1867.c,v retrieving revision 1.60 diff -u -r1.60 rfc1867.c --- rfc1867.c 2001/02/26 06:07:31 1.60 +++ rfc1867.c 2001/04/05 05:49:01 @@ -153,30 +153,39 @@ } break; case 1: /* Check content-disposition */ - if (strncasecmp(ptr, "Content-Disposition: form-data;", 31)) { + while (strncasecmp(ptr, "Content-Disposition: +form-data;", 31)) { if (rem < 31) { SAFE_RETURN; } - php_error(E_WARNING, "File Upload Mime headers garbled ptr: [%c%c%c%c%c]", *ptr, *(ptr + 1), *(ptr + 2), *(ptr + 3), *(ptr + 4)); - SAFE_RETURN; + if (ptr[1] == '\n') { + /* empty line as end of header found +*/ + php_error(E_WARNING, "File Upload Mime +headers garbled ptr: [%c%c%c%c%c]", *ptr, *(ptr + 1), *(ptr + 2), *(ptr + 3), *(ptr + +4)); + SAFE_RETURN; + } + /* some other headerfield found, skip it */ + loc = (char *) memchr(ptr, '\n', rem)+1; + while (*loc == ' ' || *loc == '\t') + /* other field is folded, skip it */ + loc = (char *) memchr(loc, '\n', +rem-(loc-ptr))+1; + rem -= (loc - ptr); + ptr = loc; } loc = memchr(ptr, '\n', rem); + while (loc[1] == ' ' || loc[1] == '\t') + /* field is folded, look for end */ + loc = memchr(loc+1, '\n', rem-(loc-ptr)-1); name = strstr(ptr, " name="); if (name && name < loc) { name += 6; - s = memchr(name, '\"', loc - name); - if ( name == s ) { + if ( *name == '\"' ) { name++; s = memchr(name, '\"', loc - name); if(!s) { php_error(E_WARNING, "File Upload Mime headers garbled name: [%c%c%c%c%c]", *name, *(name + 1), *(name + 2), *(name + 3), *(name + 4)); SAFE_RETURN; } - } else if(!s) { - s = loc; } else { - php_error(E_WARNING, "File Upload Mime headers garbled name: [%c%c%c%c%c]", *name, *(name + 1), *(name + 2), *(name + 3), *(name + 4)); - SAFE_RETURN; + s = strpbrk(name, " +\t()<>@,;:\\\"/[]?=\r\n"); } if (namebuf) { efree(namebuf); @@ -187,9 +196,13 @@ } lbuf = emalloc(s-name + MAX_SIZE_OF_INDEX + 1); state = 2; - loc2 = memchr(loc + 1, '\n', rem); - rem -= (loc2 - ptr) + 1; - ptr = loc2 + 1; + loc2 = loc; + while (loc2[2] != '\n') { + /* empty line as end of header not yet +found */ + loc2 = memchr(loc2 + 1, '\n', +rem-(loc2-ptr)-1); + } + rem -= (loc2 - ptr) + 3; + ptr = loc2 + 3; /* is_arr_upload is true when name of file upload field * ends in [.*] * start_arr is set to point to 1st [
-- PHP Development Mailing List <http://www.php.net/> To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]