Hi Mark,

On Apr 16, 2008, at 10:32 AM, Mark Pauley wrote:

The bug is in the php tool, not in webkit. From the RFC (rfc1341 http://www.w3.org/Protocols/rfc1341/7_2_Multipart.html) :

boundary := 0*69<bchars> bcharsnospace

bchars := bcharsnospace / " "

bcharsnospace :=    DIGIT / ALPHA / "'" / "(" / ")" / "+"  /
               / "," / "-" / "." / "/" / ":" / "=" / "?"

'+' is absolutely allowable, I'm betting that your upload tool source has a faulty regular expression for grabbing multipart boundaries. Perhaps what we really want here is a method of specifying the multipart boundary to webkit... and so allow all manner of hackers to work around parsing issues like this one without encouraging people to write crappy parsers.

or, you could grab the webkit source, hack a work-around and ship your own webkit dylib embedded in your app. Let's not go tooling with code that works on millions of people's machines because of a fault in code that works on thousands of people's machines.

You are correct by the letter of the spec that "+" is allowed in the boundary separator. However, this is not the first time we've had a site break in WebKit-based browsers when it worked fine in other browsers, due to our choice of boundary characters. Even though the spec allows a wide character set, I think it would be wise to limit the characters we use to those sent by other browsers, since some web developers develop against IE/Firefox and test against Safari as an afterthought, if at all.


webkit-dev mailing list

Reply via email to