Closed
Bug 270670
Opened 20 years ago
Closed 20 years ago
Missing MIME Content-Disposition escaping in HTTP request
Categories
(Core :: Networking: HTTP, defect)
Core
Networking: HTTP
Tracking
()
RESOLVED
DUPLICATE
of bug 136676
People
(Reporter: marc, Assigned: darin.moz)
References
Details
(Keywords: intl, Whiteboard: form submission?)
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8a4) Gecko/20040927 Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8a4) Gecko/20040927 When I upload a file called (notice the '"' and '\' characters): foo" =ba\r it is not escaped in the HTTP request: Content-Disposition: form-data; name="filename"; filename="foo" =ba\r" I expect something like: Content-Disposition: form-data; name="filename"; filename="foo\" =ba\\r" Reproducible: Always Steps to Reproduce: 1. create a filename with interesting (MIME-wise) characters 2. Upload it 3. Analyse the HTTP request
|
||
Comment 1•20 years ago
|
||
I recall seeing this issue in the code, but I can't find an existing bug on it... Darin, I assume it's caller's responsibility to make sure headers are properly escaped? Does necko export any utilities for doing that?
|
|
||
Comment 2•20 years ago
|
||
Oh, confirming. But this may need reassigning to form submission.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: form submission?
|
Assignee | |
Comment 3•20 years ago
|
||
bz: Right, necko doesn't attempt to fixup the supplied request headers. It
submits them as is. Anyways, it would be terribly difficult to write code that
escapes this:
Content-Disposition: form-data; name="filename"; filename="foo" =ba\r"
How would you know that the second to last quote should be escaped? I think
this absolutely must be taken care of by the guy who calls SetRequestHeader.
As for utilities, how about nsCString::ReplaceSubstring("\"", "\\\"") ?|
|
Assignee | |
Comment 4•20 years ago
|
||
> As for utilities, how about nsCString::ReplaceSubstring("\"", "\\\"") ?
Hmm, actually that's probably not right since it would double escape any
existing escaped quotes :-/|
|
||
Comment 5•20 years ago
|
||
No, that would actually do the right thing... There's another problem, though. We don't handle non-ascii characters correctly, it looks like. We just sorta convert them into the page's encoding and dump them in the header. That's wrong... See http://lxr.mozilla.org/seamonkey/source/content/html/content/src/nsFormSubmission.cpp#791
|
||
Comment 6•20 years ago
|
||
Hmm. I thought I had filed a bug on this, but I can't find it. Perhaps, I only filed it (a more complicated case) for mailnews (bug 193439).
|
|
||
Comment 7•20 years ago
|
||
This should end up sharing code with bug 193439, I would hope.
Depends on: 193439
|
|
||
Comment 8•20 years ago
|
||
*** This bug has been marked as a duplicate of 136676 ***
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•