Closed Bug 53696 Opened 24 years ago Closed 23 years ago

Attachments of mime type containing a . are rejected

Categories

(Bugzilla :: Attachments & Requests, defect, P3)

x86
Windows 95
defect

Tracking

RESOLVED FIXED
Bugzilla 2.12

People

(Reporter: erik.devriendt, Assigned: tara)

References

Details

(Whiteboard: 2.16)

Attachments

(3 files)

When creating an attachment of mime type 'vnd.ms-excel', Bugzilla
replies: You must select a legal mime type, vnd.ms-excel just will not do.

As already pointed out on the newsgroup, the problem is caused by the
line
    if ($mimetype !~ m@^(\w|-)+/(\w|-)+$@)
in createattachment.cgi

It should be something like

if ($mimetype !~ m@^(\w|-|\.)+/(\w|-|\.)+$@)

See also news://news.mozilla.org/39A4019C.FBCBB851%40zeroknowledge.com
*** Bug 67180 has been marked as a duplicate of this bug. ***
bug 67180 has a patch for this...

let me know if you want me to attach it to this one.
Oh, forgot to mention that MIME types follow the form of "*/(vnd.)*", as I have 
yet to see a type that has a . without vnd.
We're debating the regexp and reviewing RFCs in IRC right now.  Apparently there 
are other things besides vnd.* that are legal, whether or not you've seen them 
before. :)  Relevant RFCs are RFC2045 and RFC2048 if you wanted to have a look.
OK, after reviewing RFC2048 (http://www.isi.edu/in-notes/rfc2048.txt) it appears 
to me that both the type and the subtype can have a "classification tree" which 
is separated from the rest of the type/subtype by a period.  The classification 
tree can be anything, but is defined by IANA, and currently, the only trees 
defined are vnd.*, prs.*, and x.*.  Since they can define new ones if they feel 
the need, we shouldn't depend on a particular one being there.

Thus, the type or the subtype should include no more than one period, since it's 
not legal except as a separator for the classification tree.

Which leads us to the following for the regexp to detect a legal mime-type:

m@^(\w|-)+(\.(\w|-)+)?/(\w|-)+(\.(\w|-)+)?$@

Any comments?  Is my interpretation of the RFC off?  (it's a bit hard to 
decipher)
Whiteboard: 2.14
Whiteboard: 2.14 → 2.16
moving to real milestones...
Target Milestone: --- → Bugzilla 2.16
*** Bug 74515 has been marked as a duplicate of this bug. ***
The mime type bug 74515 was filed for is "application/vnd.mozilla.xul+xml" which
would be rejected by the last regexp listed here (more than one . after the /).

Page four of http://www.isi.edu/in-notes/rfc2048.txt states:
   Registrations in the vendor tree will be distinguished by the leading
   facet "vnd.".  That may be followed, at the discretion of the
   registration, by either a media type name from a well-known producer
   (e.g., "vnd.mudpie") or by an IANA-approved designation of the
   producer's name which is then followed by a media type or product
   designation (e.g., vnd.bigcompany.funnypictures).

which says it can have more than one dot.  Also, the + is still considered
illegal by bugzilla (at least I don't think \w contains + in its set).
No, \w doesn't contain +.  \w is [A-Za-z_0-9]

which leads us to something like this:


m@^(\w|-|\+)+(\.(\w|-|\+)+(\.(\w|-|\+)+)?)?/(\w|-|\+)+(\.(\w|-|\+)+(\.(\w|-|\+)+)?)??$@

Wow, that's ugly.
that ?? on the end should only be one ?
Marking critical. This is making it impossible to attach XUL test cases to bugs. 
Severity: normal → critical
Moving into 2.12 to get it on the radar...

Let's be a little less strict here (makes the regexp less scary...)

m@^(\w|-|\+|\.)+/(\w|-|\+|\.)+@

That looks much easier to digest, even though it doesn't enforce the standard to 
the letter.  It's close enough.
Target Milestone: Bugzilla 2.16 → Bugzilla 2.12
Looks good to me... r= jake@acutex.net
This has been checked in.  Endico: do your thing.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
thing done
Moving closed bugs to Bugzilla product
Component: Bugzilla → Bugzilla-General
Product: Webtools → Bugzilla
Version: other → unspecified
Component: Bugzilla-General → attachment and request management
QA Contact: matty_is_a_geek → default-qa
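
Added example, not part of the original bug thread and not Bugzilla's code: the patterns proposed above, transcribed to Python's re module and run over the MIME types the thread mentions, to show which strings each one accepts. The "application/" prefix on the Excel type, the text/plain samples, the dictionary names and the end-anchored variant of the relaxed pattern are assumptions added for comparison.

```python
import re

# Patterns transcribed from the thread (Perl m@...@ delimiters dropped).
# re.ASCII keeps \w as [A-Za-z0-9_], which is how the thread describes \w.
PATTERNS = {
    "original": r"^(\w|-)+/(\w|-)+$",
    "one_dot": r"^(\w|-)+(\.(\w|-)+)?/(\w|-)+(\.(\w|-)+)?$",
    # The long proposal, with the trailing ?? written as ? per the follow-up comment.
    "two_dots": r"^(\w|-|\+)+(\.(\w|-|\+)+(\.(\w|-|\+)+)?)?"
                r"/(\w|-|\+)+(\.(\w|-|\+)+(\.(\w|-|\+)+)?)?$",
    # The relaxed pattern exactly as posted: it has no trailing $.
    "relaxed": r"^(\w|-|\+|\.)+/(\w|-|\+|\.)+",
    # Assumption, not from the thread: the relaxed pattern with an end anchor.
    "relaxed_anchored": r"^(\w|-|\+|\.)+/(\w|-|\+|\.)+$",
}
COMPILED = {name: re.compile(p, re.ASCII) for name, p in PATTERNS.items()}


def accepted_by(mimetype):
    """Return the names of the patterns that accept the string, in table order."""
    return [name for name, rx in COMPILED.items() if rx.search(mimetype)]


# Constructed sample inputs; only the XUL type is quoted in full in the thread.
SAMPLES = [
    "text/plain",
    "application/vnd.ms-excel",
    "application/vnd.mozilla.xul+xml",
    # A type followed by a parameter: only an unanchored pattern lets the
    # text after the subtype through, because it checks just the prefix.
    "text/plain; charset=us-ascii",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:40} accepted by: {', '.join(accepted_by(sample)) or 'none'}")
```

The last sample shows the practical difference between the relaxed pattern as posted and an end-anchored one: without the $, only the start of the string is validated.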