2.17 was a dud security release.  Use trunk

Joe Schaefer, Ph.D
<j...@sunstarsys.com>
+1 (954) 253-3732
SunStar Systems, Inc.
Orion - The Enterprise Jamstack Wiki

________________________________
From: Raymond Field via dev <dev@httpd.apache.org>
Sent: Tuesday, July 4, 2023 7:36:33 AM
To: dev@httpd.apache.org <dev@httpd.apache.org>
Subject: libapreq 2.17 POST upload with empty filename parameter

Hi,

I don't know if this is the correct place to report an issue with
libapreq2, please let me know where I should send this report if this
isn't the correct place.

If I POST a form to the server that contains unfilled file upload fields, the
library seems to give up processing at the first empty filename, e.g. if
I POST

-----------------------------15448443913271751721417945010
Content-Disposition: form-data; name="postticket"


-----------------------------15448443913271751721417945010
Content-Disposition: form-data; name="uid"

1263741688468911
-----------------------------15448443913271751721417945010
Content-Disposition: form-data; name="new_doc_file"; filename="some_test.txt"
Content-Type: text/plain

this is some text


-----------------------------15448443913271751721417945010
Content-Disposition: form-data; name="new_doc_type"

Document
-----------------------------15448443913271751721417945010
Content-Disposition: form-data; name="vidlinkhtml"


-----------------------------15448443913271751721417945010
Content-Disposition: form-data; name="new_doc_thumbnail"; filename=""
Content-Type: application/octet-stream


-----------------------------15448443913271751721417945010
Content-Disposition: form-data; name="new_doc_file_thumbnail"; filename=""
Content-Type: application/octet-stream


-----------------------------15448443913271751721417945010
Content-Disposition: form-data; name="new_doc_title"

joe_wicks_crispy_sesame_chicken
-----------------------------15448443913271751721417945010
Content-Disposition: form-data; name="new_access"

General
-----------------------------15448443913271751721417945010
Content-Disposition: form-data; name="new_port_name"


-----------------------------15448443913271751721417945010
Content-Disposition: form-data; name="new_doc_desc"


-----------------------------15448443913271751721417945010
Content-Disposition: form-data; name="role_7_priv_2"

21
-----------------------------15448443913271751721417945010
Content-Disposition: form-data; name="new_comments"

YES
-----------------------------15448443913271751721417945010
Content-Disposition: form-data; name="new_notify"

YES
-----------------------------15448443913271751721417945010
Content-Disposition: form-data; name="add_submit"

Submit
-----------------------------15448443913271751721417945010
Content-Disposition: form-data; name="add_submit_button"

Submit
-----------------------------15448443913271751721417945010--

When looking at $apr->param I only see the following names: postticket
uid new_doc_file vidlinkhtml

i.e. up to but not including the first parameter with filename=""

If I submit the form without the parameters that have empty filenames I
see all of the parameter names.

This started happening when I upgraded a server from Debian 11 to Debian
12, so it worked OK in libapreq 2.13.  The libapreq libraries are not
currently included in the Bookworm package list, so I added them from
testing.  I've also tried installing directly from CPAN, but the same issue.

Kind regards,

Raymond Field
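
An added example, not part of the thread and not libapreq code: a minimal multipart/form-data parse of a body shaped like the one in the report, showing that a part with filename="" is an ordinary part and that every field after it must still be enumerated. The field names come from the report; the boundary, the values and the helper names build_body, parse_form_data and dropped_names are constructed for this example.

```python
import re

BOUNDARY = "constructed-boundary-0001"  # constructed; not the boundary from the post

# (name, filename or None, content): field names from the post, values constructed.
SAMPLE = [
    ("uid", None, "12345"),
    ("new_doc_file", "some_test.txt", "this is some text"),
    ("new_doc_thumbnail", "", ""),        # file input left unfilled
    ("new_doc_file_thumbnail", "", ""),   # file input left unfilled
    ("new_doc_title", None, "example title"),
    ("add_submit", None, "Submit"),
]

def build_body(fields, boundary=BOUNDARY):
    """Serialize fields the way a browser encodes multipart/form-data."""
    out = []
    for name, filename, content in fields:
        head = f'Content-Disposition: form-data; name="{name}"'
        if filename is not None:
            head += f'; filename="{filename}"\r\nContent-Type: application/octet-stream'
        out.append(f"--{boundary}\r\n{head}\r\n\r\n{content}\r\n")
    return ("".join(out) + f"--{boundary}--\r\n").encode()

# Simplification: escaped quotes inside parameter values are not handled.
_PARAM = re.compile(rb';\s*(name|filename)="([^"]*)"', re.I)

def parse_form_data(body, boundary=BOUNDARY):
    """Return (name, kind, size) for every part, in body order."""
    delim = b"\r\n--" + boundary.encode()
    parts = []
    for chunk in (b"\r\n" + body).split(delim)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter: end of body
            break
        head, _, data = chunk[2:].partition(b"\r\n\r\n")
        params = {k.lower(): v.decode() for k, v in _PARAM.findall(head)}
        if b"filename" not in params:
            kind = "field"
        elif params[b"filename"] == "":
            kind = "empty-upload"            # a valid part; parsing continues past it
        else:
            kind = "upload"
        parts.append((params[b"name"], kind, len(data)))
    return parts

def dropped_names(parts, server_names):
    """Names present in the body that the server-side parser did not report."""
    return [name for name, _, _ in parts if name not in server_names]

if __name__ == "__main__":
    parsed = parse_form_data(build_body(SAMPLE))
    print(parsed, dropped_names(parsed, {"uid", "new_doc_file"}))
```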
