Lets take this to apreq-dev land.
--
------------------------------------------------------------------------
1024D/DB9B8C1C B90B FBC3 A3A1 C71A 8E70 3F8C 75B8 8FFB DB9B 8C1C
Philip M. Gollucci (pgollu...@p6m7g8.com) c: 703.336.9354
Consultant - P6M7G8 Inc. http://p6m7g8.net
Director IT - RideCharge, Inc. http://ridecharge.com
Contractor - PositiveEnergyUSA http://positiveenergyusa.com
ASF Member - Apache Software Foundation http://apache.org
FreeBSD Committer - FreeBSD Foundation http://freebsd.org
Work like you don't need the money,
love like you'll never get hurt,
and dance like nobody's watching.
--- Begin Message ---
When you handle a multipart/form-data post with libapreq quotes in
filenames are mishandled. For example, a post that includes:
Content-Disposition: form-data; name="foo"; filename="break"here.jpg"
Will result in a filename of just 'break'.
To reproduce, set up a test following the snippets below, and upload a
file named 'break"here.jpg' to the resulting form.
I'm using Apache/2.2.9 (Ubuntu) DAV/2 SVN/1.5.1 mod_ssl/2.2.9
OpenSSL/0.9.8g mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0
In your error log you will see just 'break'.
---httpd.conf---
<Perl>
use lib qw(/home/mcrawfor/);
</Perl>
PerlModule QuoteParse
<Location /test/>
SetHandler perl-script
PerlResponseHandler QuoteParse
</Location>
---QuoteParse.pm---
package QuoteParse;
use strict;
use warnings;
use Apache2::RequestRec ();
use Apache2::Request ();
use Apache2::Const -compile => qw(OK);
sub handler {
my $r = shift;
my $req = Apache2::Request->new($r);
warn $req->param('foo');
$r->content_type('text/html');
print "<form method='post' enctype='multipart/form-data'><input
type='file' name='foo'><input type='submit'></form>";
return Apache2::Const::OK;
}
1;
--- End Message ---
--- Begin Message ---
Miles Crawford wrote:
When you handle a multipart/form-data post with libapreq quotes in
filenames are mishandled. For example, a post that includes:
Content-Disposition: form-data; name="foo"; filename="break"here.jpg"
Isn't that a malformed header? I would think that the internal '"'
should be escaped for it to be properly represent that filename.
Assuming that's the case, the rest of the behavior that you describe is
what I'd expect.
Adam
--- End Message ---
--- Begin Message ---
I agree it looks bogus, but safari and firefox send the header in that
format. Not sure about IE since Windows does not allow files with a "
in the name.
I looked over the Content-Disposition header RFC but it does not seem
to address escaping directly.
Either way, it seems that this format is a "browser fact of life"
-miles
On Fri, Jan 2, 2009 at 4:44 PM, Adam Prime <adam.pr...@utoronto.ca> wrote:
> Miles Crawford wrote:
>>
>> When you handle a multipart/form-data post with libapreq quotes in
>> filenames are mishandled. For example, a post that includes:
>>
>> Content-Disposition: form-data; name="foo"; filename="break"here.jpg"
>
> Isn't that a malformed header? I would think that the internal '"' should
> be escaped for it to be properly represent that filename. Assuming that's
> the case, the rest of the behavior that you describe is what I'd expect.
>
> Adam
>
--- End Message ---
