
Commit e4942b8

committed
Randomise multipart boundary. Thanks to Yamada Masahiro.
1 parent 6405b5d commit e4942b8


3 files changed

+15
-5
lines changed

3 files changed

+15
-5
lines changed

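--- a/lib/CGI/Simple.pm
+++ b/lib/CGI/Simple.pm
@@ -1125,7 +1125,14 @@ sub multipart_init {
 my ( $self, @p ) = @_;
 use CGI::Simple::Util qw(rearrange);
 my ( $boundary, @other ) = rearrange( ['BOUNDARY'], @p );
-$boundary = $boundary || '------- =_aaaaaaaaaa0';
+if ( !$boundary ) {
+$boundary = '------- =_';
+my @chrs = ( '0' .. '9', 'A' .. 'Z', 'a' .. 'z' );
+for ( 1 .. 17 ) {
+$boundary .= $chrs[ rand( scalar @chrs ) ];
+}
+}
+
 my $CRLF = $self->crlf; # get CRLF sequence
 my $warning
 = "WARNING: YOUR BROWSER DOESN'T SUPPORT THIS SERVER-PUSH TECHNOLOGY.";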
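Review bot: The added loop at new lines 1131-1133 draws the 17 boundary characters from Perl's built-in `rand`, which is not a cryptographically strong generator, so the default boundary becomes hard to hit by accident but is not guaranteed to be unguessable. In pre-forking deployments, children that inherit an already-seeded generator can also emit identical boundary sequences unless `srand` is re-run after the fork. If the boundary is meant to keep served content from closing a part early, consider drawing the characters from an OS randomness source where one is available, and at minimum record the limitation with a comment such as `# rand() is not a CSPRNG: boundary is hard to hit by accident, not unguessable`. The guard `if ( !$boundary )` also keeps the old behaviour of treating a caller-supplied '0' as missing, and a caller-supplied boundary is not checked in these lines; multipart_init's body continues outside the hunk, so whether it is validated for CR/LF or quotes before reaching the header is not visible here.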

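--- a/t/050.simple.t
+++ b/t/050.simple.t
@@ -945,10 +945,11 @@ $q = new CGI::Simple;
 $sv = $q->multipart_init();
 like(
 $sv,
-qr|Content-Type: multipart/x-mixed-replace;boundary="------- =_aaaaaaaaaa0"|,
+qr|Content-Type: multipart/x-mixed-replace;boundary="------- =_[a-zA-Z0-9]{17}"|,
 'multipart_init(), 1'
 );
-like( $sv, qr/--------- =_aaaaaaaaaa0$CRLF/, 'multipart_init(), 2' );
+like( $sv, qr/--------- =_[a-zA-Z0-9]{17}$CRLF/,
+'multipart_init(), 2' );
 $sv = $q->multipart_init( 'this_is_the_boundary' );
 like( $sv, qr/boundary="this_is_the_boundary"/, 'multipart_init(), 3' );
 $sv = $q->multipart_init( -boundary => 'this_is_another_boundary' );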
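Review bot: The updated patterns at new lines 948 and 951 only pin the shape of the default boundary, so an implementation that returned the same 17-character string on every call would still pass. A second call compared against the first would cover the property the commit is after, for example `isnt( $q->multipart_init(), $sv, 'multipart_init(), boundary varies' );` placed right after test 2, before `$sv` is reassigned. The same gap applies to the matching hunk in t/070.standard.t, where the functional form `multipart_init()` would be used instead.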

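--- a/t/070.standard.t
+++ b/t/070.standard.t
@@ -953,10 +953,12 @@ restore_parameters();
 $sv = multipart_init();
 like(
 $sv,
-qr|Content-Type: multipart/x-mixed-replace;boundary="------- =_aaaaaaaaaa0"|,
+qr|Content-Type: multipart/x-mixed-replace;boundary="------- =_[a-zA-Z0-9]{17}"|,
 'multipart_init(), 1'
 );
-like( $sv, qr/--------- =_aaaaaaaaaa0$CRLF/, 'multipart_init(), 2' );
+
+like( $sv, qr/--------- =_[a-zA-Z0-9]{17}$CRLF/,
+'multipart_init(), 2' );
 $sv = multipart_init( 'this_is_the_boundary' );
 like( $sv, qr/boundary="this_is_the_boundary"/, 'multipart_init(), 3' );
 $sv = multipart_init( -boundary => 'this_is_another_boundary' );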
