Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.
Sign upGitHub is where the world builds software
Millions of developers and companies build, ship, and maintain their software on GitHub — the largest and most advanced development platform in the world.
7.47.1 VS 7.61.1 / curl_formadd deals with '\' in param differently #3361
Comments
Agreed. @monnerat can you recall the reason behind this? The code that does this seems to be here Line 1747 in 3a9cb0d I could reproduce the problem by adjusting tests/libcurl/lib554.c like this: diff --git a/tests/libtest/lib554.c b/tests/libtest/lib554.c
index cc21d245b..79ab72136 100644
--- a/tests/libtest/lib554.c
+++ b/tests/libtest/lib554.c
@@ -80,11 +80,11 @@ static int once(char *URL, bool oldstyle)
/* Fill in the file upload field */
if(oldstyle) {
formrc = curl_formadd(&formpost,
&lastptr,
- CURLFORM_COPYNAME, "sendfile",
+ CURLFORM_COPYNAME, "send\\file",
CURLFORM_STREAM, &pooh,
CURLFORM_CONTENTSLENGTH, (long)pooh.sizeleft,
CURLFORM_FILENAME, "postit2.c",
CURLFORM_END);
} |
|
Given some more thoughts: I suppose this treatment is done to "escape" the letter correctly then generating the header so that a MIME compliant receiver would un-escape it correctly in the other end. |
|
My server is a basic ASP.NET Core one and when I end up trying to extract the Request.Form.File[0].Name it is failing to "de-escape" that doubled backslash. I don't find a clear specifications of what should be the content-disposition encoding (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition), but if libcurl way of encoding the backslash is correct, I guess I should notify the ASP.NET Core. Does anyone know for sure how such a character should be encoded in that case? Thank you, |
RFC 7578 (multipart/form-data) introduces the RFC 2183 (content disposition) defines RFC 2045 (MIME) defines RFC 822 (Mail) defines Thus IMO, the escaping done by curl is correct and a receiving server should conform to this too. |
|
@monnerat Thanks a lot, I was struggling to find this information. Then I guess I should notify the ASP.NET Core team. In the meantime, as a work around, I will be using another form text parameter to pass my information un-escaped. |
|
@bagder Can we admit this is not a bug and add a note in the curl_formadd documentation? |
|
Yes! |
Hi.
In 7.47.1, we were passing as curl_formadd parameter CURLFORM_COPYNAME (comment also apply to CURLFORM_FILENAME) a string with a backslash ''. So a simple, single byte per character, null terminated string like "a\b" is being picked up nicely by the server, no issue.
But in 7.61.1, the back-slash ends up being doubled and the server get a string "a\b" instead in the content-disposition.
I can see in https://curl.haxx.se/libcurl/c/curl_formadd.html that the 7.56 introduced a difference in the management of parameters, but I don't understand that particular behaviour change. Doubling the backslashes seems like a bug to me. Am I missing anything? If it is done on purpose, for a reason I'm missing, maybe updating the documentation would be helpful?
Thank you,
David.