Output isn't quoted when multipart form values include spaces

[salty-horse]

When a mutlipart form value contains spaces, h2c outputs --form FOO=1 2 3 4 instead of --form 'FOO=1 2 3 4'.

Since h2c's output is a valid shell command, one should be careful with other characters such as ; or ', which may require quoting or escaping.

[bagder]

Oh right. I think I'll go with always-quoting the string and add escaping for a bunch of sensitive letters. What do you think about that?

[salty-horse]

I struggle with getting shells to understand me sometimes. Always quoting seems like a good idea.

[bagder]

That also makes letters such as semicolons not needing extra escaping.

[salty-horse]

Since the fix uses double quotes instead of single quotes, a shell will expand $ variables.

POST / HTTP/1.1
Host: localhost:8000
User-Agent: curl/7.47.0
Accept: */*
Content-Length: 143
Expect: 100-continue
Content-Type: multipart/form-data; boundary=------------------------fdbf5f7d1c2a96b2

--------------------------fdbf5f7d1c2a96b2
Content-Disposition: form-data; name="FOO"

$PATH
--------------------------fdbf5f7d1c2a96b2--

outputs:
curl --http1.1 --user-agent "curl/7.47.0" --form FOO="$PATH" https://localhost:8000/, which is bad.

[bagder]

Adding $ and \ to the regex now. Anything else?

[salty-horse]

Windows will expand %PATH%. I think single-quoting is the only way to avoid that if the output command should be cross-platform.

[bagder]

The windows command prompt doesn't support single quotes!

[bagder]

So quote % as well?

[salty-horse]

Impossible...? In Windows, % is quoted with %%, but in a POSIX shell, %% is treated as %%.

[bagder]

Hm, okey, so maybe ignore Windows for now and add an option to make the output "windows compatible" later.

[slavaatsig]

Seems like best effort option is to provide the output suitable for the host platform with the option to generate output for other systems.

Looks like String::ShellQuote is a good bicycle for POSIX platforms.

If external library dependencies is a no-no, then for POSIX shells easiest way seems to use singular quotes so this is the only character that you will have to take care.

Reference: https://stackoverflow.com/a/24869016/7598113

[bagder]

BUGS
Only Bourne shell quoting is supported

... so it won't help us a whole lot.

[slavaatsig]

For Microsoft® Windows™ platforms there is an MSDN blog-post about the wrong ways to do so.

TL;DR: See conclusions at the end of the post, it should enlighten on how to do it properly.

P.S.
It would be more helpful if Microsoft would posted about how to do it in a proper way instead.

[bagder]

still, that requires a "windows output mode" option to quote in that style instead