From be6337367beca9c93c426cf8b6c2665cb95cd49a Mon Sep 17 00:00:00 2001 From: Daniel Browning Date: Sat, 2 Apr 2011 14:04:32 -0700 Subject: [PATCH] Disallow name="" in Content-Disposition header. Jon Jensen noticed that the last commit (b29f34f5) introduced a new problem by relaxing the constraint a little too much and allowing empty strings. This patch by Mike Heins goes back to requiring at least one character, while still allowing 0. --- lib/Vend/Server.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/Vend/Server.pm b/lib/Vend/Server.pm index a6620f5da..5baf1090e 100644 --- a/lib/Vend/Server.pm +++ b/lib/Vend/Server.pm @@ -478,7 +478,7 @@ sub parse_multipart { } #::logDebug("Content-Disposition: " . $header{'Content-Disposition'}); - my($param)= $header{'Content-Disposition'}=~/ name="?([^\";]*)"?/; + my($param)= $header{'Content-Disposition'}=~/ name="?([^\";]+)"?/; # Bug: Netscape doesn't escape quotation marks in file names!!! my($filename) = $header{'Content-Disposition'}=~/ filename="?([^\";]*)"?/;