-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
HTTP multipart/form-data is broken in multiple IPFS implementation #437
Comments
Small correction: in the case of the golang |
Tagging some relevant individual: @magik6k @lgierth @daviddias @Stebalien |
* needs a name parameter * "file" isn't a valid disposition see https://github.com/ipfs/ipfs/issues/395
* needs a name parameter * "file" isn't a valid disposition see https://github.com/ipfs/ipfs/issues/395
Thanks for reporting all this! Status:
|
@daviddias This was a cross-implementation issue filed against both go and js. |
Also, looking into this, all parts appear to have been fixed. |
I tried to parse a
multipart/form-data
HTTP request produced bygo-ipfs-api
with golang's standardhttp
package and it completely failed. After going down the rabbit hole, turns out that there is multiple issues, shared by multiple IPFS implementation:Content-Disposition
header, withgo-ipfs-api
, parameters are separated with a:
instead of a;
Content-Disposition
of typefile
is invalid; it should beform-data
(see https://tools.ietf.org/html/rfc7578#section-4.2)Content-Disposition
is missing the mandatoryname
parameter (again, see https://tools.ietf.org/html/rfc7578#section-4.2)On the go side, I opened ipfs/go-ipfs-api#167 to address 1. , and ipfs/go-ipfs-files#8 to address 2. and 3. .
On the js side, I opened ipfs-inactive/js-ipfs-http-client#948 to address 2. and 3. . I don't know if 1. is an issue here.
I'm opening this issue because the problem seems to be more widespread than just those PR (see https://github.com/search?p=1&q=org%3Aipfs+Content-Disposition&type=Code as an example).
Another problem I faced but that is not covered by a RFC: when adding content that is not a file (say
ipfs add
with a data buffer), the body part headerContent-Disposition
doesn't have a properfilename
parameter. While this is legal according to the RFCs, the consequence is that those part are parsed as form values (think text field entered by a user), and not files.With the go standard library, one key difference is that a form file will be offloaded on disk if too big but a value is not. This means that the memory usage in this case will commonly be high. I'd like to suggest to always have a valid
filename
parameter to force the parsing of those potentially huge part as file, and to use an extra parameter to distinguish from an actual file and a buffer for proper handling in a daemon.The text was updated successfully, but these errors were encountered: