Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

HTTP multipart/form-data is broken in multiple IPFS implementation #437

Closed
MichaelMure opened this issue Feb 21, 2019 · 5 comments
Closed

HTTP multipart/form-data is broken in multiple IPFS implementation #437

MichaelMure opened this issue Feb 21, 2019 · 5 comments

Comments

@MichaelMure
Copy link

I tried to parse a multipart/form-data HTTP request produced by go-ipfs-api with golang's standard http package and it completely failed. After going down the rabbit hole, turns out that there is multiple issues, shared by multiple IPFS implementation:

  1. In the HTTP Content-Disposition header, with go-ipfs-api , parameters are separated with a : instead of a ;
  2. In the body part header, Content-Disposition of type file is invalid; it should be form-data (see https://tools.ietf.org/html/rfc7578#section-4.2)
  3. In the body part header, Content-Disposition is missing the mandatory name parameter (again, see https://tools.ietf.org/html/rfc7578#section-4.2)

On the go side, I opened ipfs/go-ipfs-api#167 to address 1. , and ipfs/go-ipfs-files#8 to address 2. and 3. .

On the js side, I opened ipfs-inactive/js-ipfs-http-client#948 to address 2. and 3. . I don't know if 1. is an issue here.

I'm opening this issue because the problem seems to be more widespread than just those PR (see https://github.com/search?p=1&q=org%3Aipfs+Content-Disposition&type=Code as an example).

Another problem I faced but that is not covered by a RFC: when adding content that is not a file (say ipfs add with a data buffer), the body part header Content-Disposition doesn't have a proper filename parameter. While this is legal according to the RFCs, the consequence is that those part are parsed as form values (think text field entered by a user), and not files.

With the go standard library, one key difference is that a form file will be offloaded on disk if too big but a value is not. This means that the memory usage in this case will commonly be high. I'd like to suggest to always have a valid filename parameter to force the parsing of those potentially huge part as file, and to use an extra parameter to distinguish from an actual file and a buffer for proper handling in a daemon.
@MichaelMure
Copy link
Author

Small correction: in the case of the golang http package, a maximum of (10MB+maxMemory) is allowed to read form values, so anything over that will error instead of allocating more memory as I stated. Default value for maxMemory is 32MB.

@MichaelMure
Copy link
Author

Tagging some relevant individual: @magik6k @lgierth @daviddias @Stebalien

Stebalien referenced this issue in ipfs/go-ipfs-files Mar 20, 2019
@Stebalien
fix the content disposition header
c0546a9 
* needs a name parameter
* "file" isn't a valid disposition

see https://github.com/ipfs/ipfs/issues/395
Stebalien referenced this issue in ipfs/go-ipfs-files Mar 20, 2019
@Stebalien
fix the content disposition header
cff97fc 
* needs a name parameter
* "file" isn't a valid disposition

see https://github.com/ipfs/ipfs/issues/395
@Stebalien
Copy link
Member

Thanks for reporting all this! Status:

@daviddias daviddias transferred this issue from ipfs/ipfs Oct 8, 2019
@Stebalien Stebalien transferred this issue from ipfs/kubo Oct 8, 2019
@Stebalien
Copy link
Member

@daviddias This was a cross-implementation issue filed against both go and js.

@Stebalien
Copy link
Member

Also, looking into this, all parts appear to have been fixed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@MichaelMure @Stebalien