
Support multipart/form-data "name" with backslash at the end.

Also add multipart/form-data tests ("name" with escaped characters).
commit ebe66b6bfcbe7f7f436ea8f3b65e61dfaea445a2 1 parent 25b8e4c
@weisslj weisslj authored vinoski committed
Showing with 31 additions and 0 deletions.
  1. +2 −0  src/yaws_api.erl
  2. +29 −0 test/eunit/multipart_post_parsing.erl
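--- a/src/yaws_api.erl
+++ b/src/yaws_api.erl
@@ -303,6 +303,8 @@ parse_arg_key([C|Line], Key, Value) ->
 parse_arg_value([], Key, Value, _, _) ->
 make_parse_line_reply(Key, Value, []);
+parse_arg_value([$\\,$"], Key, Value, _, _) ->
+ make_parse_line_reply(Key, [$\\|Value], []);
 parse_arg_value([$\\,$"|Line], Key, Value, Quote, Begun) ->
 parse_arg_value(Line, Key, [$"|Value], Quote, Begun);
 parse_arg_value([$"|Line], Key, Value, false, _) ->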
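Review bot: The new `parse_arg_value([$\\,$"], Key, Value, _, _)` clause discards both `Quote` and `Begun`, and it only fires when backslash-quote are the last two characters of the line, so the same field name is decoded differently depending on what follows it. When another parameter comes after the name (for example a `filename` on a file upload), the input still reaches the `[$\\,$"|Line]` clause and the pair is read as an escaped quote, which presumably lets the value run on past the intended closing quote; a front-end filter that reads the header the other way would then disagree with yaws about the field name. I would at least document the limit above the clause, e.g. `%% Trailing \" at end of line: literal backslash + closing quote. Only handled when no further parameter follows.`, and consider matching `true` for the `Quote` argument if the clause is meant for quoted values only. The function continues outside the hunk, so the closing-quote handling is not visible here.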
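--- a/test/eunit/multipart_post_parsing.erl
+++ b/test/eunit/multipart_post_parsing.erl
@@ -192,6 +192,35 @@ malformed_multipart_form_test() ->
 {error, no_multipart_form_data} = yaws_api:parse_multipart_post(A5),
 ok.
+escaped_data_to_parse(Name) ->
+ list_to_binary(
+ ["--!!!\r\n",
+ "Content-Disposition: form-data; name=\"" ++ Name ++ "\"\r\n\r\n"
+ "sometext\n\r\n--!!!--\r\n"]).
+
+get_unescaped_name(RawName) ->
+ Data = escaped_data_to_parse(RawName),
+ {result, Params} = yaws_api:parse_multipart_post(mk_arg(Data)),
+ 2 = length(Params),
+ {Name, HeadParams} = proplists:get_value(head, Params),
+ [{"name", Name}] = HeadParams,
+ Name.
+
+escaped_parse_test() ->
+ %% Support both escaped (Firefox, Opera) and unescaped (Konqueror)
+ %% quotation mark.
+ "a\"b" = get_unescaped_name("a\\\"b"),
+ "a\"b" = get_unescaped_name("a\"b"),
+ %% Do not decode "%22" (IE, Chrome), user must deal with ambiguity
+ %% himself.
+ "a%22b" = get_unescaped_name("a%22b"),
+ %% Support unescaped backslash (Firefox, Chrome, Konqueror, IE).
+ "a\\b" = get_unescaped_name("a\\b"),
+ "a\\\\b" = get_unescaped_name("a\\\\b"),
+ %% Support backslash at the end of name (for simple form values).
+ "a\\" = get_unescaped_name("a\\"),
+ ok.
+
 mk_arg(Data) ->
 ContentType = "multipart/form-data; boundary=!!!",
 Req = #http_request{method = 'POST'},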
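Review bot: `escaped_parse_test` does not pin the case that sits right next to the new parser clause: a name that ends in an escaped quotation mark, which on the wire ends in backslash-quote-quote and must still decode to a trailing quote rather than a trailing backslash. Adding `"a\"" = get_unescaped_name("a\\\""),` after the backslash-at-end assertion would guard the clause order in `parse_arg_value`; the expected value is inferred from the clauses visible in src/yaws_api.erl and should be confirmed by running it. `escaped_data_to_parse` also only builds a header with a single `name` parameter, so a name ending in a backslash followed by a second parameter such as `filename` is not exercised. A one-line comment on the helper saying so would keep the "simple form values" limit visible to the next reader.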