
Correct multipart parser skips for cases where we have data that look…

…s partially like it's percent-hex encoded
commit 8d2028291ddf474437f5093ded865401c32a50f3 1 parent 30ab12a
@raggi raggi authored
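--- a/lib/rack/multipart/parser.rb
+++ b/lib/rack/multipart/parser.rb
@@ -135,7 +135,7 @@ def get_filename(head)
 filename = $1
 end
- if filename && filename !~ /%[^0-9a-fA-F]{2}/
+ if filename && filename.scan(/%..?/).all? { |s| s =~ /%[0-9a-fA-F]{2}/ }
 filename = Utils.unescape(filename)
 end
 if filename && filename !~ /\\[^\\"]/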
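Review bot: A `%` that is the last character of the filename (or is followed by a newline) is never yielded by `scan(/%..?/)`, because the pattern needs at least one following character, so a name such as `100%` still passes the new guard and is handed to `Utils.unescape`. The filename comes from the client's Content-Disposition header, and if `Utils.unescape` rejects malformed percent-encoding (its body is not visible here) the upload would fail with an exception instead of keeping the literal name. A negative lookahead closes the gap without the scan: `if filename && filename !~ /%(?![0-9a-fA-F]{2})/`. A fixture with `filename="100%"` alongside the one added in this commit would pin the case; `get_filename` begins and ends outside this hunk.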
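--- a/test/multipart/filename_with_unescaped_percentages2
+++ b/test/multipart/filename_with_unescaped_percentages2
@@ -0,0 +1,6 @@
+------WebKitFormBoundary2NHc7OhsgU68l3Al
+Content-Disposition: form-data; name="document[attachment]"; filename="100%a"
+Content-Type: image/jpeg
+
+contents
+------WebKitFormBoundary2NHc7OhsgU68l3Al--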
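--- a/test/spec_multipart.rb
+++ b/test/spec_multipart.rb
@@ -226,6 +226,21 @@ def multipart_file(name)
 files[:tempfile].read.should.equal "contents"
 end
+ should "parse filename with unescaped percentage characters that look like partial hex escapes" do
+ env = Rack::MockRequest.env_for("/", multipart_fixture(:filename_with_unescaped_percentages2, "----WebKitFormBoundary2NHc7OhsgU68l3Al"))
+ params = Rack::Multipart.parse_multipart(env)
+ files = params["document"]["attachment"]
+ files[:type].should.equal "image/jpeg"
+ files[:filename].should.equal "100%a"
+ files[:head].should.equal <<-MULTIPART
+Content-Disposition: form-data; name="document[attachment]"; filename="100%a"\r
+Content-Type: image/jpeg\r
+ MULTIPART
+
+ files[:name].should.equal "document[attachment]"
+ files[:tempfile].read.should.equal "contents"
+ end
+
 it "rewinds input after parsing upload" do
 options = multipart_fixture(:text)
 input = options[:input]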