-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Is a boundary delimiter-only body an invalid request? #2103
Comments
For RFC 2046, it appears invalid:
If you consider the updated RFC (RFC 7578), it still appears invalid because RFC 7578 references section 5.1 of RFC 2046:
RFC 7578 does not state that zero parts are allowed as a change from RFC2046. That being said, it doesn't appear to be just an issue with Chrome, I see identical behavior with Firefox. So while not blessed by the RFCs, as a practical matter, I'm open to supporting this and having the multipart parser return an empty value (e.g. |
Fixed: rack#2103 Sending the following request in a browser generates a request with with only one end delimiter. ```javascript const formData = new FormData(); const request = new Request('http://127.0.0.1:8080/', { method: 'POST', body: formData, }); const response = fetch(request); ``` ``` curl 'http://127.0.0.1:8080/' \ -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryR1LC4tR6ayskIXJm' \ --data-raw $'------WebKitFormBoundaryR1LC4tR6ayskIXJm--\r\n' ``` This request is not compliant RFC7578, but is generated by major browsers such as FireFox and Chrome. Supporting this request will cause the multipart parser to return an empty value.
Fixed: rack#2103 Sending the following request in a browser generates a request with with only one end delimiter. ```javascript const formData = new FormData(); const request = new Request('http://127.0.0.1:8080/', { method: 'POST', body: formData, }); const response = fetch(request); ``` ``` curl 'http://127.0.0.1:8080/' \ -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryR1LC4tR6ayskIXJm' \ --data-raw $'------WebKitFormBoundaryR1LC4tR6ayskIXJm--\r\n' ``` This request is not compliant RFC7578, but is generated by major browsers such as FireFox and Chrome. Supporting this request will cause the multipart parser to return an empty value.
Fixed: rack#2103 Sending the following request in a browser generates a request with with only one end delimiter. ```javascript const formData = new FormData(); const request = new Request('http://127.0.0.1:8080/', { method: 'POST', body: formData, }); const response = fetch(request); ``` ``` curl 'http://127.0.0.1:8080/' \ -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryR1LC4tR6ayskIXJm' \ --data-raw $'------WebKitFormBoundaryR1LC4tR6ayskIXJm--\r\n' ``` This request is not compliant RFC7578, but is generated by major browsers such as FireFox and Chrome. Supporting this request will cause the multipart parser to return an empty value.
Fixed: rack#2103 Sending the following request in a browser generates a request with with only one end delimiter. ```javascript const formData = new FormData(); const request = new Request('http://127.0.0.1:8080/', { method: 'POST', body: formData, }); const response = fetch(request); ``` ``` curl 'http://127.0.0.1:8080/' \ -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryR1LC4tR6ayskIXJm' \ --data-raw $'------WebKitFormBoundaryR1LC4tR6ayskIXJm--\r\n' ``` This request is not compliant RFC7578, but is generated by major browsers such as FireFox and Chrome. Supporting this request will cause the multipart parser to return an empty value.
…er. (#2104) Fixed: #2103 Sending the following request in a browser generates a request with with only one end delimiter. ```javascript const formData = new FormData(); const request = new Request('http://127.0.0.1:8080/', { method: 'POST', body: formData, }); const response = fetch(request); ``` ``` curl 'http://127.0.0.1:8080/' \ -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryR1LC4tR6ayskIXJm' \ --data-raw $'------WebKitFormBoundaryR1LC4tR6ayskIXJm--\r\n' ``` This request is not compliant RFC7578, but is generated by major browsers such as FireFox and Chrome. Supporting this request will cause the multipart parser to return an empty value.
Return empty when parsing a multi-part POST with only one end delimiter. Fixed: rack#2103 Sending the following request in a browser generates a request with with only one end delimiter. ```javascript const formData = new FormData(); const request = new Request('http://127.0.0.1:8080/', { method: 'POST', body: formData, }); const response = fetch(request); ``` ``` curl 'http://127.0.0.1:8080/' \ -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryR1LC4tR6ayskIXJm' \ --data-raw $'------WebKitFormBoundaryR1LC4tR6ayskIXJm--\r\n' ``` This request is not compliant RFC7578, but is generated by major browsers such as FireFox and Chrome. Supporting this request will cause the multipart parser to return an empty value.
Return empty when parsing a multi-part POST with only one end delimiter. Fixed: rack#2103 Sending the following request in a browser generates a request with with only one end delimiter. ```javascript const formData = new FormData(); const request = new Request('http://127.0.0.1:8080/', { method: 'POST', body: formData, }); const response = fetch(request); ``` ``` curl 'http://127.0.0.1:8080/' \ -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryR1LC4tR6ayskIXJm' \ --data-raw $'------WebKitFormBoundaryR1LC4tR6ayskIXJm--\r\n' ``` This request is not compliant RFC7578, but is generated by major browsers such as FireFox and Chrome. Supporting this request will cause the multipart parser to return an empty value.
Return empty when parsing a multi-part POST with only one end delimiter. Fixed: #2103 Sending the following request in a browser generates a request with with only one end delimiter. ```javascript const formData = new FormData(); const request = new Request('http://127.0.0.1:8080/', { method: 'POST', body: formData, }); const response = fetch(request); ``` ``` curl 'http://127.0.0.1:8080/' \ -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryR1LC4tR6ayskIXJm' \ --data-raw $'------WebKitFormBoundaryR1LC4tR6ayskIXJm--\r\n' ``` This request is not compliant RFC7578, but is generated by major browsers such as FireFox and Chrome. Supporting this request will cause the multipart parser to return an empty value.
Return empty when parsing a multi-part POST with only one end delimiter. Fixed: rack#2103 Sending the following request in a browser generates a request with with only one end delimiter. ```javascript const formData = new FormData(); const request = new Request('http://127.0.0.1:8080/', { method: 'POST', body: formData, }); const response = fetch(request); ``` ``` curl 'http://127.0.0.1:8080/' \ -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryR1LC4tR6ayskIXJm' \ --data-raw $'------WebKitFormBoundaryR1LC4tR6ayskIXJm--\r\n' ``` This request is not compliant RFC7578, but is generated by major browsers such as FireFox and Chrome. Supporting this request will cause the multipart parser to return an empty value.
Return empty when parsing a multi-part POST with only one end delimiter. Fixed: rack#2103 Sending the following request in a browser generates a request with with only one end delimiter. ```javascript const formData = new FormData(); const request = new Request('http://127.0.0.1:8080/', { method: 'POST', body: formData, }); const response = fetch(request); ``` ``` curl 'http://127.0.0.1:8080/' \ -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryR1LC4tR6ayskIXJm' \ --data-raw $'------WebKitFormBoundaryR1LC4tR6ayskIXJm--\r\n' ``` This request is not compliant RFC7578, but is generated by major browsers such as FireFox and Chrome. Supporting this request will cause the multipart parser to return an empty value.
Return empty when parsing a multi-part POST with only one end delimiter. Fixed: #2103 Sending the following request in a browser generates a request with with only one end delimiter. ```javascript const formData = new FormData(); const request = new Request('http://127.0.0.1:8080/', { method: 'POST', body: formData, }); const response = fetch(request); ``` ``` curl 'http://127.0.0.1:8080/' \ -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryR1LC4tR6ayskIXJm' \ --data-raw $'------WebKitFormBoundaryR1LC4tR6ayskIXJm--\r\n' ``` This request is not compliant RFC7578, but is generated by major browsers such as FireFox and Chrome. Supporting this request will cause the multipart parser to return an empty value.
Sending the following request in a chrome browser will generate a boundary request with only delimiter-line.
This request causes
Rack::Multipart::EmptyContentError
in rack application.As @jeremyevans mentions, it doesn't seem to match the RFC2046 specification.
#1603 (comment)
Unlike #1603 (comment), the body described in this issue is not completely empty and contains a delimiter.
I am creating this issue because I think there is a possibility that delimiter-only requests have not been considered before.
But as far as I read RFC2046, is it a bug in chromium?
The text was updated successfully, but these errors were encountered: