Rack fails to find multipart boundary. #518

Closed
bwilk opened this Issue Feb 14, 2013 · 5 comments


bwilk commented Feb 14, 2013

The method fast_forward_to_first_boundary of the multipart parser (rack/lib/rack/multipart/parser.rb) fails to find the boundary if it is terminated by "\n" (not the EOL = "\r\n"). As a result the parts of the request cannot be identified at all. Is it intended behaviour?

The following line is affected:
return if read_buffer == full_boundary
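To make this failure easier to spot without relaxing the parser, here is an added Ruby example (not Rack's own code): a strict CRLF-only first-boundary check in the spirit of fast_forward_to_first_boundary, next to a diagnostic that reports whether a rejected body carried an LF-only boundary. The boundary value and the two bodies are constructed samples.

```ruby
# Added example, not Rack's code. Line terminator the RFC requires for multipart.
EOL = "\r\n"

# Strict check, as in the issue: the boundary line must match "--boundary\r\n"
# byte for byte. An LF-only boundary is rejected on purpose.
def strict_boundary_found?(body, boundary)
  full_boundary = "--#{boundary}#{EOL}"
  body.each_line.any? { |line| line == full_boundary }
end

# Diagnostic for logging or error messages. Returns:
#   :found        boundary present and CRLF-terminated (strict parser accepts it)
#   :lf_only      boundary present but terminated by a bare "\n" (client bug)
#   :unterminated boundary is the last bytes of the body, no terminator at all
#   :missing      no boundary line in the body
def first_boundary_status(body, boundary)
  bare = "--#{boundary}"
  body.each_line do |line|            # each_line splits on "\n", keeping it
    next unless line.chomp == bare    # chomp strips either "\r\n" or "\n"
    return :found        if line.end_with?(EOL)
    return :unterminated if line == bare
    return :lf_only
  end
  :missing
end

# Constructed sample request bodies: one well-formed, one as a lax client sends it.
BOUNDARY  = "AaB03x"
CRLF_BODY = "--#{BOUNDARY}\r\n" \
            "Content-Disposition: form-data; name=\"field\"\r\n\r\n" \
            "value\r\n" \
            "--#{BOUNDARY}--\r\n"
LF_BODY   = CRLF_BODY.gsub("\r\n", "\n")

if __FILE__ == $PROGRAM_NAME
  [CRLF_BODY, LF_BODY].each do |body|
    puts "strict: #{strict_boundary_found?(body, BOUNDARY)} " \
         "status: #{first_boundary_status(body, BOUNDARY)}"
  end
end
```

The status value is what you would log when the strict parser yields no parts, so an LF-only client is identified from the server log rather than by stepping through the request flow.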

Owner

chneukirchen commented Feb 14, 2013

AFAICT the HTTP RFC enforces use of CRLF.

bwilk commented Feb 15, 2013

Well, I totally agree. Just for your consideration - although being strict is great when you are the active side (client) of the protocol, rigor on the passive side (server) may cause some (not so well implemented) clients not to function - e.g. I failed using http://restclient.net/. The reason for the failure is not so easy to detect while debugging the request processing flow.

Owner

chneukirchen commented Feb 15, 2013

The problem is that lax handling of line terminators opens the door to a lot of injection attacks.

Perhaps you can run your Rack app behind a web server that sanitizes such things?

Owner

raggi commented Apr 29, 2013

Heroku folks can't. I spoke with Terrence about this again today, but I'm not sure if it'll happen soon. We ideally should handle most inputs in a sane way.

I'll consider it.

bwilk commented Apr 30, 2013

I'm glad to hear that. Thanks for updating the thread.
