Rack fails to find multipart boundary. #518

Closed
bwilk opened this Issue Feb 14, 2013 · 5 comments

3 participants

@bwilk

The method fast_forward_to_first_boundary of the multipart parser (lib/rack/multipart/parser.rb) fails to find the boundary if it is terminated by "\n" (not the EOL = "\r\n"). As a result the parts of the request cannot be identified at all. Is it intended behaviour?

The following line is affected:
return if read_buffer == full_boundary
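A simplified stand-in for that fast-forward step, added here as an illustration and not taken from Rack's parser: it scans a body for the first boundary line using a configurable line terminator, so the strict "\r\n" check misses an LF-terminated boundary exactly as described above. The function and constant names and the sample bodies are constructed for this example.

```ruby
require 'stringio'

# Simplified "fast forward to the first boundary" (not Rack's code).
# Returns the byte offset just past the first boundary line, or nil when
# no line equals "--<boundary>" terminated by exactly `eol`.
def find_first_boundary(body, boundary, eol: "\r\n")
  full_boundary = "--#{boundary}"
  io = StringIO.new(body)
  until io.eof?
    line = io.gets(eol) or break        # read up to and including eol
    return io.pos if line.chomp(eol) == full_boundary
  end
  nil
end

# Lenient variant: a line read up to "\n" matches whether or not a "\r"
# precedes it, so bodies from lax clients are accepted too. This is the
# behaviour the issue asks about; the later comments note that accepting
# multiple terminators widens what a parser has to reason about.
def find_first_boundary_lenient(body, boundary)
  full_boundary = "--#{boundary}"
  io = StringIO.new(body)
  until io.eof?
    line = io.gets("\n") or break
    return io.pos if line.chomp == full_boundary   # chomp strips \r\n or \n
  end
  nil
end

# Constructed sample data: an RFC-conformant CRLF body and the same
# body as an LF-only client would send it.
BOUNDARY    = "AaB03x"
STRICT_BODY = "--AaB03x\r\n" \
              "Content-Disposition: form-data; name=\"f\"\r\n\r\n" \
              "hello\r\n--AaB03x--\r\n"
LAX_BODY    = STRICT_BODY.gsub("\r\n", "\n")

if __FILE__ == $0
  p find_first_boundary(STRICT_BODY, BOUNDARY)            # 10
  p find_first_boundary(LAX_BODY, BOUNDARY)               # nil: boundary not found
  p find_first_boundary(LAX_BODY, BOUNDARY, eol: "\n")    # 9
  p find_first_boundary_lenient(LAX_BODY, BOUNDARY)       # 9
end
```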

@chneukirchen
Official Rack repositories member

AFAICT the HTTP RFC enforces use of CRLF.

@bwilk

Well, I totally agree. Just for your consideration - although being strict is great when you are the active side (client) of the protocol, rigor on the passive side (server) may cause some clients (not so well implemented) to stop functioning - e.g. I failed using http://restclient.net/. The reason for the failure is not so easy to detect while debugging the request processing flow.

@chneukirchen
Official Rack repositories member

The problem is that lax handling of line terminators opens the door to a lot of injection attacks.

Perhaps you can run your Rack app behind a web server that sanitizes such things?

@raggi
Official Rack repositories member

Heroku folks can't. I spoke with Terrence about this again today, but I'm not sure if it'll happen soon. We ideally should handle most inputs in a sane way.

I'll consider it.

@bwilk

I'm glad to hear that. Thanks for updating the thread.
