
Rack fails to find multipart boundary. #518

Closed
bwilk opened this Issue February 13, 2013 · 5 comments

bwilk

The method fast_forward_to_first_boundary of the multipart parser (rack/lib/rack/multipart/parser.rb) fails to find the boundary if it is terminated by "\n" (not the EOL = "\r\n"). As a result, the parts of the request cannot be identified at all. Is it intended behaviour?

The following line is affected:
return if read_buffer == full_boundary

Christian Neukirchen

AFAICT the HTTP RFC enforces use of CRLF.

bwilk

Well, I totally agree. Just for your consideration - although being strict is great when you are the active side (client) of the protocol, rigor on the passive side (server) may cause some clients (not so well implemented) not functioning - e.g. I failed using http://restclient.net/. The reason for the failure is not so easy to detect while debugging the request processing flow.

Christian Neukirchen

The problem is that lax handling of line terminators opens the door to a lot of injection attacks.

Perhaps you can run your Rack app behind a web server that sanitizes such things?

Christian Neukirchen chneukirchen closed this April 23, 2013
James Tucker
Owner
raggi commented April 29, 2013

Heroku folks can't. I spoke with Terrence about this again today, but I'm not sure if it'll happen soon. We ideally should handle most inputs in a sane way.

I'll consider it.

bwilk
bwilk commented April 30, 2013

I'm glad to hear that. Thanks for updating the thread.
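An added diagnostic sketch, not part of the thread and not Rack's own code: it models the strict delimiter-plus-CRLF comparison described in the issue and reports how each boundary line in a body is terminated, so a bare-LF client can be identified while the parser stays strict. The method names, constants and sample bodies are assumptions constructed for this example.

```ruby
# Added illustration; method and constant names are hypothetical, not Rack's API.
EOL = "\r\n"

# Strict check modelled on the comparison quoted in the issue: the body must
# open with the delimiter followed by CRLF.
def strict_first_boundary?(body, boundary)
  body.b.start_with?("--#{boundary}#{EOL}".b)
end

# Report how every delimiter line is terminated, as [byte_offset, kind] pairs
# where kind is :crlf, :bare_lf, :close (final "--") or :other.
def boundary_terminators(body, boundary)
  body = body.b
  delim = "--#{boundary}".b
  found = []
  pos = 0
  while (idx = body.index(delim, pos))
    after = idx + delim.bytesize
    # Only count delimiters that start a line.
    if idx.zero? || body[idx - 1] == "\n"
      tail = body[after, 2] || ""
      kind = if tail == "--" then :close
             elsif tail == EOL then :crlf
             elsif tail.start_with?("\n") then :bare_lf
             else :other
             end
      found << [idx, kind]
    end
    pos = after
  end
  found
end

# Constructed sample bodies (boundary AaB03x), not captured traffic.
CONFORMANT = "--AaB03x\r\nContent-Disposition: form-data; name=\"f\"\r\n\r\nv\r\n--AaB03x--\r\n"
LF_ONLY = CONFORMANT.gsub("\r\n", "\n")

if __FILE__ == $PROGRAM_NAME
  { "CRLF client" => CONFORMANT, "LF-only client" => LF_ONLY }.each do |name, body|
    puts "#{name}: strict=#{strict_first_boundary?(body, 'AaB03x')} " \
         "terminators=#{boundary_terminators(body, 'AaB03x').inspect}"
  end
end
```

Logging the `:bare_lf` result next to the rejection gives the debugging signal the reporter found missing, without relaxing what the parser accepts.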
