Handle EOFError exception from malformed multipart in MethodOverride middleware #282

Merged
merged 2 commits into from

2 participants

@cgriego

Rack::Request#POST will raise an EOFError when parsing invalid multipart form data (which Rack::Request#params will handle and ignore), but the MethodOverride middleware, which calls Request#POST, doesn't handle the exception, usually letting it propagate out to the server/handler.

@raggi raggi merged commit 4a9e22d into rack:master
@raggi
Owner

My bad! Good catch! Thank you for your contribution.

2  lib/rack/directory.rb
@@ -90,7 +90,7 @@ def list_directory
basename = F.basename(node)
ext = F.extname(node)
- url = F.join(*url_head + [Rack::Utils.escape basename])
+ url = F.join(*url_head + [Rack::Utils.escape(basename)])
size = stat.size
type = stat.directory? ? 'directory' : Mime.mime_type(ext)
size = stat.directory? ? '-' : filesize_format(size)
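
Review bot: the parenthesised `Rack::Utils.escape(basename)` call in `list_directory` is not mentioned in the pull request title or description, which cover only the MethodOverride EOFError. Either note it in the description or move it to its own commit, so that a later bisect or revert of the middleware fix does not drag an unrelated change in lib/rack/directory.rb along with it.
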
14 lib/rack/methodoverride.rb
@@ -11,10 +11,7 @@ def initialize(app)
def call(env)
if env["REQUEST_METHOD"] == "POST"
- req = Request.new(env)
- method = req.POST[METHOD_OVERRIDE_PARAM_KEY] ||
- env[HTTP_METHOD_OVERRIDE_HEADER]
- method = method.to_s.upcase
+ method = method_override(env)
if HTTP_METHODS.include?(method)
env["rack.methodoverride.original_method"] = env["REQUEST_METHOD"]
env["REQUEST_METHOD"] = method
@@ -23,5 +20,14 @@ def call(env)
@app.call(env)
end
+
+ def method_override(env)
+ req = Request.new(env)
+ method = req.POST[METHOD_OVERRIDE_PARAM_KEY] ||
+ env[HTTP_METHOD_OVERRIDE_HEADER]
+ method.to_s.upcase
+ rescue EOFError
+ ""
+ end
end
end
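
Review bot: the `rescue EOFError` in `method_override` returns `""` without recording anything, so a POST with a truncated multipart body passes through the middleware with no trace in the logs. Because the rescue covers the whole method body, it also means `env[HTTP_METHOD_OVERRIDE_HEADER]` is never consulted for such a request. If that is the intended behaviour, say so in a comment above the method, and consider writing a short line to `env["rack.errors"]` in the rescue so operators can see malformed bodies arriving. The helper is also added as a public method; unless callers outside the class need it, mark it private.
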
15 test/spec_methodoverride.rb
@@ -55,4 +55,19 @@
req.env["rack.methodoverride.original_method"].should.equal "POST"
end
+
+ should "not modify REQUEST_METHOD when given invalid multipart form data" do
+ input = <<EOF
+--AaB03x\r
+content-disposition: form-data; name="huge"; filename="huge"\r
+EOF
+ env = Rack::MockRequest.env_for("/",
+ "CONTENT_TYPE" => "multipart/form-data, boundary=AaB03x",
+ "CONTENT_LENGTH" => input.size,
+ :method => "POST", :input => input)
+ app = Rack::MethodOverride.new(lambda{|envx| Rack::Request.new(envx) })
+ req = app.call(env)
+
+ req.env["REQUEST_METHOD"].should.equal "POST"
+ end
end
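
Review bot: the new spec only covers a malformed body with no override header set, so the assertion on `REQUEST_METHOD` does not pin down what happens when `HTTP_METHOD_OVERRIDE_HEADER` is present alongside the bad multipart data. Add a second case that sets the header in `env_for` and asserts the method stays "POST", since the rescue in `method_override` discards the header in that situation. A smaller point on the `"CONTENT_LENGTH" => input.size` line: `input.bytesize` states the intent more precisely, although the two agree for this ASCII-only input.
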