develooper Front page | perl.libwww | Postings from July 2017

form-date with newline in filename

Thread Next
From:
Bill Moseley
Date:
July 4, 2017 20:42
Subject:
form-date with newline in filename
Message ID:
CAKhN_m7EcgF+=iooTqcWx83NwreTpnWXaFrNAuj=TSOFHVWUnQ@mail.gmail.com
I'm trying to understand if the Perl code is doing the right thing by
placing a newline directly in the double-quoted filename in the
Content-Disposition header.

Even though it's probably a bad thing to do, POSIX allows newlines in
filenames. Receiving systems, of course, must be careful how that filename
is used -- but in this case it's never actually used in a filesystem (i.e.
it's just considered metadata).

The code below does a full round-trip successfully (meaning the newline in
the filename is preserved), but that's all within Perl.

I'm POSTing to a service written in Golang and that library is complaining
about malformed headers.

My question: Is HTTP::Request not escaping correctly or is Golang library
not parsing correctly?

use strict;
use warnings;
use HTTP::Request::Common;
use HTTP::Response;
use HTTP::Body;
use Data::Dumper;

my $filename = "name with\na newline";

my $req = POST(
    'http://example.com/post',
    content_type => 'form-data',
    Content => [
        file => [
            $0,
            $filename,
        ],
        one => 1,
        two => 2,
    ],
);

my $res = HTTP::Response->parse( $req->as_string );
my $body = HTTP::Body->new( join( ' ' ,$res->content_type),
$res->content_length );
$body->add( $res->decoded_content );
print Dumper $body->upload;

Above returns:

$VAR1 = {
          'file' => {
                      'filename' => 'name with
a newline',
                      'tempname' =>
'/var/folders/sz/w4rntlpx76vcy5xrp441m0qw0000gn/T/6QNv98gd5B',
                      'size' => 561,
                      'headers' => {
                                     'Content-Disposition' => 'form-data;
name="file"; filename="name with
a newline"',
                                     'Content-Type' => 'text/plain'
                                   },
                      'name' => 'file'
                    }
        };

It seems like header folding is no longer allowed, but I'm not clear that
this is a case of header-folding:

https://stackoverflow.com/questions/521275/how-to-escape-a-line-break-literal-in-the-http-header


Or asked another way, is Perl or Golang breaking Postel's law
<https://en.wikipedia.org/wiki/Robustness_principle>?


-- 
Bill Moseley
moseley@hank.org

Thread Next


nntp.perl.org: Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at ask@perl.org | Group listing | About