develooper Front page | perl.libwww | Postings from July 2017

Re: form-date with newline in filename

Thread Previous | Thread Next
From:
Olaf Alders
Date:
July 5, 2017 03:36
Subject:
Re: form-date with newline in filename
Message ID:
7ED7CB1D-5698-4F2F-9ABE-D5EB267F6937@wundersolutions.com

> On Jul 4, 2017, at 4:41 PM, Bill Moseley <moseley@hank.org> wrote:
> 
> I'm trying to understand if the Perl code is doing the right thing by placing a newline directly in the double-quoted filename in the Content-Disposition header.
> 
> Even though it's probably a bad thing to do, POSIX allows newlines in filenames. Receiving systems, of course, must be careful how that filename is used -- but in this case it's never actually used in a filesystem (i.e. it's just considered metadata). 
> 
> The code below does a full round-trip successfully (meaning the newline in the filename is preserved), but that's all within Perl. 
> 
> I'm POSTing to a service written in Golang and that library is complaining about malformed headers. 
> 
> My question: Is HTTP::Request not escaping correctly or is Golang library not parsing correctly?
> 
> use strict;
> use warnings;
> use HTTP::Request::Common;
> use HTTP::Response;
> use HTTP::Body;
> use Data::Dumper;
> 
> my $filename = "name with\na newline";
> 
> my $req = POST(
>     'http://example.com/post',
>     content_type => 'form-data',
>     Content => [
>         file => [
>             $0,
>             $filename,
>         ],
>         one => 1,
>         two => 2,
>     ],
> );
> 
> my $res = HTTP::Response->parse( $req->as_string );
> my $body = HTTP::Body->new( join( ' ' ,$res->content_type), $res->content_length );
> $body->add( $res->decoded_content );
> print Dumper $body->upload;
> 
> Above returns:
> 
> $VAR1 = {
>           'file' => {
>                       'filename' => 'name with
> a newline',
>                       'tempname' => '/var/folders/sz/w4rntlpx76vcy5xrp441m0qw0000gn/T/6QNv98gd5B',
>                       'size' => 561,
>                       'headers' => {
>                                      'Content-Disposition' => 'form-data; name="file"; filename="name with
> a newline"',
>                                      'Content-Type' => 'text/plain'
>                                    },
>                       'name' => 'file'
>                     }
>         };
> 
> It seems like header folding is no longer allowed, but I'm not clear that this is a case of header-folding:
> 
> https://stackoverflow.com/questions/521275/how-to-escape-a-line-break-literal-in-the-http-header
> 
> Or asked another way, is Perl or Golang breaking Postel's law?

Hi Bill,

Is it possible for you to print the actual outgoing headers?  With the newlines being involved, the order of the headers could make a difference here.

Best,

Olaf

Thread Previous | Thread Next


nntp.perl.org: Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at ask@perl.org | Group listing | About