php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #9930 only small psubset of rfc1867 accepted
Submitted: 2001-03-22 11:34 UTC Modified: 2001-05-01 21:22 UTC
From: andreas at erestor dot f2s dot com Assigned:
Status: Closed Package: HTTP related
PHP Version: 4.0.4pl1 OS: any
Private report: No CVE-ID: None
 [2001-03-22 11:34 UTC] andreas at erestor dot f2s dot com
 Hello,
 the documentation tells in chapter 19: "PHP is capable of receiving file uploads from any RFC-1867 compliant browser (...).". If the implementation does not, I think it is a bug. So I submit a bug-report, not a feature-request.
 The code, which should handle RFC-1867 compliant POST-bodies, is in the file main/rfc1867.c. But it do not accept many possiblilities, which are allowed by RFC-1867, RFC-2045 and RFC-822, in its version 1.60.
 First, it anly allows one Header-field in every part of the POST-body. (see also Bugid 7685)
 Second, it still do not handle atoms as parameter-values correctly. (see also Bugid 8486)
 Third, it does not accept whitespaces at all allowed places (around the '=' in the parameter).
 Fourth, it does not recognize folded headerfields as been folded.
 Fifth, it does not handle comments at all.

 The first two should be handled correctly, if a PHP-script should be usable from Lynx. I have changed the file rfc1867.c in a way, that more POST-bodies are accepted, but also my version is still not accepting all RFC-1867 compliant POST-bodies. It misses all changes to the part of handling the filename-parameter and do not handle comments at all.

 Here is a context-diff between the version 1.60 of your CVS and my version:

*** rfc1867.c.v1.60     Thu Mar 22 14:42:35 2001
--- rfc1867.c   Thu Mar 22 17:10:43 2001
***************
*** 151,184 ****
                                } else {
                                        Done = 1;
                                }
                                break;
                        case 1:                 /* Check content-disposition */
!                               if (strncasecmp(ptr, "Content-Disposition: form-data;", 31)) {
                                        if (rem < 31) {
                                                SAFE_RETURN;
                                        }
!                                       php_error(E_WARNING, "File Upload Mime headers garbled ptr: [%c%c%c%c%c]", *ptr, *(ptr + 1), *(ptr + 2), *(ptr + 3), *(ptr + 4));
!                                       SAFE_RETURN;
                                }
                                loc = memchr(ptr, '\n', rem);
                                name = strstr(ptr, " name=");
                                if (name && name < loc) {
                                        name += 6;
!                                       s = memchr(name, '\"', loc - name);
!                                       if ( name == s ) {
                                                name++;
                                                s = memchr(name, '\"', loc - name);
                                                if(!s) {
                                                        php_error(E_WARNING, "File Upload Mime headers garbled name: [%c%c%c%c%c]", *name, *(name + 1), *(name + 2), *(name + 3), *(name + 4));
                                                        SAFE_RETURN;
                                                }
-                                       } else if(!s) {
-                                               s = loc;
                                        } else {
!                                               php_error(E_WARNING, "File Upload Mime headers garbled name: [%c%c%c%c%c]", *name, *(name + 1), *(name + 2), *(name + 3), *(name + 4));
!                                               SAFE_RETURN;
                                        }
                                        if (namebuf) {
                                                efree(namebuf);
                                        }
                                        namebuf = estrndup(name, s-name);
--- 151,193 ----
                                } else {
                                        Done = 1;
                                }
                                break;
                        case 1:                 /* Check content-disposition */
!                               while (strncasecmp(ptr, "Content-Disposition: form-data;", 31)) {
                                        if (rem < 31) {
                                                SAFE_RETURN;
                                        }
!                                       if (ptr[1] == '\n') {
!                                                 /* empty line as end of header found */
!                                               php_error(E_WARNING, "File Upload Mime headers garbled ptr: [%c%c%c%c%c]", *ptr, *(ptr + 1), *(ptr + 2), *(ptr + 3), *(ptr + 4));
!                                               SAFE_RETURN;
!                                         }
!                                       /* some other headerfield found, skip it */
!                                         loc = (char *) memchr(ptr, '\n', rem)+1;
!                                       while (*loc == ' ' || *loc == '\t')
!                                               /* other field is folded, skip it */
!                                               loc = (char *) memchr(loc, '\n', rem-(loc-ptr))+1;
!                                       rem -= (loc - ptr);
!                                       ptr = loc;
                                }
                                loc = memchr(ptr, '\n', rem);
+                               while (loc[1] == ' ' || loc[1] == '\t')
+                                       /* field is folded, look for end */
+                                       loc = memchr(loc+1, '\n', rem-(loc-ptr)-1);
                                name = strstr(ptr, " name=");
                                if (name && name < loc) {
                                        name += 6;
!                                       if ( *name == '\"' ) {
                                                name++;
                                                s = memchr(name, '\"', loc - name);
                                                if(!s) {
                                                        php_error(E_WARNING, "File Upload Mime headers garbled name: [%c%c%c%c%c]", *name, *(name + 1), *(name + 2), *(name + 3), *(name + 4));
                                                        SAFE_RETURN;
                                                }
                                        } else {
!                                               s = strpbrk(name, "     ()<>@,;:\\\"/[]?=\r\n");
                                        }
                                        if (namebuf) {
                                                efree(namebuf);
                                        }
                                        namebuf = estrndup(name, s-name);
***************
*** 185,197 ****
                                        if (lbuf) {
                                                efree(lbuf);
                                        }
                                        lbuf = emalloc(s-name + MAX_SIZE_OF_INDEX + 1);
                                        state = 2;
!                                       loc2 = memchr(loc + 1, '\n', rem);
!                                       rem -= (loc2 - ptr) + 1;
!                                       ptr = loc2 + 1;
                                        /* is_arr_upload is true when name of file upload field
                                         * ends in [.*]
                                         * start_arr is set to point to 1st [
                                         * end_arr points to last ]
                                         */
--- 194,210 ----
                                        if (lbuf) {
                                                efree(lbuf);
                                        }
                                        lbuf = emalloc(s-name + MAX_SIZE_OF_INDEX + 1);
                                        state = 2;
!                                       loc2 = loc;
!                                       while (loc2[2] != '\n') {
!                                               /* empty line as end of header not yet found */
!                                               loc2 = memchr(loc2 + 1, '\n', rem-(loc2-ptr)-1);
!                                       }
!                                       rem -= (loc2 - ptr) + 3;
!                                       ptr = loc2 + 3;
                                        /* is_arr_upload is true when name of file upload field
                                         * ends in [.*]
                                         * start_arr is set to point to 1st [
                                         * end_arr points to last ]
                                         */


 I have tried some POST-bodies, one of them shown here:
--xnyLAaB03X^M
Content-Type: text/plain;^M
 charset=iso-8859-1^M
Content-Disposition: form-data;^M
 name=postarg;^M
 x-info="Andreas Pistoor"^M
^M
input^M
--xnyLAaB03X--^M

 Kind regards
 Andreas Pistoor

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2001-03-23 05:30 UTC] andreas at erestor dot f2s dot com
 One comment to the listing of the diff, above:
The second argument to the function strpbrk starts with a blank and a tabulator. This is not (easily) recognized in that listing.

 Andreas
 [2001-03-26 16:28 UTC] sniper@php.net
Could you please create an unified diff?
ie. using 'diff -u' and send it (as an attachment) to php-dev@lists.php.net ?

--Jani

 [2001-03-29 04:53 UTC] andreas at erestor dot f2s dot com
 Hello Jani,
 have you recieved my email?
 I have replyed to yours, as it came from php-dev@lists.php.net and you asked me, to send the diff to this address. But the footer of your email is a little bit confusing :-) : "ATTENTION! Do NOT reply to this email!
To reply, use the web interface found at http://bugs.php.net/?id=9930&edit=2"

 Greetings Andreas
 [2001-05-01 21:21 UTC] sniper@php.net
Patch committed. Thanks!

--Jani

 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Mon Apr 22 16:01:25 2019 UTC