Merge pull request #1422 from fatkodima/content-disposition-spaces

Robust separation of Content-Disposition fields
rack · Nov 29, 2019 · 04467b2 · 04467b2
2 parents 93dfcdf + 2a8aa75
commit 04467b2
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 3 deletions.
diff --git a/lib/rack/multipart.rb b/lib/rack/multipart.rb
@@ -16,10 +16,10 @@ module Multipart
     TOKEN = /[^\s()<>,;:\\"\/\[\]?=]+/
     CONDISP = /Content-Disposition:\s*#{TOKEN}\s*/i
     VALUE = /"(?:\\"|[^"])*"|#{TOKEN}/
-    BROKEN_QUOTED = /^#{CONDISP}.*;\sfilename="(.*?)"(?:\s*$|\s*;\s*#{TOKEN}=)/i
-    BROKEN_UNQUOTED = /^#{CONDISP}.*;\sfilename=(#{TOKEN})/i
+    BROKEN_QUOTED = /^#{CONDISP}.*;\s*filename="(.*?)"(?:\s*$|\s*;\s*#{TOKEN}=)/i
+    BROKEN_UNQUOTED = /^#{CONDISP}.*;\s*filename=(#{TOKEN})/i
     MULTIPART_CONTENT_TYPE = /Content-Type: (.*)#{EOL}/ni
-    MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:.*\s+name=(#{VALUE})/ni
+    MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:.*;\s*name=(#{VALUE})/ni
     MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
     # Updated definitions from RFC 2231
     ATTRIBUTE_CHAR = %r{[^ \t\v\n\r)(><@,;:\\"/\[\]?='*%]}

diff --git a/test/multipart/robust_field_separation b/test/multipart/robust_field_separation
@@ -0,0 +1,6 @@
+--AaB03x
+Content-Disposition: form-data;name="text"
+Content-Type: text/plain
+
+contents
+--AaB03x--
diff --git a/test/spec_multipart.rb b/test/spec_multipart.rb
@@ -306,6 +306,12 @@ def initialize(*)
     params["files"][:filename].must_equal "flowers.exe\u0000.jpg"
   end
 
+  it "is robust separating Content-Disposition fields" do
+    env = Rack::MockRequest.env_for("/", multipart_fixture(:robust_field_separation))
+    params = Rack::Multipart.parse_multipart(env)
+    params["text"].must_equal "contents"
+  end
+
   it "not include file params if no file was selected" do
     env = Rack::MockRequest.env_for("/", multipart_fixture(:none))
     params = Rack::Multipart.parse_multipart(env)