Is a boundary delimiter-only body an invalid request? #2103
Assignees
Comments
|
For RFC 2046, it appears invalid:
If you consider the updated RFC (RFC 7578), it still appears invalid because RFC 7578 references section 5.1 of RFC 2046:
RFC 7578 does not state that zero parts are allowed as a change from RFC2046. That being said, it doesn't appear to be just an issue with Chrome, I see identical behavior with Firefox. So while not blessed by the RFCs, as a practical matter, I'm open to supporting this and having the multipart parser return an empty value (e.g. |
alpaca-tc
added a commit
to alpaca-tc/rack
that referenced
this issue
Aug 2, 2023
Fixed: rack#2103 Sending the following request in a browser generates a request with with only one end delimiter. ```javascript const formData = new FormData(); const request = new Request('http://127.0.0.1:8080/', { method: 'POST', body: formData, }); const response = fetch(request); ``` ``` curl 'http://127.0.0.1:8080/' \ -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryR1LC4tR6ayskIXJm' \ --data-raw $'------WebKitFormBoundaryR1LC4tR6ayskIXJm--\r\n' ``` This request is not compliant RFC7578, but is generated by major browsers such as FireFox and Chrome. Supporting this request will cause the multipart parser to return an empty value.
alpaca-tc
added a commit
to alpaca-tc/rack
that referenced
this issue
Aug 3, 2023
Fixed: rack#2103 Sending the following request in a browser generates a request with with only one end delimiter. ```javascript const formData = new FormData(); const request = new Request('http://127.0.0.1:8080/', { method: 'POST', body: formData, }); const response = fetch(request); ``` ``` curl 'http://127.0.0.1:8080/' \ -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryR1LC4tR6ayskIXJm' \ --data-raw $'------WebKitFormBoundaryR1LC4tR6ayskIXJm--\r\n' ``` This request is not compliant RFC7578, but is generated by major browsers such as FireFox and Chrome. Supporting this request will cause the multipart parser to return an empty value.
alpaca-tc
added a commit
to alpaca-tc/rack
that referenced
this issue
Aug 3, 2023
Fixed: rack#2103 Sending the following request in a browser generates a request with with only one end delimiter. ```javascript const formData = new FormData(); const request = new Request('http://127.0.0.1:8080/', { method: 'POST', body: formData, }); const response = fetch(request); ``` ``` curl 'http://127.0.0.1:8080/' \ -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryR1LC4tR6ayskIXJm' \ --data-raw $'------WebKitFormBoundaryR1LC4tR6ayskIXJm--\r\n' ``` This request is not compliant RFC7578, but is generated by major browsers such as FireFox and Chrome. Supporting this request will cause the multipart parser to return an empty value.
alpaca-tc
added a commit
to alpaca-tc/rack
that referenced
this issue
Aug 3, 2023
Fixed: rack#2103 Sending the following request in a browser generates a request with with only one end delimiter. ```javascript const formData = new FormData(); const request = new Request('http://127.0.0.1:8080/', { method: 'POST', body: formData, }); const response = fetch(request); ``` ``` curl 'http://127.0.0.1:8080/' \ -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryR1LC4tR6ayskIXJm' \ --data-raw $'------WebKitFormBoundaryR1LC4tR6ayskIXJm--\r\n' ``` This request is not compliant RFC7578, but is generated by major browsers such as FireFox and Chrome. Supporting this request will cause the multipart parser to return an empty value.
ioquatix
pushed a commit
that referenced
this issue
Aug 3, 2023
…er. (#2104) Fixed: #2103 Sending the following request in a browser generates a request with with only one end delimiter. ```javascript const formData = new FormData(); const request = new Request('http://127.0.0.1:8080/', { method: 'POST', body: formData, }); const response = fetch(request); ``` ``` curl 'http://127.0.0.1:8080/' \ -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryR1LC4tR6ayskIXJm' \ --data-raw $'------WebKitFormBoundaryR1LC4tR6ayskIXJm--\r\n' ``` This request is not compliant RFC7578, but is generated by major browsers such as FireFox and Chrome. Supporting this request will cause the multipart parser to return an empty value.
alpaca-tc
added a commit
to alpaca-tc/rack
that referenced
this issue
Sep 12, 2023
Return empty when parsing a multi-part POST with only one end delimiter. Fixed: rack#2103 Sending the following request in a browser generates a request with with only one end delimiter. ```javascript const formData = new FormData(); const request = new Request('http://127.0.0.1:8080/', { method: 'POST', body: formData, }); const response = fetch(request); ``` ``` curl 'http://127.0.0.1:8080/' \ -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryR1LC4tR6ayskIXJm' \ --data-raw $'------WebKitFormBoundaryR1LC4tR6ayskIXJm--\r\n' ``` This request is not compliant RFC7578, but is generated by major browsers such as FireFox and Chrome. Supporting this request will cause the multipart parser to return an empty value.
alpaca-tc
added a commit
to alpaca-tc/rack
that referenced
this issue
Sep 13, 2023
Return empty when parsing a multi-part POST with only one end delimiter. Fixed: rack#2103 Sending the following request in a browser generates a request with with only one end delimiter. ```javascript const formData = new FormData(); const request = new Request('http://127.0.0.1:8080/', { method: 'POST', body: formData, }); const response = fetch(request); ``` ``` curl 'http://127.0.0.1:8080/' \ -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryR1LC4tR6ayskIXJm' \ --data-raw $'------WebKitFormBoundaryR1LC4tR6ayskIXJm--\r\n' ``` This request is not compliant RFC7578, but is generated by major browsers such as FireFox and Chrome. Supporting this request will cause the multipart parser to return an empty value.
ioquatix
pushed a commit
that referenced
this issue
Sep 13, 2023
Return empty when parsing a multi-part POST with only one end delimiter. Fixed: #2103 Sending the following request in a browser generates a request with with only one end delimiter. ```javascript const formData = new FormData(); const request = new Request('http://127.0.0.1:8080/', { method: 'POST', body: formData, }); const response = fetch(request); ``` ``` curl 'http://127.0.0.1:8080/' \ -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryR1LC4tR6ayskIXJm' \ --data-raw $'------WebKitFormBoundaryR1LC4tR6ayskIXJm--\r\n' ``` This request is not compliant RFC7578, but is generated by major browsers such as FireFox and Chrome. Supporting this request will cause the multipart parser to return an empty value.
JoeDupuis
pushed a commit
to JoeDupuis/rack
that referenced
this issue
Mar 20, 2024
Return empty when parsing a multi-part POST with only one end delimiter. Fixed: rack#2103 Sending the following request in a browser generates a request with with only one end delimiter. ```javascript const formData = new FormData(); const request = new Request('http://127.0.0.1:8080/', { method: 'POST', body: formData, }); const response = fetch(request); ``` ``` curl 'http://127.0.0.1:8080/' \ -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryR1LC4tR6ayskIXJm' \ --data-raw $'------WebKitFormBoundaryR1LC4tR6ayskIXJm--\r\n' ``` This request is not compliant RFC7578, but is generated by major browsers such as FireFox and Chrome. Supporting this request will cause the multipart parser to return an empty value.
JoeDupuis
pushed a commit
to JoeDupuis/rack
that referenced
this issue
Mar 20, 2024
Return empty when parsing a multi-part POST with only one end delimiter. Fixed: rack#2103 Sending the following request in a browser generates a request with with only one end delimiter. ```javascript const formData = new FormData(); const request = new Request('http://127.0.0.1:8080/', { method: 'POST', body: formData, }); const response = fetch(request); ``` ``` curl 'http://127.0.0.1:8080/' \ -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryR1LC4tR6ayskIXJm' \ --data-raw $'------WebKitFormBoundaryR1LC4tR6ayskIXJm--\r\n' ``` This request is not compliant RFC7578, but is generated by major browsers such as FireFox and Chrome. Supporting this request will cause the multipart parser to return an empty value.
jeremyevans
pushed a commit
that referenced
this issue
Mar 20, 2024
Return empty when parsing a multi-part POST with only one end delimiter. Fixed: #2103 Sending the following request in a browser generates a request with with only one end delimiter. ```javascript const formData = new FormData(); const request = new Request('http://127.0.0.1:8080/', { method: 'POST', body: formData, }); const response = fetch(request); ``` ``` curl 'http://127.0.0.1:8080/' \ -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryR1LC4tR6ayskIXJm' \ --data-raw $'------WebKitFormBoundaryR1LC4tR6ayskIXJm--\r\n' ``` This request is not compliant RFC7578, but is generated by major browsers such as FireFox and Chrome. Supporting this request will cause the multipart parser to return an empty value.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Sending the following request in a chrome browser will generate a boundary request with only delimiter-line.
This request causes
Rack::Multipart::EmptyContentErrorin rack application.As @jeremyevans mentions, it doesn't seem to match the RFC2046 specification.
#1603 (comment)
Unlike #1603 (comment), the body described in this issue is not completely empty and contains a delimiter.
I am creating this issue because I think there is a possibility that delimiter-only requests have not been considered before.
But as far as I read RFC2046, is it a bug in chromium?
The text was updated successfully, but these errors were encountered: