[pve-devel] [PATCH v3 http-server 1/3] multipart upload: fix upload of files starting with newlines

Daniel Tschlatscher d.tschlatscher at proxmox.com
Mon Dec 12 17:05:38 CET 2022


Testing this series in the Browser, with curl and postman, I couldn't
find any issues anymore, more details below. Code looks good to me as well.


Tested-by: Daniel Tschlatscher <d.tschlatscher at proxmox.com>
Reviewed-by: Daniel Tschlatscher <d.tschlatscher at proxmox.com>


Browser/GUI:

✅ Uploading files with 0B, 1B, 1kB, 17kB, 1MB, 1GB, 10GB
✅ Uploading file with a SHA256 checksum

In curl and Postman:

✅ Changing the extension in the first boundary (error)
✅ Adding additional headers leading or trailing (ignored)
✅ Specifying no headers in first boundary (error)
✅ Inconsistent boundary parameter in the Content-Type header (error)
✅ Inconsistent boundary in the body (error)
✅ Whitespaces at the beginning of the file are not discarded
✅ Arbitrary input after the last boundary
✅ Nothing after last boundary
✅ Mixed \n and \r\n in body


On 12/12/22 16:07, Matthias Heiserer wrote:
> Currently, if a file starts with a newline, it gets removed
> and the uploda succeeds (provided no hash is given).
> 
> Signed-off-by: Matthias Heiserer <m.heiserer at proxmox.com>
> ---
>  src/PVE/APIServer/AnyEvent.pm | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/src/PVE/APIServer/AnyEvent.pm b/src/PVE/APIServer/AnyEvent.pm
> index f397a8c..545c122 100644
> --- a/src/PVE/APIServer/AnyEvent.pm
> +++ b/src/PVE/APIServer/AnyEvent.pm
> @@ -1217,7 +1217,7 @@ sub file_upload_multipart {
>  	    if ($hdl->{rbuf} =~
>  		s/^${delim_re}
>  		Content-Disposition:\ (.*?);\ name="(.*?)";\ filename="([^"]+)"${newline_re}
> -		Content-Type:\ \S*\s+
> +		Content-Type:\ \S*${newline_re}{2}
>  		//sxx
>  	    ) {
>  		assert_form_disposition($1);





More information about the pve-devel mailing list