[pve-devel] [PATCH http-server 1/1] fix #4344: http-server: ignore unused multipart headers

Matthias Heiserer m.heiserer at proxmox.com
Mon Nov 14 11:33:48 CET 2022


Thanks for the patch! I must have overlooked that in my original patch. 
Didn't think to test with proxmoxer :)

In case you haven't done so already, please submit the contributor license 
agreement. We require that in order to use your patch.
https://www.proxmox.com/en/proxmox-ve/get-involved

On 14.11.2022 00:48, John Hollowell wrote:
> Signed-off-by: John Hollowell <jhollowe at johnhollowell.com>
> ---
>   src/PVE/APIServer/AnyEvent.pm | 8 ++++----
>   1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/src/PVE/APIServer/AnyEvent.pm b/src/PVE/APIServer/AnyEvent.pm
> index f397a8c..d958642 100644
> --- a/src/PVE/APIServer/AnyEvent.pm
> +++ b/src/PVE/APIServer/AnyEvent.pm
> @@ -1215,15 +1215,15 @@ sub file_upload_multipart {
>   	    $extract_form_disposition->('checksum');
> 
>   	    if ($hdl->{rbuf} =~
> -		s/^${delim_re}
> -		Content-Disposition:\ (.*?);\ name="(.*?)";\ filename="([^"]+)"${newline_re}
> -		Content-Type:\ \S*\s+
> -		//sxx
> +		s/^${delim_re}Content-Disposition:\ (.*?);\ name="(.*?)";\ filename="([^"]+)"//sxx
We should drop the xx and escaping of spaces, it's not needed for the 
single line.
>   	    ) {
>   		assert_form_disposition($1);
>   		die "wrong field name '$2' for file upload, expected 'filename'" if $2 ne "filename";
>   		$rstate->{phase} = 2;
>   		$rstate->{params}->{filename} = trim($3);
> +
> +		# remove any remaining multipart "headers" like Content-Type
> +		$hdl->{rbuf} =~ s/^.*?${newline_re}{2}//s
I'm thinking of whether it would be better to include this line in the 
other one, or not. Probably clearer the way it is now.
>   	    }
>   	}
> 
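Review bot: the result of the new header-stripping substitution (s/^.*?${newline_re}{2}//s, last statement in the if body) is ignored, while $rstate->{phase} = 2 has already been set a few lines above it. If $hdl->{rbuf} does not yet contain the blank line that terminates the part headers, nothing is removed and the remaining header lines such as Content-Type stay in the buffer for the next phase. Suggest switching the phase only once the substitution has succeeded, or folding the header skip into the first regex so that both match or neither does. The {2} quantifier also relies on $newline_re interpolating as a single group, which holds for a qr// object but is not visible in this hunk. Minor: the added statement has no terminating semicolon; Perl accepts that for the last statement in a block, but adding it avoids a surprise when a line is appended later.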
> --
> 2.30.2
> 
> 
Reviewed-by: Matthias Heiserer <m.heiserer at proxmox.com>
Tested-by: Matthias Heiserer <m.heiserer at proxmox.com>






