Date: Mon, 7 May 2012 08:04:28 -0700 (PDT)
In-Reply-To:
References: <20120504233415.GA25832@dcvr.yhbt.net>
Message-ID:
Subject: Re: bug report and unit test for infinite loop parsing Content-Disposition header
From: Paul Rogers
To: Rack Development
Reply-To: rack-devel@googlegroups.com

Thanks for the responses, and sorry for the double posting, not sure what happened there.

I also found I can quote the filename, which passes the tests. The app I'm using this in is a mock for another service, and I'll have to check if the real service accepts a quoted string. I'll also try these fixes in case that works better for me.

Thanks,
Paul

On May 6, 6:39 pm, Lawrence Pit wrote:
> Given the value of DISPPARM must always have at least 1 character (according to RFC2183 and RFC2045) that fix seems correct to me.
>
> In addition I would make the TOKEN regexp non-greedy (for the BROKEN_UNQUOTED case):
>
>     TOKEN = /[^\s()<>,;:\\"\/\[\]?=]+?/
>
> Also, why is the "@" character accepted as part of a TOKEN? It is part of the tspecials (in RFC2045), so I think it should not be accepted as a valid token character.
>
> Cheers,
> Lawrence
>
> > I think the following should fix your issue (but I'm not sure it's
> > correct):
> >
> > diff --git a/lib/rack/multipart.rb b/lib/rack/multipart.rb
> > index 3777106..6849248 100644
> > --- a/lib/rack/multipart.rb
> > +++ b/lib/rack/multipart.rb
> > @@ -12,7 +12,7 @@ module Rack
> >      MULTIPART = %r|\Amultipart/.*boundary=\"?([^\";,]+)\"?|n
> >      TOKEN = /[^\s()<>,;:\\"\/\[\]?=]+/
> >      CONDISP = /Content-Disposition:\s*#{TOKEN}\s*/i
> > -    DISPPARM = /;\s*(#{TOKEN})=("(?:\\"|[^"])*"|#{TOKEN})*/
> > +    DISPPARM = /;\s*(#{TOKEN})=("(?:\\"|[^"])*"|#{TOKEN})/
> >      RFC2183 = /^#{CONDISP}(#{DISPPARM})+$/i
> >      BROKEN_QUOTED = /^#{CONDISP}.*;\sfilename="(.*?)"(?:\s*$|\s*;\s*#{TOKEN}=)/i
> >      BROKEN_UNQUOTED = /^#{CONDISP}.*;\sfilename=(#{TOKEN})/i
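Review bot: dropping the trailing `*` from the DISPPARM value group is the right change, but the hunk carries no regression test for the header that triggered the report. With `("(?:\\"|[^"])*"|#{TOKEN})*` the value could be absent, so `; filename=` matched with a nil capture, and because `#{TOKEN}` is itself `[...]+`, an unquoted value under that outer `*` could be split into exponentially many token runs whenever a later part of `RFC2183` (`(#{DISPPARM})+$`) failed to match, which is the likely source of the reported hang. Please add a test with a long unquoted filename followed by a character outside TOKEN (a `(` or `:`, for example) asserting that RFC2183 is rejected without stalling, and a second one asserting that `; filename=` no longer yields a nil value. Visible in the context lines but not changed here: the TOKEN class omits `@`, which RFC 2045 lists among tspecials, so `a@b` is still accepted as a token.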
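To make the regexes from the quoted patch concrete, here is an added example that is not Rack's code and was not posted by anyone in this thread: a small Content-Disposition parser built on the patched DISPPARM (the trailing `*` removed), with the pre-patch pattern kept alongside as DISPPARM_OLD so the difference on an empty `filename=` can be seen directly. The helper names parse_content_disposition, unquote and rfc2183_compliant?, the DISPPARM_OLD constant and the sample headers are my own constructions; TOKEN, CONDISP, DISPPARM and RFC2183 are copied from the patch.

```ruby
# Added example, not Rack's code: a Content-Disposition parser built on the
# regexes from the quoted patch. DISPPARM is the patched form; DISPPARM_OLD
# keeps the pre-patch trailing '*' so the two can be compared side by side.
TOKEN        = /[^\s()<>,;:\\"\/\[\]?=]+/
CONDISP      = /Content-Disposition:\s*#{TOKEN}\s*/i
DISPPARM_OLD = /;\s*(#{TOKEN})=("(?:\\"|[^"])*"|#{TOKEN})*/  # value may be empty (pre-patch)
DISPPARM     = /;\s*(#{TOKEN})=("(?:\\"|[^"])*"|#{TOKEN})/   # value required (patched)
RFC2183      = /^#{CONDISP}(#{DISPPARM})+$/i

# Strip the surrounding quotes of a quoted-string value and undo \x escapes.
# Unquoted token values are returned unchanged.
def unquote(value)
  return value unless value.length >= 2 && value.start_with?('"') && value.end_with?('"')
  value[1..-2].gsub(/\\(.)/, '\1')
end

# True when the whole header line is well-formed per the RFC2183 pattern.
def rfc2183_compliant?(head)
  !(head =~ RFC2183).nil?
end

# Parse one header line into { type: 'form-data', params: { 'name' => ..., ... } }.
# parm_re lets the caller choose the old or the patched parameter pattern.
# Returns nil when the line is not a Content-Disposition header at all.
def parse_content_disposition(head, parm_re = DISPPARM)
  m = head.match(/\AContent-Disposition:\s*(#{TOKEN})/i)
  return nil unless m
  params = {}
  head.scan(parm_re) do |name, value|
    # With DISPPARM_OLD `value` can be nil (the '*' allowed an empty value);
    # with the patched DISPPARM a parameter without a value simply does not match.
    params[name.downcase] = value && unquote(value)
  end
  { type: m[1].downcase, params: params }
end

if __FILE__ == $0
  # Constructed sample headers: quoted (what Paul found works), unquoted,
  # a quoted value containing an escaped quote, and an empty filename.
  [
    'Content-Disposition: form-data; name="files"; filename="report.pdf"',
    'Content-Disposition: form-data; name="files"; filename=report.pdf',
    'Content-Disposition: form-data; name="f"; filename="we\"ird.txt"',
    'Content-Disposition: form-data; name="f"; filename=',
  ].each do |head|
    puts head
    puts "  rfc2183: #{rfc2183_compliant?(head)}"
    puts "  patched: #{parse_content_disposition(head)[:params].inspect}"
    puts "  old:     #{parse_content_disposition(head, DISPPARM_OLD)[:params].inspect}"
  end
end
```

The example keeps `@` in TOKEN exactly as the patch does; Lawrence's tspecials point would be a one-character addition to the negated class. DISPPARM_OLD is included only for contrast: on the empty `filename=` header it reports a parameter with a nil value, while the patched pattern leaves that parameter out and RFC2183 rejects the line, so the caller falls through to the BROKEN_* patterns instead of looping over a pattern that can match nothing.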