From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 542FAEBCF for ; Mon, 12 Dec 2022 14:14:55 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 3D0A75026 for ; Mon, 12 Dec 2022 14:14:55 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Mon, 12 Dec 2022 14:14:54 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 0ED0542DD9 for ; Mon, 12 Dec 2022 14:14:54 +0100 (CET) From: Matthias Heiserer To: pve-devel@lists.proxmox.com Date: Mon, 12 Dec 2022 14:14:44 +0100 Message-Id: <20221212131445.129378-1-m.heiserer@proxmox.com> X-Mailer: git-send-email 2.30.2 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL -0.169 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pve-devel] [PATCH v2 http-server 1/2] fix multipart upload: ignore additional headers X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 12 Dec 2022 13:14:55 -0000 Reported in the forum: https://forum.proxmox.com/threads/image-upload-fails-after-upgrading-from-7-1-to-7-3.119051/#post-516517 When additional headers existed in the request body, the upload failed. With this patch, all additional headers get ignored. Example: The following upload would fail because no headers were expected after Content-Disposition. ``` --EPIHyQJFC5ftgoXHMe8-Jc6E7FqA4oMb0QBfOTz Content-Disposition: form-data; name="content" Content-Type: text/plain; charset=ISO-8859-1 iso ``` would fail. These headers now also get ignored, as we don't use them. Also, upload now works when the Content-Disposition header isn't the first, i.e. ``` --XVH95dt1-A3J8mWiLCmHCW4roSC7-gBntjATBy-- Content-Type: text/plain; charset=ISO-8859-1 Content-Disposition: form-data; name="content" ``` Fixed upload was tested using * Curl * GUI * Apache HttpClient 5 Signed-off-by: Matthias Heiserer --- Changes from v1: * wait for delimiter before handling data, as reported in forum * squash ignore order of headers patch src/PVE/APIServer/AnyEvent.pm | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/src/PVE/APIServer/AnyEvent.pm b/src/PVE/APIServer/AnyEvent.pm index f397a8c..63b61a9 100644 --- a/src/PVE/APIServer/AnyEvent.pm +++ b/src/PVE/APIServer/AnyEvent.pm @@ -1201,11 +1201,19 @@ sub file_upload_multipart { $rstate->{phase} = 1; } + my $remove_until_data = sub { + my ($hdl) = @_; + # remove any remaining multipart "headers" like Content-Type + $hdl->{rbuf} =~ s/^.*?${newline_re}{2}//s; + }; + my $extract_form_disposition = sub { my ($name) = @_; - if ($hdl->{rbuf} =~ s/^${delim_re}Content-Disposition: (.*?); name="$name"(.*?)($delim_re)/$3/s) { + if ($hdl->{rbuf} =~ s/^${delim_re}.*?Content-Disposition: (.*?); name="$name"(.*?${delim_re})/$2/s) { assert_form_disposition($1); - $rstate->{params}->{$name} = trim($2); + $remove_until_data->($hdl); + $hdl->{rbuf} =~ s/^(.*?)(${delim_re})/$2/s; + $rstate->{params}->{$name} = trim($1); } }; -- 2.30.2