From d7471c136901e1955547a20d7bfa126d47d81b56 Mon Sep 17 00:00:00 2001 From: Patrick Monnerat Date: Sat, 18 Apr 2020 16:50:20 +0200 Subject: [PATCH] mime: properly check Content-Type even if it has parameters New test 669 checks this fix is effective. Fixes #5256 Closes #5258 Reported-by: thanhchungbtc on github --- lib/mime.c | 21 ++++++++++++-- tests/data/Makefile.inc | 2 +- tests/data/test669 | 64 +++++++++++++++++++++++++++++++++++++++++ 3 files changed, 84 insertions(+), 3 deletions(-) create mode 100644 tests/data/test669 diff --git a/lib/mime.c b/lib/mime.c index b72732310..e13d92e94 100644 --- a/lib/mime.c +++ b/lib/mime.c @@ -1778,6 +1778,23 @@ const char *Curl_mime_contenttype(const char *filename) return NULL; } +static bool content_type_match(const char *contenttype, const char *target) +{ + size_t len = strlen(target); + + if(contenttype && strncasecompare(contenttype, target, len)) + switch(contenttype[len]) { + case '\0': + case '\t': + case '\r': + case '\n': + case ' ': + case ';': + return TRUE; + } + return FALSE; +} + CURLcode Curl_mime_prepare_headers(curl_mimepart *part, const char *contenttype, const char *disposition, @@ -1829,7 +1846,7 @@ CURLcode Curl_mime_prepare_headers(curl_mimepart *part, boundary = mime->boundary; } else if(contenttype && !customct && - strcasecompare(contenttype, "text/plain")) + content_type_match(contenttype, "text/plain")) if(strategy == MIMESTRATEGY_MAIL || !part->filename) contenttype = NULL; @@ -1905,7 +1922,7 @@ CURLcode Curl_mime_prepare_headers(curl_mimepart *part, curl_mimepart *subpart; disposition = NULL; - if(strcasecompare(contenttype, "multipart/form-data")) + if(content_type_match(contenttype, "multipart/form-data")) disposition = "form-data"; for(subpart = mime->firstpart; subpart; subpart = subpart->nextpart) { ret = Curl_mime_prepare_headers(subpart, NULL, disposition, strategy); diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc index aa2883929..aabe1e6d9 100644 --- a/tests/data/Makefile.inc +++ b/tests/data/Makefile.inc @@ -87,7 +87,7 @@ test626 test627 test628 test629 test630 test631 test632 test633 test634 \ test635 test636 test637 test638 test639 test640 test641 test642 \ test643 test644 test645 test646 test647 test648 test649 test650 test651 \ test652 test653 test654 test655 test656 test658 test659 test660 test661 \ -test662 test663 test664 test665 test666 test667 test668 \ +test662 test663 test664 test665 test666 test667 test668 test669 \ test670 test671 test672 test673 \ \ test700 test701 test702 test703 test704 test705 test706 test707 test708 \ diff --git a/tests/data/test669 b/tests/data/test669 new file mode 100644 index 000000000..aaae2c51d --- /dev/null +++ b/tests/data/test669 @@ -0,0 +1,64 @@ + + + +HTTP +HTTP POST +HTTP MIME POST +HTTP FORMPOST + + +# Server-side + + +HTTP/1.0 200 OK swsclose +Date: Thu, 09 Nov 2010 14:49:00 GMT +Server: test-server/fake + +blablabla + + + + +# Client-side + + +http + + +HTTP custom Content-Type with parameter + + +http://%HOSTIP:%HTTPPORT/we/want/669 -H 'Content-type: multipart/form-data; charset=utf-8' -F name=daniel -F tool=curl + + + + +# Verify data after the test has been "shot" + + +^User-Agent:.* + + +s/^--------------------------[a-z0-9]*/------------------------------/ +s/boundary=------------------------[a-z0-9]*/boundary=----------------------------/ + + +POST /we/want/669 HTTP/1.1 +User-Agent: curl/7.10.4 (i686-pc-linux-gnu) libcurl/7.10.4 OpenSSL/0.9.7a ipv6 zlib/1.1.3 +Host: %HOSTIP:%HTTPPORT +Accept: */* +Content-Length: 242 +Content-Type: multipart/form-data; charset=utf-8; boundary=---------------------------- + +------------------------------ +Content-Disposition: form-data; name="name" + +daniel +------------------------------ +Content-Disposition: form-data; name="tool" + +curl +-------------------------------- + + +