Don't remove whitespace before every newline character. Support no CR… #5

Merged
merged 2 commits into from
Dec 20, 2024

smashery

@smashery smashery commented Dec 6, 2024

This fixes some parsing issues I've been having while working on SCCM. Specifically:

  • Whitespace followed by newline characters was deleted. I believe the intent of this was to remove whitespace at the end of a part's content. However because the regex $ matches any newline, even in the middle of the content, this corrupted binary data, wherein every "\x0A" character had a small-but-reasonable chance of being preceded by whitespace of some description, and having that whitespace deleted.
  • In addition, consider what happens if you actually want your content to end in CRLF. The existing code was over-aggressive in stripping it. The correct behaviour (per RFC2046) is to treat the final CRLF before a boundary as "part of the boundary", and then (to quote the spec), "Body parts that must be considered to end with line breaks, therefore, must have two CRLFs preceding the boundary delimiter line, the first of which is part of the preceding body part, and the second of which is part of the encapsulation boundary." We should therefore only remove one CRLF, otherwise there's a 1-in-65536 chance that any arbitrary random binary data happens to end in "\x0D\x0A", which would be incorrectly stripped. This is why I've modified the "allows to populate parts contents from argument" test case, which I believe was incorrect.
  • If the final --boundary-- didn't have CRLF after it (as is the case from an SCCM server), it would not recognise that as a valid boundary.
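
The three cases in the description above, as an added example that is not code from this pull request or from the project. The names `naive_strip` and `part_contents` are hypothetical, the boundary and sample bytes are constructed, and the splitter only assumes RFC 2046 framing (delimiter line, headers, blank line, content, CRLF, next delimiter).

```ruby
CRLF = "\r\n".b

# Failure mode from the first bullet: in Ruby, `$` matches before every
# "\n", not only at the end of the string, so interior bytes are deleted.
def naive_strip(content)
  content.gsub(/[ \t]+$/, '')
end

# Return the content of each part, byte for byte.
def part_contents(body, boundary)
  body = body.b
  delim = "--#{boundary}".b
  contents = []
  pos = body.index(delim)
  while pos
    pos += delim.bytesize
    # Closing delimiter "--boundary--": a CRLF after it is optional.
    break if body.byteslice(pos, 2) == '--'
    line_end = body.index(CRLF, pos) or break
    # The blank line (CRLF CRLF) ends the headers, which may be empty.
    hdr_end = body.index(CRLF + CRLF, line_end) or break
    nxt = body.index(CRLF + delim, hdr_end + 2) or break
    start = hdr_end + 4
    # Exactly one CRLF (the one at nxt) belongs to the boundary; anything
    # before it, including an earlier CRLF, is content.
    contents << (nxt >= start ? body.byteslice(start, nxt - start) : ''.b)
    pos = nxt + 2
  end
  contents
end

# Constructed sample: a binary part that contains " \n" and ends in CRLF,
# a second part with no headers, and a closing boundary with no CRLF after it.
BINARY = "\x00\x20\x0A\xFF\x0D\x0A".b
SAMPLE = "--frontier\r\nContent-Type: application/octet-stream\r\n\r\n".b +
         BINARY + "\r\n--frontier\r\n\r\ntext\r\n--frontier--".b
```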

@adfoster-r7 adfoster-r7 marked this pull request as ready for review December 6, 2024 11:52
@adfoster-r7 adfoster-r7 marked this pull request as draft December 6, 2024 12:25
@adfoster-r7

If you rebase against master this will run the automated tests 👍

… part's content (per the RFC2046 spec). Added binary test.
@smashery smashery marked this pull request as ready for review December 9, 2024 03:10
@smcintyre-r7 smcintyre-r7 self-assigned this Dec 20, 2024
@smcintyre-r7 smcintyre-r7 merged commit 7e8b35e into rapid7:master Dec 20, 2024
13 checks passed