From f854f9fe3eee76fee7bb55ee5de83961d8077f63 Mon Sep 17 00:00:00 2001
From: yas99en
Date: Sat, 13 Nov 2021 22:44:02 +0900
Subject: [PATCH 1/2] RFC2045 does not ensure spaces between semicolon and boundary. See https://tools.ietf.org/html/rfc2045#section-5.1
---
 lib/webrick/httprequest.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/webrick/httprequest.rb b/lib/webrick/httprequest.rb
index ff2c8a8..5254aec 100644
--- a/lib/webrick/httprequest.rb
+++ b/lib/webrick/httprequest.rb
@@ -585,7 +585,7 @@ def parse_query()
 @query = HTTPUtils::parse_query(@query_string)
 elsif self['content-type'] =~ /^application\/x-www-form-urlencoded/
 @query = HTTPUtils::parse_query(body)
- elsif self['content-type'] =~ /^multipart\/form-data; boundary=(.+)/
+ elsif self['content-type'] =~ /^multipart\/form-data; *boundary=(.+)/
 boundary = HTTPUtils::dequote($1)
 @query = HTTPUtils::parse_form_data(body, boundary)
 else

From 9000d4b4bd8aea38d8c86751a7696f51f305bcf5 Mon Sep 17 00:00:00 2001
From: yas99en
Date: Sat, 13 Nov 2021 22:46:45 +0900
Subject: [PATCH 2/2] RFC2046 does not ensure CRLF after last boundary. see https://tools.ietf.org/html/rfc2046#section-5.1.1
---
 lib/webrick/httputils.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/webrick/httputils.rb b/lib/webrick/httputils.rb
index 05597f9..7249960 100644
--- a/lib/webrick/httputils.rb
+++ b/lib/webrick/httputils.rb
@@ -404,7 +404,7 @@ def parse_query(str)
 # Parses form data in +io+ with the given +boundary+
 def parse_form_data(io, boundary)
- boundary_regexp = /\A--#{Regexp.quote(boundary)}(--)?#{CRLF}\z/
+ boundary_regexp = /\A--#{Regexp.quote(boundary)}(--|#{CRLF}|--#{CRLF})\z/
 form_data = Hash.new
 return form_data unless io
 data = nil
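Review bot: The widened pattern on the `multipart\/form-data` branch still captures with a greedy `(.+)`, so a value such as `multipart/form-data; boundary=x; charset=utf-8` (constructed example) hands `x; charset=utf-8` to `dequote` as the boundary. It also accepts only spaces, not a tab, after the semicolon, and keeps the per-line `^` anchor where `\A` would pin the match to the start of the header value. A front-end proxy or filter that reads the same header more strictly or more loosely can then disagree with this server about where the body's parts begin, so the parameter is worth parsing tightly while the line is being changed. Something like `/\Amultipart\/form-data;[ \t]*boundary=("[^"]*"|[^;\s]+)/` would stop at the next parameter; a test with zero spaces, with a tab, and with a trailing parameter would pin the behaviour. The body of parse_query starts and ends outside the hunk, so how the other branches treat the header is not visible here.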
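Review bot: The alternation added to `boundary_regexp` is a capturing group whose meaning has changed: it used to be nil except on a closing `--`, and it is now non-nil on every delimiter line. The rest of parse_form_data lies outside the hunk, so whether anything reads `$1` there needs checking; if it does, it would now treat every delimiter as the closing one. A non-capturing group, `(?:--#{CRLF}|--|#{CRLF})`, keeps the same matches without that ambiguity. A one-line comment such as `# RFC 2046 5.1.1: the close delimiter may end the body with no trailing CRLF` would record why three endings are accepted. A regression test whose body ends in `--boundary--` with no CRLF would cover the case this patch targets.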