Home Original page

Content-type parameter "boundary" is not case-insensitive in HTTP uploads

Bug #48190 Content-type parameter "boundary" is not case-insensitive in HTTP uploads
Submitted: 2009-05-08 13:46 UTC Modified: 2009-12-29 15:58 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:0 of 1 (0.0%)
From: carsten_sttgt at gmx dot de Assigned: garretts (profile)
Status: Closed Package: HTTP related
PHP Version: 5.*, 6 OS: *
Private report: No CVE-ID: None

 [2009-05-08 13:46 UTC] carsten_sttgt at gmx dot de

Description:
------------
Hello,

PHP does not work correctly with POST requests and a Content-Type of MULTIPART/form-data, if the parameter name "BOUNDARY" is in uppercase.

According to RFC2045, matching of media type, subtype and parameter (attributes) is always case-insensitive.

(only the value of the BOUNDARY parameter is compared case-sensitive)

Tested on Windows with 5.2-dev, 5.3-dev and 6.0-dev. CGI and Apache module.

Regards,
Carsten



Reproduce code:
---------------
Put this textfile in your PHP directory:
**************** test.txt ******************
--250-16659-1241787336=:9320
Content-Type: TEXT/plain; CHARSET=iso-8859-1
Content-Transfer-Encoding: QUOTED-PRINTABLE
Content-Disposition: form-data; name=nick

php-faq
--250-16659-1241787336=:9320
Content-Type: TEXT/plain; CHARSET=iso-8859-1
Content-Transfer-Encoding: QUOTED-PRINTABLE
Content-Disposition: form-data; name=desc

post demo script
--250-16659-1241787336=:9320--
********************************************

Put this phpfile in your PHP directory:
**************** test.php ******************
<?php
var_dump($_POST);
?>
********************************************

Open a command prompt, go to your PHP dir and execute:
# set REQUEST_METHOD=POST
# set REDIRECT_STATUS=1
# set SCRIPT_FILENAME=test.php
# set CONTENT_LENGTH=391
# set CONTENT_TYPE=MULTIPART/form-data; BOUNDARY="250-16659-1241787336=:9320"
# type test.text | php-cgi.exe

if you set CONTENT_TYPE in this way, you have the correct result:
# set CONTENT_TYPE=MULTIPART/form-data; boundary="250-16659-1241787336=:9320"

Regards,
Carsten

BTW:
e.g. the IMAP-Module from PHP is using/generating BOUNDARY in uppercase.


Expected result:
----------------
Content-type: text/html

array(2) {
  ["nick"]=>
  string(7) "php-faq"
  ["desc"]=>
  string(16) "post demo script"
}


Actual result:
--------------
Content-type: text/html

<br />
<b>Warning</b>:  Missing boundary in multipart/form-data POST data in <b>Unknown
</b> on line <b>0</b><br />
array(0) {
}

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

 [2009-05-08 21:41 UTC] carsten_sttgt at gmx dot de

In my first post I have refereed to RFC2045, but RFC2616 is also very clear about this [1]:
| The type, subtype, and parameter attribute names are
| case- insensitive. Parameter values might or might
| not be case-sensitive, depending on the semantics
| of the parameter name.

type = MULTIPART
subtype = form-data
parameter attribute name = BOUNDARY
parameter value = 250-16659-1241787336=:9320

[1] http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.7

 [2009-05-08 22:05 UTC] jani@php.net

Just curious, but what client actually uses uppercase/mixed case 
"boundary" parameter name? (and

 [2009-05-08 23:23 UTC] carsten_sttgt at gmx dot de

> Just curious, but what client actually uses
> uppercase/mixed case "boundary" parameter name?

I'm using imap_mail_compose() to build the 'header' and 'content' keys in the stream_context_create() options array. And then using this context with e.g. file_get_contents() to make the POST request.

BTW: The above example is a HTTP POST request without a file upload.

 [2009-05-09 04:08 UTC] jani@php.net

Yes, I know it's not an upload per se, but the code that handles is one 
that most of the time takes care of file uploads. :)

Problem is in rfc1867.c:804, strstr() should be replaced with something 
that does the same but case-insensitively.

 [2009-10-07 22:28 UTC] garretts@php.net

I'm testing a fix I've built for this right now.

 [2009-12-29 15:58 UTC] iliaa@php.net

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.