h2c --data-binary output should be escaped

--data-binary output should be escaped

Open salty-horse opened this issue 6 years ago • 3 comments

Similar to the -F multipart bugs, the strings after --data-bianry are not escaped.

Given this input:

POST / HTTP/1.1
Host: localhost:8000
User-Agent: curl/7.47.0
Accept: */*
Content-Length: 5
Content-Type: application/x-www-form-urlencoded

$PATH

h2c outputs: curl --http1.1 --user-agent "curl/7.47.0" --data-binary "$PATH" https://localhost:8000/

A POSIX shell will expand $PATH.

Apr 15 '18 07:04 salty-horse

The same is true for other fields, such as user agent.

Apr 16 '18 13:04 salty-horse

Yes, and other headers too.

Apr 17 '18 21:04 bagder

Binary data (specifically non-printable characters) should also be escaped and written as \x##.

Aug 12 '18 09:08 salty-horse