lua-resty-upload

Feature: Lf line break

Open suikabreaker opened this issue 2 years ago • 6 comments

Fix #61

suikabreaker, Jan 12 '22 08:01

@zhuizhuhaomeng Also, can you review this PR? I will rebase the later PR onto the earlier accepted one.

suikabreaker, Jan 25 '22 07:01

According to RFC 7578 section 4.1, the boundary must:

> constructed using CRLF, "--", and the value of the "boundary" parameter

It looks like it is not meeting the standard

xiaocang, Mar 13 '22 10:03

> According to RFC 7578 section 4.1, the boundary must:
>
> > constructed using CRLF, "--", and the value of the "boundary" parameter
>
> It looks like it is not meeting the standard

I am aware of the RFC's requirements. But the fact is that Apache (mod_upload) and Nginx (upload module), and maybe many other platforms, are compatible with requests using LF as line breaks, which may be a de facto standard compared to the RFC. A WAF that uses OpenResty and resty.upload to filter request bodies will be cheated by a malicious request that intentionally uses LF line breaks.

suikabreaker, Mar 23 '22 06:03
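
The mismatch described in the comment above, as an added example that is not part of the thread or of lua-resty-upload: a plain-Lua check that reports multipart delimiter and part-header lines ending in bare LF, so a CRLF-only filter can notice such a body rather than treat it as containing no parts. The function name `bare_lf_framing`, the boundary `B` and both sample bodies are constructed for illustration.

```lua
-- Added example (not lua-resty-upload code): report multipart framing lines
-- (boundary delimiters and part headers) that end in bare LF instead of CRLF.
local function bare_lf_framing(body, boundary)
    local delim, findings = "--" .. boundary, {}
    local in_headers, prev_crlf, pos, lineno = false, true, 1, 0
    while pos <= #body do
        local nl = body:find("\n", pos, true)            -- plain-text search
        local line = body:sub(pos, (nl or #body + 1) - 1)
        local crlf = line:sub(-1) == "\r"
        if crlf then line = line:sub(1, -2) end
        local bare = nl ~= nil and not crlf              -- LF with no CR before it
        lineno = lineno + 1
        local stripped = line:gsub("[ \t]+$", "")        -- drop transport padding
        if stripped == delim or stripped == delim .. "--" then
            -- The line break before a delimiter belongs to it, so check both sides.
            if bare or not prev_crlf then
                findings[#findings + 1] = { line = lineno, kind = "delimiter" }
            end
            in_headers = (stripped == delim)             -- "--" suffix closes the body
        elseif in_headers then
            if bare then
                findings[#findings + 1] = { line = lineno, kind = "header" }
            end
            if line == "" then in_headers = false end    -- blank line ends the headers
        end
        -- Lines outside delimiters and headers are part data, where bare LF is legal.
        prev_crlf = crlf
        pos = (nl or #body) + 1
    end
    return findings
end

-- Constructed sample bodies; "B" is a made-up boundary value.
local crlf_body = table.concat({
    "--B", 'Content-Disposition: form-data; name="f"', "",
    "line1\nline2",            -- bare LF inside part data is not a framing issue
    "--B--", "",
}, "\r\n")
local lf_body = (crlf_body:gsub("\r\n", "\n"))            -- same body, LF-only framing

for name, body in pairs({ crlf = crlf_body, lf = lf_body }) do
    local found = bare_lf_framing(body, "B")
    print(name, #found == 0 and "framing is CRLF" or (#found .. " bare-LF framing lines"))
end
```

A filter that gets a non-empty result can reject the request instead of passing on a body it was unable to split into parts.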

@suikabreaker could you modify the code style by referring to another PR (#63) and rebase onto the latest master?

xiaocang, Apr 07 '22 15:04

> @suikabreaker could you modify the code style by referring to another PR (#63) and rebase onto the latest master?

Not quite sure about the code style but I've checked for typos and added documentation.

suikabreaker, Apr 08 '22 08:04

The old bug shows again... Sorry but I don't have much time for it recently. Eventually I will fix that.

suikabreaker, Apr 08 '22 13:04