From 4f15681097997bd3f8b4f9ce1a7db296724e921a Mon Sep 17 00:00:00 2001 From: Jeremy Evans Date: Fri, 28 Apr 2023 17:05:27 -0700 Subject: Limit max size and number of parameters parsed for Content-Disposition Not strictly necessary, but this limits the damage in pathological cases. These limits are probably already too generous, we could probably get by with 8 params and 1024 bytes. One of tests uses more than 1024 bytes, though. Still, it seems unlikely any legitimate requests would exceed these limits. We could make the limits configurable via an accessor method, if desired.
---
test/spec_multipart.rb | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) (limited to 'test/spec_multipart.rb')
diff --git a/test/spec_multipart.rb b/test/spec_multipart.rb
index c36fe50c..6acdeeaf 100644
--- a/test/spec_multipart.rb
+++ b/test/spec_multipart.rb
@@ -311,6 +311,32 @@ describe Rack::Multipart do
 x["file\\-xfoo"][:name].must_equal "file\\-xfoo"
 end
 
+ it "parse up to 16 content-disposition params" do
+ x = content_disposition_parse.call("#{14.times.map{|x| "a#{x}=b;"}.join} filename=\"bar\"; name=\"file\"")
+ x.keys.must_equal ["file"]
+ x["file"][:filename].must_equal "bar"
+ x["file"][:name].must_equal "file"
+ end
+
+ it "stop parsing content-disposition after 16 params" do
+ x = content_disposition_parse.call("#{15.times.map{|x| "a#{x}=b;"}.join} filename=\"bar\"; name=\"file\"")
+ x.keys.must_equal ["bar"]
+ x["bar"][:filename].must_equal "bar"
+ x["bar"][:name].must_equal "bar"
+ end
+
+ it "allow content-disposition values up to 1536 bytes" do
+ x = content_disposition_parse.call("a=#{'a'*1480}; filename=\"bar\"; name=\"file\"")
+ x.keys.must_equal ["file"]
+ x["file"][:filename].must_equal "bar"
+ x["file"][:name].must_equal "file"
+ end
+
+ it "ignore content-disposition values over to 1536 bytes" do
+ x = content_disposition_parse.call("a=#{'a'*1510}; filename=\"bar\"; name=\"file\"")
+ x.must_equal "text/plain"=>[""]
+ end
+
 it 'raises an EOF error on content-length mismatch' do
 env = Rack::MockRequest.env_for("/", multipart_fixture(:empty))
 env['rack.input'] = StringIO.new
-- cgit v1.2.1
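Review bot: In the first two new tests the block parameter in `14.times.map{|x| "a#{x}=b;"}` shadows the local `x` that the same statement assigns, which Ruby reports as a shadowing warning under `-w`; renaming it avoids that, e.g. `x = content_disposition_parse.call("#{14.times.map { |i| "a#{i}=b;" }.join} filename=\"bar\"; name=\"file\"")` (and likewise with `15.times` in the second test). The limits 16 and 1536 appear only as bare literals in the test names and string-building arithmetic, so a one-line comment above the first test stating where those two limits come from would keep the tests readable when the limits are later changed or made configurable. The fourth test's name has a typo, "over to 1536 bytes" should read "over 1536 bytes", and it is worth adding a comment such as `# an over-long value makes the whole header unparseable, so the part degrades to a plain text/plain body` since that fall-through (presumably the intended safe failure mode) is only implied by the `"text/plain"=>[""]` assertion. The enclosing `describe Rack::Multipart` block starts and ends outside this hunk.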