[interchange] Disallow name="" in Content-Disposition header.

Daniel Browning interchange-cvs at icdevgroup.org
Sat Apr 2 21:09:25 UTC 2011


commit be6337367beca9c93c426cf8b6c2665cb95cd49a
Author: Daniel Browning <db at kavod.com>
Date:   Sat Apr 2 14:04:32 2011 -0700

    Disallow name="" in Content-Disposition header.
    
    Jon Jensen noticed that the last commit (b29f34f5) introduced a new
    problem by relaxing the constraint a little too much and allowing
    empty strings. This patch by Mike Heins goes back to requiring at
    least one character, while still allowing 0.

 lib/Vend/Server.pm |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
---
diff --git a/lib/Vend/Server.pm b/lib/Vend/Server.pm
index a6620f5..5baf109 100644
--- a/lib/Vend/Server.pm
+++ b/lib/Vend/Server.pm
@@ -478,7 +478,7 @@ sub parse_multipart {
 			}
 
 #::logDebug("Content-Disposition: " .  $header{'Content-Disposition'});
-			my($param)= $header{'Content-Disposition'}=~/ name="?([^\";]*)"?/;
+			my($param)= $header{'Content-Disposition'}=~/ name="?([^\";]+)"?/;
 
 			# Bug:  Netscape doesn't escape quotation marks in file names!!!
 			my($filename) = $header{'Content-Disposition'}=~/ filename="?([^\";]*)"?/;



More information about the interchange-cvs mailing list