You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@commons.apache.org by Earl Hood <ea...@earlhood.com> on 2004/03/23 20:23:28 UTC
Fixes for FileUploadBase.java
Attached is a patch to FileUploadBase.java that fixes a couple of bugs:
1. Handle correctly a boundary parameter value surrounded by quotes.
2. Case-insensitive matching of content-type values and parameter names.
For example, MULTIPART/FORM-DATA and multipart/form-data are the
same thing.
I was going to do charset stuff, but noticed that the latest CVS version
does handle this now, so the patch provided is against a recent nightly
build.
There is a change where some stricter formating is enforced. For example,
if a part does not define a content-disposition, and exception is thrown.
There is a comment asking if this is desired. It is not clear from
looking at the code and conformant a post should be. IMO, it should
be, or, conformance should be configurable. Malformed data can
indicate application errors (and possible security issues), so quietly
ignoring errors should probably be avoided.
=====
Re: Fixes for FileUploadBase.java
Posted by Earl Hood <ea...@earlhood.com>.
--- Joe Germuska <Jo...@Germuska.com> wrote:
> At 11:23 AM -0800 3/23/04, Earl Hood wrote:
> >There is a change where some stricter formating is enforced. For example,
> >if a part does not define a content-disposition, and exception is thrown.
> >There is a comment asking if this is desired.
...
> I'd suggest that this be switchable, and default to not throwing an
> exception, for backwards compatibility reasons. Also, you're
> ultimately relying on browser authors to implement the spec
> perfectly, and given the variability I've seen in things like
> assigning content-types, I think it's best to allow for browser
> variation in how dispositions are handled also.
Agreed. It then raises two questions:
* Which errors always raise exception? For example, is a missing
content-disposition always raise or error, or only when in strict
mode? If not always raise, need to define behavior (e.g. quietly
ignore?).
For simplicitly, in non-strict mode, any format errors are ignored,
which may include completely ignoring an entity (of course, fatal
errors should always throw an exception like a missing boundary
delimiter).
In strict-mode, if there is data that does not conform to the RFCs
will raise an exception.
* How can strictness be specified? Via a system property or some
method call? Or both? It appears that if done via a method call,
it would be a method on the FileUploadBase class.
For more flexibility, it may be useful to support an exception callback
handler. For example, someone may want to have non-strict parsing, but
still receive messages when there are parsing errors. I'd probably
use this to hook into a logger so i can log the problems and see
which clients are sending malformed data to see how common non-standard
posts are.
If there are no objections, I can take a stab at making some modifications
and submit a new patch. However, if some of the items are not appropriate
for the project, or someone else prefers to make the changes, I will make a
local variation of fileupload for what I need.
--ewh
=====
---------------------------------------------------------------------
To unsubscribe, e-mail: commons-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-dev-help@jakarta.apache.org
Re: Fixes for FileUploadBase.java
Posted by Joe Germuska <Jo...@Germuska.com>.
At 11:23 AM -0800 3/23/04, Earl Hood wrote:
>There is a change where some stricter formating is enforced. For example,
>if a part does not define a content-disposition, and exception is thrown.
>There is a comment asking if this is desired. It is not clear from
>looking at the code and conformant a post should be. IMO, it should
>be, or, conformance should be configurable. Malformed data can
>indicate application errors (and possible security issues), so quietly
>ignoring errors should probably be avoided.
I'd suggest that this be switchable, and default to not throwing an
exception, for backwards compatibility reasons. Also, you're
ultimately relying on browser authors to implement the spec
perfectly, and given the variability I've seen in things like
assigning content-types, I think it's best to allow for browser
variation in how dispositions are handled also.
Thanks (from another user) for providing a patch, though!
Joe
--
Joe Germuska
Joe@Germuska.com
http://blog.germuska.com
"Imagine if every Thursday your shoes exploded if you tied them
the usual way. This happens to us all the time with computers, and
nobody thinks of complaining."
-- Jef Raskin
---------------------------------------------------------------------
To unsubscribe, e-mail: commons-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-dev-help@jakarta.apache.org