You are viewing a plain text version of this content. The canonical link for it is here.
Posted to apreq-dev@httpd.apache.org by Matt Hahnfeld <ma...@everysoft.com> on 2009/09/28 03:12:51 UTC
[Patch] Apache2::Request fails with POST requests containing fields
with a blank name field
I have found that forms POSTed with nameless fields cause
Apache2::Request to die, throwing a APR_EBADARG to the error logs:
"Missing parameter for the specified command line option". To
reproduce, add a form field to a form as follows:
<input type="hidden" name="" value="no_name">
Then submit it using a typical POST
(application/x-www-form-urlencoded) using a browser line Firefox.
Depending on the version of Apache you are using, you will receive a
500 error or form fields will simply not be parsed. Either condition
is probably not desirable, especially if you don't necessarily have
control over the data being submitted.
I have patched the parser and updated the tests to allow blank name
fields to occur with no adverse effects:
--- cut here ---
diff -Naur libapreq2-2.12/library/parser_urlencoded.c
libapreq2-2.12-patched/library/parser_urlencoded.c
--- libapreq2-2.12/library/parser_urlencoded.c 2009-03-05
19:39:07.000000000 -0500
+++ libapreq2-2.12-patched/library/parser_urlencoded.c 2009-09-25
12:38:16.000000000 -0400
@@ -60,9 +60,6 @@
apr_size_t mark;
apreq_charset_t charset;
- if (nlen == 0)
- return APR_EBADARG;
-
param = apreq_param_make(pool, NULL, nlen, NULL, vlen);
*(const apreq_value_t **)&v = ¶m->v;
diff -Naur libapreq2-2.12/library/t/parsers.c
libapreq2-2.12-patched/library/t/parsers.c
--- libapreq2-2.12/library/t/parsers.c 2009-03-05 19:39:07.000000000 -0500
+++ libapreq2-2.12-patched/library/t/parsers.c 2009-09-25
12:30:59.000000000 -0400
@@ -26,7 +26,7 @@
static apr_pool_t *p;
-static char url_data[] = "alpha=one&beta=two;omega=last%2";
+static char url_data[] = "noval=&=noname&alpha=one&beta=two;omega=last%2";
static char form_data[] =
"--AaB03x" CRLF /* 10 chars
@@ -167,6 +167,8 @@
rv = apreq_parser_run(parser, body, bb);
AT_int_eq(rv, APR_SUCCESS);
+ AT_str_eq(apr_table_get(body,"noval"), "");
+ AT_str_eq(apr_table_get(body,""), "noname");
AT_str_eq(apr_table_get(body,"alpha"), "one");
AT_str_eq(apr_table_get(body,"beta"), "two");
AT_str_eq(apr_table_get(body,"omega"),"last+last");
@@ -519,7 +521,7 @@
dAT;
at_test_t test_list [] = {
dT(locate_default_parsers, 3),
- dT(parse_urlencoded, 5),
+ dT(parse_urlencoded, 7),
dT(parse_multipart, sizeof form_data),
dT(parse_disable_uploads, 5),
dT(parse_generic, 4),
--- cut here ---
GET forms don't seem to have the same problem. Some browsers may
choose not to send fields with a blank name, so this is also not an
issue for those browsers.
Any chance of getting this fixed in the next version?
Matt Hahnfeld
matth@everysoft.com