Posted to apreq-dev@httpd.apache.org by Matt Hahnfeld <ma...@everysoft.com> on 2009/09/28 03:12:51 UTC

[Patch] Apache2::Request fails with POST requests containing fields with a blank name field

I have found that forms POSTed with nameless fields cause
Apache2::Request to die, throwing an APR_EBADARG to the error logs:
"Missing parameter for the specified command line option".  To
reproduce, add a form field to a form as follows:

<input type="hidden" name="" value="no_name">

Then submit it using a typical POST
(application/x-www-form-urlencoded) using a browser like Firefox.
Depending on the version of Apache you are using, you will receive a
500 error or form fields will simply not be parsed.  Either condition
is probably not desirable, especially if you don't necessarily have
control over the data being submitted.

I have patched the parser and updated the tests to allow blank name
fields to occur with no adverse effects:

--- cut here ---

diff -Naur libapreq2-2.12/library/parser_urlencoded.c
libapreq2-2.12-patched/library/parser_urlencoded.c
--- libapreq2-2.12/library/parser_urlencoded.c	2009-03-05
19:39:07.000000000 -0500
+++ libapreq2-2.12-patched/library/parser_urlencoded.c	2009-09-25
12:38:16.000000000 -0400
@@ -60,9 +60,6 @@
     apr_size_t mark;
     apreq_charset_t charset;

-    if (nlen == 0)
-        return APR_EBADARG;
-
     param = apreq_param_make(pool, NULL, nlen, NULL, vlen);
     *(const apreq_value_t **)&v = &param->v;

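Review bot: With the `nlen == 0` guard removed just ahead of `apreq_param_make(pool, NULL, nlen, NULL, vlen)`, a zero-length name now reaches the rest of this function, and nothing in the hunk shows that the name handling below it copes with a length of 0. Please confirm that path and add a short comment here stating that empty names are accepted on purpose, since every consumer of the parsed body will now see an entry keyed by the empty string.
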
diff -Naur libapreq2-2.12/library/t/parsers.c
libapreq2-2.12-patched/library/t/parsers.c
--- libapreq2-2.12/library/t/parsers.c	2009-03-05 19:39:07.000000000 -0500
+++ libapreq2-2.12-patched/library/t/parsers.c	2009-09-25
12:30:59.000000000 -0400
@@ -26,7 +26,7 @@

 static apr_pool_t *p;

-static char url_data[] = "alpha=one&beta=two;omega=last%2";
+static char url_data[] = "noval=&=noname&alpha=one&beta=two;omega=last%2";

 static char form_data[] =
 "--AaB03x" CRLF                                           /* 10 chars
@@ -167,6 +167,8 @@
     rv = apreq_parser_run(parser, body, bb);
     AT_int_eq(rv, APR_SUCCESS);

+    AT_str_eq(apr_table_get(body,"noval"), "");
+    AT_str_eq(apr_table_get(body,""), "noname");
     AT_str_eq(apr_table_get(body,"alpha"), "one");
     AT_str_eq(apr_table_get(body,"beta"), "two");
     AT_str_eq(apr_table_get(body,"omega"),"last+last");
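
Review bot: The two added `AT_str_eq` checks look up `"noval"` and `""` by key only, so the test would still pass if the parser stored an extra entry or stored the nameless field more than once. Consider also asserting the number of entries in `body` (for example via `apr_table_elts(body)->nelts`) and raising the `dT(parse_urlencoded, ...)` count to match.
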
@@ -519,7 +521,7 @@
     dAT;
     at_test_t test_list [] = {
         dT(locate_default_parsers, 3),
-        dT(parse_urlencoded, 5),
+        dT(parse_urlencoded, 7),
         dT(parse_multipart, sizeof form_data),
         dT(parse_disable_uploads, 5),
         dT(parse_generic, 4),

--- cut here ---

GET forms don't seem to have the same problem.  Some browsers may
choose not to send fields with a blank name, so this is also not an
issue for those browsers.

Any chance of getting this fixed in the next version?

Matt Hahnfeld
matth@everysoft.com
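
The failure mode reported above, where one nameless field makes the parser return an error and the rest of the body is never parsed, shown as an added example that is not part of the original post and is not libapreq2 code. `parse_pairs`, `struct pair` and the sample body are hypothetical, and percent-decoding is left out.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for illustration; not libapreq2 code. */
#define MAX_PAIRS 8
#define FIELD_MAX 32
struct pair { char name[FIELD_MAX]; char value[FIELD_MAX]; };

/* Copy at most FIELD_MAX-1 bytes and NUL-terminate. */
static void copy_field(char *dst, const char *src, size_t len)
{
    if (len >= FIELD_MAX) len = FIELD_MAX - 1;
    memcpy(dst, src, len);
    dst[len] = '\0';
}

/* Split body on '&' or ';'; *count receives the pairs stored so far.
 * Returns 0 on success, or -1 when reject_empty_name is set and a pair has a
 * zero-length name: parsing stops there, so later fields are never stored. */
static int parse_pairs(const char *body, int reject_empty_name,
                       struct pair *out, int *count)
{
    *count = 0;
    while (*body != '\0' && *count < MAX_PAIRS) {
        size_t plen = strcspn(body, "&;");           /* length of this pair */
        const char *eq = memchr(body, '=', plen);
        size_t nlen = eq ? (size_t)(eq - body) : plen;
        size_t vlen = eq ? plen - nlen - 1 : 0;
        if (plen > 0) {                              /* skip empty segments */
            if (nlen == 0 && reject_empty_name)
                return -1;
            copy_field(out[*count].name, body, nlen);
            copy_field(out[*count].value, eq ? eq + 1 : body, vlen);
            (*count)++;
        }
        body += plen;
        if (*body != '\0') body++;                   /* step over separator */
    }
    return 0;
}

int main(void)
{
    struct pair p[MAX_PAIRS];
    int n, rv;
    const char *body = "alpha=one&=no_name&beta=two"; /* constructed sample */
    rv = parse_pairs(body, 1, p, &n); printf("reject: rv=%d stored=%d\n", rv, n);
    rv = parse_pairs(body, 0, p, &n); printf("accept: rv=%d stored=%d\n", rv, n);
    return 0;
}
```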