WebServer: Ignore extra headers within multipart forms #9253
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description of Change
This Pull Request provides a fix for the WebServer library to ignore additional headers that may appear in
multipart/form-data
uploads. The current code assumes thatContent-Disposition
headers can only possibly be followed by aContent-Type
header, and while that is what the standard (RFC7578) intends, it is also required that any other headers be ignored (see related link).Currently, when extra header(s) are present the WebServer library will fail to properly locate the start of the submitted data. To fix this, the
Content-Type
check is simply wrapped in awhile
loop to skip over any additional headers.Tests scenarios
I have tested my Pull Request on Arduino-esp32 core v2.0.11 with an ESP32C3 Dev Module with this scenario:
Content-Length
:Content-Length
header and assume that the file data begins on the empty line that ends the header section, i.e. the WebServer will prepend the newline sequence0x0D 0x0A
to the received file data.With the provided fix, the header is ignored and the file upload is successful.
Related links
RFC 7578's requirement to ignore other header fields: https://www.rfc-editor.org/rfc/rfc7578#section-4.8
okhttp's fix, not yet in a stable release: square/okhttp#2604 (comment)