Comments (6)
I was trying to build a minimal repro script, but this is a Rack error, not a Rails one.
This behavior is intended.
That being said, there is a difference between the Rack ticket example and the example in this issue. The example in the Rack ticket doesn't pass the ending boundary, which is definitely invalid.
This ticket example does pass the ending boundary. Here's a curl version triggering the error:
curl 'http://localhost:3000/hello' \
-H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryy8DrMokPrH5xA9X2' \
--data-raw $'------WebKitFormBoundaryy8DrMokPrH5xA9X2--\r\n'
I feel like this is a different case. It's not passing any fields, but it is passing a body, with the final boundary. I would expect a parser to parse this without crashing. I was trying to look at what the spec says about this, but haven't found a quick answer. I'll look into it this week.
Hi @JoeDupuis , thank you for letting me know. I confirmed the latest "2-2-stable" resolved this issue. I appreciate your support!
I am not yet 100% sure what the 1* means in BNF notation, but I would assume one or more. If that's the case, an empty request, even with the final boundary, would not be valid.
From https://www.w3.org/Protocols/rfc1341/7_2_Multipart.html

    boundary := 0*69<bchars> bcharsnospace
    bchars := bcharsnospace / " "
    bcharsnospace := DIGIT / ALPHA / "'" / "(" / ")" / "+" / "_"
                     / "," / "-" / "." / "/" / ":" / "=" / "?"

Overall, the body of a multipart entity may be specified as follows:

    multipart-body := preamble 1*encapsulation
                      close-delimiter epilogue
    encapsulation := delimiter CRLF body-part
    delimiter := CRLF "--" boundary   ; taken from Content-Type field.
                                      ; when content-type is multipart
                                      ; There must be no space
                                      ; between "--" and boundary.
    close-delimiter := delimiter "--" ; Again, no space before "--"
    preamble := *text                 ; to be ignored upon receipt.
    epilogue := *text                 ; to be ignored upon receipt.
    body-part = <"message" as defined in RFC 822,
                 with all header fields optional, and with the
                 specified delimiter not occurring anywhere in
                 the message body, either on a line by itself
                 or as a substring anywhere. Note that the
                 semantics of a part differ from the semantics
                 of a message, as described in the text.>
1*encapsulation suggests one or more encapsulations (where an encapsulation is a delimiter + a body part).
If I read that correctly I doubt a PR to change Rack's behavior would be accepted.
I think the fix here is to open an issue or a PR on Axios' repo to stop sending empty multi part as they are not valid in the spec.
Thank you for your investigation. I opened an issue on Axios:
axios/axios#6289
I was able to confirm that the spec does require at least one part.
Turns out, the browser implementations of fetch do send this invalid request. It is not an axios issue.
The spec does warn against being too rigid in parsing. It is not this specific section, but it makes me think that this is worth the discussion.
I believe the RFC is too restrictive (see my comment in the linked issue) and/or that it should be the job of the browsers to prevent sending the invalid request on an empty form data:
await (await fetch('https://httpbin.org/post', {method: 'post', body: new FormData()})).json()
But realistically the fix here would be to relax Rack's parsing or to change your application code to account for this. I'll look into it a bit more this week.
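The two comments above turn on the same point: the RFC 1341 grammar quoted earlier requires `1*encapsulation` between the preamble and the close-delimiter, while browsers' `fetch()` sends only `--boundary--\r\n` for an empty `FormData`. The following is an added example written for this thread, not Rack's parser and not code from any participant: a small Ruby parser that implements that grammar with a `strict:` switch. In strict mode the curl body from the first comment is rejected as the spec says it should be; in lenient mode (the "relax Rack's parsing" option) it parses to zero parts. The `extract_boundary`, `parse_multipart` and `Part` names are this example's own.

```ruby
# Added example for this thread (not Rack's parser): a minimal
# multipart/form-data body parser following the RFC 1341 grammar quoted above.
#
#   multipart-body  := preamble 1*encapsulation close-delimiter epilogue
#   encapsulation   := delimiter CRLF body-part
#   delimiter       := CRLF "--" boundary
#   close-delimiter := delimiter "--"
#
# As real parsers do, the CRLF before the very first delimiter is treated as
# optional: the preamble is normally empty, so the body starts with "--boundary".

class MultipartParseError < StandardError; end

Part = Struct.new(:headers, :body) do
  # Form field name from the Content-Disposition header, or nil if absent.
  # The lookbehind keeps filename="..." from matching as name="...".
  def name
    headers["content-disposition"].to_s[/(?:^|[;\s])name="([^"]*)"/, 1]
  end
end

# Pull the boundary parameter out of a Content-Type header value such as
# 'multipart/form-data; boundary=----WebKitFormBoundaryy8DrMokPrH5xA9X2'.
def extract_boundary(content_type)
  m = content_type.match(/boundary=(?:"([^"]+)"|([^;\s]+))/)
  m && (m[1] || m[2])
end

# "Name: value" lines into a hash keyed by lower-cased header name.
def parse_headers(raw)
  raw.split("\r\n").each_with_object({}) do |line, h|
    name, value = line.split(":", 2)
    h[name.strip.downcase] = value.to_s.strip
  end
end

# Returns an Array of Part. With strict: true (the RFC reading) a body that
# carries only the close-delimiter raises; with strict: false it yields [].
def parse_multipart(body, boundary, strict: true)
  delim = "--#{boundary}"
  close_at = body.index("#{delim}--")
  raise MultipartParseError, "missing close-delimiter" unless close_at

  region = body[0...close_at]        # preamble + every encapsulation
  parts = []
  cursor = region.index(delim)       # first delimiter; nil when there is none

  while cursor
    part_start = cursor + delim.length
    unless region[part_start, 2] == "\r\n"
      raise MultipartParseError, "delimiter must be followed by CRLF"
    end
    part_start += 2
    next_delim = region.index(delim, part_start)
    raw = region[part_start...(next_delim || region.length)]
    # The CRLF before the next delimiter (or the close-delimiter) belongs to
    # that delimiter, not to the body-part, so it is removed here.
    unless raw.end_with?("\r\n")
      raise MultipartParseError, "delimiter must be preceded by CRLF"
    end
    message = raw[0...-2]
    if message.start_with?("\r\n")   # body-part with no header fields at all
      raw_headers, content = "", message[2..]
    else
      raw_headers, content = message.split("\r\n\r\n", 2)
    end
    parts << Part.new(parse_headers(raw_headers.to_s), content.to_s)
    cursor = next_delim
  end

  if parts.empty? && strict
    raise MultipartParseError,
          "RFC 1341 requires 1*encapsulation; body has only the close-delimiter"
  end
  parts
end

if $PROGRAM_NAME == __FILE__
  # The exact request from the curl command earlier in this thread.
  boundary = extract_boundary("multipart/form-data; boundary=----WebKitFormBoundaryy8DrMokPrH5xA9X2")
  empty_body = "------WebKitFormBoundaryy8DrMokPrH5xA9X2--\r\n"
  begin
    parse_multipart(empty_body, boundary)
  rescue MultipartParseError => e
    puts "strict:  #{e.message}"
  end
  puts "lenient: #{parse_multipart(empty_body, boundary, strict: false).size} parts"
end
```

Running the file prints the strict rejection followed by "lenient: 0 parts". The lenient branch is the smallest possible relaxation: it still demands a well-formed close-delimiter and CRLF placement around every delimiter, and only drops the one-or-more-parts requirement that browsers' empty `FormData` violates.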
Hi @JunichiIto, I am not sure how I missed it the first time I looked, but it turns out this issue is already fixed in Rack, but the fix wasn't included in the last release.
I asked the Rack maintainers if they could cut a release with the fix, but you don't have to wait.
If you point your Gemfile to the Rack repo, you can use the new version today.
To do so, replace (or add) the Rack gem in your Gemfile with either:

    gem "rack", github: 'rack/rack', branch: "2-2-stable"

(for version 2) or

    gem "rack", github: 'rack/rack', branch: "main"

(for version 3). Then run `bundle update rack`. That should fix the error.