[PATCH v2 3/4] Check that key/value parameters in HTTP headers are quoted in needed.

Sat, 28 Oct 2023 03:46:05 -0700 

If the value has a space, it should be quoted. In headers with a simple
list of strings, the parser would not stop for space, but
“key=value and value;” parameters must be quoted, otherwise the parser
will expect “and” to be a new token.

* test-suite/tests/web-http.test ("general headers"): Test it on
Content-Disposition.
[Cache-Control test]: Adjust for round-trip.
---
 module/web/http.scm            | 3 ++-
 test-suite/tests/web-http.test | 4 +++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/module/web/http.scm b/module/web/http.scm
index b34159aab..195265dfd 100644
--- a/module/web/http.scm
+++ b/module/web/http.scm
@@ -498,7 +498,8 @@ as an ordered alist."
 (define (default-val-writer k val port)
   (if (or (string-index val #\;)
           (string-index val #\,)
-          (string-index val #\"))
+          (string-index val #\")
+          (string-index val #\space))
       (write-qstring val port)
       (put-string port val)))
 
diff --git a/test-suite/tests/web-http.test b/test-suite/tests/web-http.test
index 06dd9479c..b73d72ced 100644
--- a/test-suite/tests/web-http.test
+++ b/test-suite/tests/web-http.test
@@ -242,7 +242,7 @@
   (pass-if-parse cache-control "max-stale=10" '((max-stale . 10)))
   (pass-if-round-trip "Cache-Control: acme-cache-extension\r\n")
   (pass-if-round-trip "Cache-Control: acme-cache-extension=20\r\n")
-  (pass-if-round-trip "Cache-Control: acme-cache-extension=100 quux\r\n")
+  (pass-if-round-trip "Cache-Control: acme-cache-extension=\"100 quux\"\r\n")
   (pass-if-round-trip "Cache-Control: acme-cache-extension=\"100, quux\"\r\n")
 
   (pass-if-parse connection "close" '(close))
@@ -295,6 +295,8 @@
   (pass-if-parse allow "foo, bar" '(foo bar))
   (pass-if-parse content-disposition "form-data; name=\"file\"; 
filename=\"q.go\""
                  '(form-data (name . "file") (filename . "q.go")))
+  (pass-if-parse content-disposition "form-data; name=\"file with space\"; 
filename=\"q.go\""
+                 '(form-data (name . "file with space") (filename . "q.go")))
   (pass-if-parse content-encoding "qux, baz" '(qux baz))
   (pass-if-parse content-language "qux, baz" '("qux" "baz"))
   (pass-if-parse content-length "100" 100)
-- 
2.41.0

Reply via email to