[Libwebsockets] Post argument parser problem?

Marco Gratzke marco at mcx-home.de
Tue Apr 27 11:29:50 CEST 2021


Hi everybody,

my name is Marco and this is my first post here on the list.
I am using libwebsockets for a while now and i am still quite impressed
about its efficiency. But i might have found an issue. Below i am
referring to LWS 4.0.20-2 as delivered with Debian 11 (bullseye).

According to RFC 7578, last updated July 2015, in section 4.7 for a
multipart/form-data body no other header than "Content-Type" and
"Content-Disposition" is allowed. However, they state that the
deprecated "Content-Transfer-Encoding" header may appear in limited
circumstances. Well, i have such a case here in a commercial third-party
network support library which always inserts this deprecated header
field. There is no option to disable it. The library is out of
maintenance but still in use.

Now i have the situation that at LWS the post argument parser seems to
have a problem with unexpected headers. For example, if i submit a file
using multipart/form-data containing that "Content-Transfer-Encoding"
header, nothing but the events LWS_UFS_OPEN and LWS_UFS_CLOSE are
provided to the upload callback function. A deeper investigation brought
me to the point that the parser accidently consumes the delimiting
0x0a\0x0d of the header field and then gets "out of sync". The remaining
body is then consumed while searching for the next field or content,
without providing any content to the callback function nor reporting a
parsing error.

IMHO headers unknown to the SPA should be ignored and the body should be
processed in a normal way. A possible future RFC, superseeding 7578, may
introduce other header fields and i would expect that LWS will not fail
on it.

I've created a patch that provides a working solution for me, assuming
that this described behaviour is not intendet:

==============
diff --git a/lib/roles/http/server/lws-spa.c
b/lib/roles/http/server/lws-spa.c
index fdf146de..73cfe69f 100644
--- a/lib/roles/http/server/lws-spa.c
+++ b/lib/roles/http/server/lws-spa.c
@@ -438,11 +438,11 @@ done:
 		case MT_IGNORE3:
 			if (*in == '\x0d')
 				s->state = MT_IGNORE1;
-			if (*in == '-') {
+			else if (*in == '-') {
 				s->state = MT_COMPLETED;
 				s->wsi->http.rx_content_remain = 0;
 			}
-			in++;
+			else in++;
 			break;
 		case MT_COMPLETED:
 			break;

===============


What is your opinion about dealing with non-conform multipart-form headers?

Sincerally

Marco Gratzke


More information about the Libwebsockets mailing list