Ralph Mitchell wrote:
> The '@' character is hex 40, so you could try that. Curl shouldn't
> interpret %40 as the '@', but I think the server ought to
> back-translate everything %xx that it sees.
I suspect that won't work, but I'll try it. multipart/form-data is sent MIME
encoded, not URL encoded, so whatever is interpreting the post data at the other
end will probably just see '%', '4' and '0'.
Thanks for the speedy reply though.
> Ralph Mitchell
> On Wed, 23 Feb 2005 11:47:21 +1100, David Houlder
> <david.houlder_at_anu.edu.au> wrote:
>> curl --form name=value http://somewhere.org
>> there is a bit of special syntax that applies to the value part in that if I say
>> curl --form name=@filename http://somewhere.org
>> it does a multipart form post, and transfers the contents of filename.
>> OK then: how do I transfer a literal value that starts with '@'? Is there any
>> way of sending a literal 'name=@some-string'? As far as I can tell from reading
>> the curl man page, the 'value' part isn't supposed to be URL encoded, so '@' is
>> a perfectly valid character that you might want to send.
>> I suppose I'm really approaching this from a security point of view - you might
>> have a case where 'value' is captured from a user, and there needs to be a way
>> of ensuring that what they type gets sent verbatim without the possibility of
>> opening some file and sending its contents. The same '@' trick works in
>> curl_setopt() in PHP too, and the same vulnerability arises.
>> David.Houlder_at_anu.edu.au ANU Supercomputer Facility
>> Phone: +61 2 6125 0578 and APAC National Facility
>> Fax: +61 2 6125 8199 Leonard Huxley Bldg (No. 56)
>> Australian National University
>> Canberra, ACT, 0200, Australia
David.Houlder_at_anu.edu.au ANU Supercomputer Facility
Phone: +61 2 6125 0578 and APAC National Facility
Fax: +61 2 6125 8199 Leonard Huxley Bldg (No. 56)
Australian National University
Canberra, ACT, 0200, Australia
Received on 2005-02-23
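
Added example, not part of the original thread and not curl's own code: curl releases newer than this thread provide `--form-string`, which sends the value of a form field literally, so a leading '@' or '<' no longer means "read a file". The sketch below audits script text for `-F`/`--form` arguments built from variables and shows the literal-safe call; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Sample lines are constructed; function names are hypothetical.

# Constructed sample: curl calls as they might appear in a shell script.
sample_script() {
cat <<'EOF'
curl --form "comment=$USER_INPUT" http://somewhere.org
curl -F "avatar=@/srv/static/logo.png" http://somewhere.org
curl --form-string "comment=$USER_INPUT" http://somewhere.org
curl -F note=${NOTE} http://somewhere.org
EOF
}

# Audit: read script text on stdin and print (with line numbers) every
# -F/--form argument whose value is built from a shell variable. Fixed file
# uploads and --form-string are not reported.
find_risky_form_args() {
    grep -nE '(^|[[:space:]])(-F|--form)[[:space:]]+"?[A-Za-z0-9_.-]+=[^[:space:]"]*\$'
}

# Return 0 if -F/--form would give the value special meaning:
# a leading '@' (attach file) or '<' (read field content from file).
form_value_is_special() {
    case "$1" in
        @*|'<'*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Print the two curl arguments that send NAME=VALUE verbatim, one per line.
literal_form_args() {
    printf '%s\n' --form-string "$1=$2"
}

# Post one untrusted value as a literal multipart field.
# usage: post_literal_field URL NAME VALUE
post_literal_field() {
    curl --form-string "$2=$3" "$1"
}

# Run the audit over the constructed sample; reports lines 1 and 4.
sample_script | find_risky_form_args
```

The audit is a line-based pattern match, so it misses arguments split across lines or assembled in an array; treat a clean result as a prompt for manual review, not proof.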