curl-tracker mailing list Archives

[ curl-Bugs-2525347 ] CURLOPT_READFUNCTION/CURLFORM_STREAM overwrites MIME boundary

From: SourceForge.net <noreply_at_sourceforge.net>
Date: Mon, 26 Jan 2009 13:33:21 +0000

Bugs item #2525347, was opened at 2009-01-21 02:24
Message generated for change (Comment added) made by bagder
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=2525347&group_id=976

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: libcurl
Group: wrong behaviour
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Brian Wilson (brianwski)
Assigned to: Daniel Stenberg (bagder)
Summary: CURLOPT_READFUNCTION/CURLFORM_STREAM overwrites MIME boundary

Initial Comment:
On Windows Vista32 (but reproducible on Linux and Macintosh platforms), libCURL 7.19.3, I just started using CURLFORM_STREAM and the CURLOPT_READFUNCTION with a Multi-Part Mime POST of HTTPS, and the CURLOPT_READFUNCTION callback function continues to be called past the end of the specified CURLFORM_CONTENTSLENGTH amount of data. It is called *EXACTLY* enough to overwrite the ending "\r\n-----mimeboundary----\r\n" section and if I continue filling data in that spot the resulting HTTPS POST arrives at the destination server with my extra over-written data exactly where the MIME boundary should have been (and no extra bytes, just exactly enough to not crash but to over-write the MIME boundary and stop).

I was able to work around this easily by having my code remember the CURLFORM_CONTENTSLENGTH in my own private variable and stop filling data at the correct moment when I had filled out exactly CURLFORM_CONTENTSLENGTH and return "0" after that when the CURLOPT_READFUNCTION callback is called again (as specified in the libCURL manual when you want to prematurely stop a current transfer).

Below are snippets of code I think show how I am calling libCURL to reproduce this. As a side note, I LOVE libCURL, thanks so much for the good work! And this bug report is not a complaint, as I mentioned my bugs are all worked around, just trying to contribute back a little.

-- Brian

------- CUT HERE for code snippets -------

struct curl_httppost *thePost=NULL;
struct curl_httppost *theLast=NULL;
...
curl_easy_setopt(ch, CURLOPT_READDATA, &myReadData);
curl_easy_setopt(ch, CURLOPT_READFUNCTION, myCallback);
....
curl_formadd(&thePost, &theLast,
    CURLFORM_COPYNAME, "oneMimePart",
    CURLFORM_COPYCONTENTS, "example1", CURLFORM_END);
curl_formadd(&thePost, &theLast,
    CURLFORM_COPYNAME, "twoMimePart",
    CURLFORM_COPYCONTENTS, "example2", CURLFORM_END);
curl_formadd(&thePost, &theLast,
    CURLFORM_COPYNAME, "finalMimePart",
    CURLFORM_CONTENTTYPE, "binary",
    CURLFORM_FILENAME, "foo.zip",
    CURLFORM_STREAM, &myReadData,
    CURLFORM_CONTENTSLENGTH, numBytesInDataToPost,
    CURLFORM_END);

curl_easy_setopt(ch, CURLOPT_HTTPPOST, thePost);
curl_easy_perform(ch);
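
The workaround described in the report above, written out as an added example (not code from the report or from libcurl): a read callback that remembers the declared length itself, never hands out more than that, and returns 0 on every later call. The struct, the function names and the 400-byte sample payload are assumptions made for illustration; the callback uses the CURLOPT_READFUNCTION signature but the block does not link against libcurl.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical per-upload state; the names are assumptions, not from the report. */
struct bounded_source {
    const char *data;     /* start of the payload */
    size_t      declared; /* same value given as CURLFORM_CONTENTSLENGTH */
    size_t      sent;     /* bytes handed out so far */
};

/* Same signature as a CURLOPT_READFUNCTION callback. Never copies more than
   `declared` bytes in total, then returns 0 on every later call. */
size_t bounded_read_cb(char *buffer, size_t size, size_t nitems, void *userdata)
{
    struct bounded_source *src = userdata;
    size_t room, left;
    if (src == NULL || buffer == NULL || size == 0 || nitems == 0)
        return 0;
    /* size * nitems can wrap; clamp instead of overflowing */
    room = (nitems > (size_t)-1 / size) ? (size_t)-1 : size * nitems;
    if (src->sent >= src->declared)
        return 0;                      /* declared length reached: stop */
    left = src->declared - src->sent;
    if (left > room)
        left = room;
    memcpy(buffer, src->data + src->sent, left);
    src->sent += left;
    return left;
}

/* Constructed stand-in for a caller that keeps asking past the end:
   invokes the callback `calls` times and returns the total bytes produced. */
size_t drive_callback(struct bounded_source *src, size_t chunk, int calls)
{
    char buf[64];
    size_t total = 0;
    if (chunk > sizeof buf) chunk = sizeof buf;
    for (int i = 0; i < calls; i++)
        total += bounded_read_cb(buf, 1, chunk, src);
    return total;
}

int main(void)
{
    static char payload[400];          /* constructed sample payload */
    struct bounded_source s = { payload, sizeof payload, 0 };
    printf("%lu\n", (unsigned long)drive_callback(&s, 64, 10));
}
```

Because the bound lives in the callback's own state, the source buffer is never read past its end no matter how many times the caller invokes it.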

----------------------------------------------------------------------

Comment By: Daniel Stenberg (bagder)
Date: 2009-01-26 14:33

Message:
I can't repeat the problem. I uploaded "dump-2525347" that shows the output
when I run it against my localhost and all mime boundaries are in there...

----------------------------------------------------------------------

Comment By: Brian Wilson (brianwski)
Date: 2009-01-23 01:23

Message:
Final version, I promise. I forgot to declare one variable in the test
code. -- BrianW
File Added: 2525347_brianw_fixed_final.c

----------------------------------------------------------------------

Comment By: Brian Wilson (brianwski)
Date: 2009-01-23 01:20

Message:
Removing bad source code example -- BrianW

----------------------------------------------------------------------

Comment By: Brian Wilson (brianwski)
Date: 2009-01-23 01:19

Message:
Wait, don't use the previous one, I fixed up one more thing and here is the
correct file. -- BrianW
File Added: 2525347_brianw_fixed.c

----------------------------------------------------------------------

Comment By: Brian Wilson (brianwski)
Date: 2009-01-23 01:16

Message:
I added just a few lines to your code example that show the problem (see
newly attached source file). You can search for "brianw" in the code. I
added a global counter showing how many bytes had been copied by your
example showing it goes way over the 400 byte buffer. I then added
(commented out in the code) my work-around
that when it reaches the correct 400 byte limit it stops. -- BrianW
File Added: 2525347_brianw.c

----------------------------------------------------------------------

Comment By: Daniel Stenberg (bagder)
Date: 2009-01-21 23:23

Message:
Well, I tried to write up a complete example that repeats this as far as
I've understood it but failed. My app code is now attached to this report.

Can you please edit/adjust/extend that code so that it repeats this
problem? It'll help me understand it properly and make the right fixes.

----------------------------------------------------------------------

Received on 2009-01-26
