20668 2008-09-05 09:58:18 -0700 multipart/form-data does not always include Content-type for submitted files 2008-09-08 09:23:53 -0700 1 1 1 Unclassified WebKit Forms 525.x (Safari 3.1) All All RESOLVED FIXED P2 Normal --- 1 z3gator ap ap oldest_to_newest 90277 0 z3gator 2008-09-05 09:58:18 -0700 This was observed using Safari on Mac OS X 10.4 and Windows XP, and Google Chrome on Windows XP, so it is believed to be common to all platforms. The fundamental problem is that the Content-type for a file submitted using input type=file is not set if the file type (extension?) is not "recognized" (sorry, but I don't know what determines exactly when it will be set and when it will not). For example, submitting an Excel (*.xls) file from a client that does not have Excel installed results in the file data being sent with no Content-type specified. Other browsers set the Content-type to application/octec-stream in this case, and my interpretation of the spec implies that is the correct behavior. One serious implication of this flaw is that the Struts2 FileUploadInterceptor expects the Content-type to be set for each uploaded file, and when it is missing, the interceptor emits an error and fails to set any of the parameters that are later expected/used by the Struts2 action class to process the file(s). The net result is that users using applications built on Struts2 are not able to upload files using webkit-based browsers. 90279 1 z3gator 2008-09-05 10:06:06 -0700 (In reply to comment #0) > ... application/octec-stream ... should read application/octet-stream 90507 2 ap 2008-09-08 04:53:07 -0700 Are there any examples of such applications on he Web to test with? Would it be possible for you to make a test case? 90527 3 z3gator 2008-09-08 06:46:08 -0700 I'm sorry, but the application I'm working with now is not exposed externally, and I don't have a framework to test webkit. I was hoping webkit contained some existing tests for multipart/form-data inputs that could be extended to test this situation (i.e. send a file of "unknown" content-type to confirm that Content-type: application/octet-stream is not sent for that file). 90539 4 23259 ap 2008-09-08 07:54:13 -0700 Created attachment 23259 test case (a CGI for Apache) Unfortunately, I don't think that we have any infrastructure for testing file uploads yet. I made a custom test, and can confirm the issue. 90542 5 23261 ap 2008-09-08 08:03:51 -0700 Created attachment 23261 proposed fix 90543 6 23261 darin 2008-09-08 08:29:19 -0700 Comment on attachment 23261 proposed fix r=me I wish there was a cleaner idiom for "not empty". 90547 7 ap 2008-09-08 09:23:53 -0700 Committed in <http://trac.webkit.org/changeset/36269>. 23259 2008-09-08 07:54:13 -0700 2008-09-08 07:54:13 -0700 test case (a CGI for Apache) 20668.cgi text/plain 402 ap IyEvdXNyL2Jpbi9wZXJsIC13CgpwcmludCAiQ29udGVudC10eXBlOiB0ZXh0L2h0bWxcblxuIjsg CgppZiAoJEVOVnsnUkVRVUVTVF9NRVRIT0QnfSBlcSAiUE9TVCIpIHsKICAgIHJlYWQoU1RESU4s ICRyZXF1ZXN0LCAkRU5WeydDT05URU5UX0xFTkdUSCd9KSB8fCBkaWUgIkNvdWxkIG5vdCBnZXQg cXVlcnlcbiI7CiAgICBwcmludCAiPHByZT4kcmVxdWVzdDwvcHJlPiI7Cn0gZWxzZSB7CiAgICBw cmludCA8PEVPRgo8Zm9ybSBhY3Rpb249InBvc3QtZWNoby5jZ2kiIG1ldGhvZD1wb3N0IGVuY3R5 cGU9Im11bHRpcGFydC9mb3JtLWRhdGEiPgo8aW5wdXQgdHlwZT1maWxlIG5hbWU9ZmlsZT4KPGlu cHV0IHR5cGU9dGV4dCBuYW1lPXRleHQ+CjxpbnB1dCB0eXBlPXN1Ym1pdD4KPC9mb3JtPgpFT0YK fSAK 23261 2008-09-08 08:03:51 -0700 2008-09-08 08:29:19 -0700 proposed fix 20668r1_patch.txt text/plain 1832 ap SW5kZXg6IFdlYkNvcmUvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvQ2hhbmdlTG9n CShyZXZpc2lvbiAzNjI2OCkKKysrIFdlYkNvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBA IC0xLDMgKzEsMTcgQEAKKzIwMDgtMDktMDggIEFsZXhleSBQcm9za3VyeWFrb3YgIDxhcEB3ZWJr aXQub3JnPgorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAg IGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0yMDY2OAorICAgICAgICBt dWx0aXBhcnQvZm9ybS1kYXRhIGRvZXMgbm90IGFsd2F5cyBpbmNsdWRlIENvbnRlbnQtdHlwZSBm b3Igc3VibWl0dGVkIGZpbGVzCisKKyAgICAgICAgQ2Fubm90IGJlIHRlc3RlZCB3aXRoIERSVCBv ciBtYW51YWwgdGVzdHMuCisKKyAgICAgICAgKiBwbGF0Zm9ybS9NSU1FVHlwZVJlZ2lzdHJ5LmNw cDoKKyAgICAgICAgKFdlYkNvcmU6OmluaXRpYWxpemVTdXBwb3J0ZWROb25JbWFnZU1pbWVUeXBl cyk6IEZpeCBzcGFjaW5nLgorICAgICAgICAoV2ViQ29yZTo6TUlNRVR5cGVSZWdpc3RyeTo6Z2V0 TUlNRVR5cGVGb3JQYXRoKTogRGVmYXVsdCB0byBhcHBsaWNhdGlvbi9vY3RldC1zdHJlYW0gZm9y CisgICAgICAgIHVua25vd24gZXh0ZW5zaW9ucywgbm90IGp1c3QgbWlzc2luZyBvbmVzLgorCiAy MDA4LTA5LTA4ICBTaW1vbiBIYXVzbWFubiAgPGhhdXNtYW5uQHdlYmtpdC5vcmc+CiAKICAgICAg ICAgQnVpbGQgZml4IGZvciB0aGUgUXQvV2luZG93cyBidWlsZCwgZGVmaW5lIFVTRV9KU0MgdG8K SW5kZXg6IFdlYkNvcmUvcGxhdGZvcm0vTUlNRVR5cGVSZWdpc3RyeS5jcHAKPT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQot LS0gV2ViQ29yZS9wbGF0Zm9ybS9NSU1FVHlwZVJlZ2lzdHJ5LmNwcAkocmV2aXNpb24gMzYyNjQp CisrKyBXZWJDb3JlL3BsYXRmb3JtL01JTUVUeXBlUmVnaXN0cnkuY3BwCSh3b3JraW5nIGNvcHkp CkBAIC0xODksMTAgKzE4OSwxMCBAQCBzdGF0aWMgdm9pZCBpbml0aWFsaXplU3VwcG9ydGVkTm9u SW1hZ2VNCiAgICAgICAgICJhcHBsaWNhdGlvbi9yc3MreG1sIiwKICAgICAgICAgImFwcGxpY2F0 aW9uL2F0b20reG1sIiwKICNpZiBFTkFCTEUoU1ZHKQotICAgICAgImltYWdlL3N2Zyt4bWwiLAor ICAgICAgICAiaW1hZ2Uvc3ZnK3htbCIsCiAjZW5kaWYKICNpZiBFTkFCTEUoRlRQRElSKQotICAg ICAgImFwcGxpY2F0aW9uL3gtZnRwLWRpcmVjdG9yeSIsCisgICAgICAgICJhcHBsaWNhdGlvbi94 LWZ0cC1kaXJlY3RvcnkiLAogI2VuZGlmCiAgICAgICAgICJtdWx0aXBhcnQveC1taXhlZC1yZXBs YWNlIgogICAgIH07CkBAIC0yMjgsNyArMjI4LDkgQEAgU3RyaW5nIE1JTUVUeXBlUmVnaXN0cnk6 OmdldE1JTUVUeXBlRm9yUAogICAgIGludCBwb3MgPSBwYXRoLnJldmVyc2VGaW5kKCcuJyk7CiAg ICAgaWYgKHBvcyA+PSAwKSB7CiAgICAgICAgIFN0cmluZyBleHRlbnNpb24gPSBwYXRoLnN1YnN0 cmluZyhwb3MgKyAxKTsKLSAgICAgICAgcmV0dXJuIGdldE1JTUVUeXBlRm9yRXh0ZW5zaW9uKGV4 dGVuc2lvbik7CisgICAgICAgIFN0cmluZyByZXN1bHQgPSBnZXRNSU1FVHlwZUZvckV4dGVuc2lv bihleHRlbnNpb24pOworICAgICAgICBpZiAocmVzdWx0Lmxlbmd0aCgpKQorICAgICAgICAgICAg cmV0dXJuIHJlc3VsdDsKICAgICB9CiAgICAgcmV0dXJuICJhcHBsaWNhdGlvbi9vY3RldC1zdHJl YW0iOwogfQo=