aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--docs/MANUAL7
-rw-r--r--docs/curl.16
-rw-r--r--src/main.c21
-rw-r--r--tests/data/test3912
4 files changed, 38 insertions, 8 deletions
diff --git a/docs/MANUAL b/docs/MANUAL
index 26bb8f65a..86449d7d3 100644
--- a/docs/MANUAL
+++ b/docs/MANUAL
@@ -299,6 +299,13 @@ POST (HTTP)
curl -F "docpicture=@dog.gif" -F "catpicture=@cat.gif"
+ To send a field value literally without interpreting a leading '@'
+ or '<', or an embedded ';type=', use --form-string instead of
+ -F. This is recommended when the value is obtained from a user or
+ some other unpredictable source. Under these circumstances, using
+ -F instead of --form-string would allow a user to trick curl into
+ uploading a file.
+
REFERRER
A HTTP request has the option to include information about which address
diff --git a/docs/curl.1 b/docs/curl.1
index 3b6fb3ce1..f216db68f 100644
--- a/docs/curl.1
+++ b/docs/curl.1
@@ -388,6 +388,12 @@ setting filename=, like this:
See further examples and details in the MANUAL.
This option can be used multiple times.
+.IP "--form-string <name=string>"
+(HTTP) Similar to \fI--form\fP except that the value string for the named
+parameter is used literally. Leading \&'@' and \&'<' characters, and the
+\&';type=' string in the value have no special meaning. Use this in
+preference to \fI--form\fP if there's any possibility that the string value
+may accidentally trigger the \&'@' or \&'<' features of \fI--form\f{.
.IP "-g/--globoff"
This option switches off the "URL globbing parser". When you set this option,
you can specify URLs that contain the letters {}[] without having them being
diff --git a/src/main.c b/src/main.c
index 0565abd42..298d40153 100644
--- a/src/main.c
+++ b/src/main.c
@@ -355,6 +355,7 @@ static void help(void)
" --ftp-pasv Use PASV instead of PORT (F)",
" --ftp-ssl Enable SSL/TLS for the ftp transfer (F)",
" -F/--form <name=content> Specify HTTP multipart POST data (H)",
+ " --form-string <name=string> Specify HTTP multipart POST data (H)",
" -g/--globoff Disable URL sequences and ranges using {} and []",
" -G/--get Send the -d data with a HTTP GET (H)",
" -h/--help This help text",
@@ -774,6 +775,9 @@ static void list_engines (const struct curl_slist *engines)
* Specify files to upload with 'name=@filename'. Supports specified
* given Content-Type of the files. Such as ';type=<content-type>'.
*
+ * If literal_value is set, any initial '@' or '<' in the value string
+ * loses its special meaning, as does any embedded ';type='.
+ *
* You may specify more than one file for a single name (field). Specify
* multiple files by writing it like:
*
@@ -804,7 +808,8 @@ static void list_engines (const struct curl_slist *engines)
static int formparse(char *input,
struct curl_httppost **httppost,
- struct curl_httppost **last_post)
+ struct curl_httppost **last_post,
+ bool literal_value)
{
/* nextarg MUST be a string in the format 'name=contents' and we'll
build a linked list with the info */
@@ -829,7 +834,7 @@ static int formparse(char *input,
}
contp = contents;
- if('@' == contp[0]) {
+ if('@' == contp[0] && !literal_value) {
struct multi_files *multi_start = NULL, *multi_current = NULL;
/* we use the @-letter to indicate file name(s) */
contp++;
@@ -974,7 +979,7 @@ static int formparse(char *input,
else {
struct curl_forms info[4];
int i = 0;
- char *ct = strstr(contp, ";type=");
+ char *ct = literal_value? NULL: strstr(contp, ";type=");
info[i].option = CURLFORM_COPYNAME;
info[i].value = name;
@@ -987,7 +992,7 @@ static int formparse(char *input,
ct[0]=0; /* zero terminate here */
}
- if( contp[0]=='<' ) {
+ if( contp[0]=='<' && !literal_value) {
info[i].option = CURLFORM_FILECONTENT;
info[i].value = contp+1;
i++;
@@ -1280,6 +1285,7 @@ static ParameterError getparameter(char *flag, /* f or -long-flag */
{"Eg","capath ", TRUE},
{"f", "fail", FALSE},
{"F", "form", TRUE},
+ {"Fs","form-string", TRUE},
{"g", "globoff", FALSE},
{"G", "get", FALSE},
{"h", "help", FALSE},
@@ -1361,8 +1367,10 @@ static ParameterError getparameter(char *flag, /* f or -long-flag */
do {
/* we can loop here if we have multiple single-letters */
- if(!longopt)
+ if(!longopt) {
letter = parse?(char)*parse:'\0';
+ subletter='\0';
+ }
else {
letter = parse[0];
subletter = parse[1];
@@ -1833,7 +1841,8 @@ static ParameterError getparameter(char *flag, /* f or -long-flag */
to sort this out slowly and carefully */
if(formparse(nextarg,
&config->httppost,
- &config->last_post))
+ &config->last_post,
+ subletter=='s')) /* 's' means literal string */
return PARAM_BAD_USE;
if(SetHTTPrequest(HTTPREQ_POST, &config->httpreq))
return PARAM_BAD_USE;
diff --git a/tests/data/test39 b/tests/data/test39
index 29f6cc398..7c0028762 100644
--- a/tests/data/test39
+++ b/tests/data/test39
@@ -19,7 +19,7 @@ http
HTTP RFC1867-type formposting with filename= and type=
</name>
<command>
-http://%HOSTIP:%HTTPPORT/we/want/39 -F name=daniel -F tool=curl -F "file=@log/test39.txt;filename=fakerfile;type=moo/foobar" -F file2=@log/test39.txt
+http://%HOSTIP:%HTTPPORT/we/want/39 -F name=daniel -F tool=curl --form-string "str1=@literal" --form-string "str2=<verbatim;type=xxx/yyy" -F "file=@log/test39.txt;filename=fakerfile;type=moo/foobar" -F file2=@log/test39.txt
</command>
# We create this file before the command is invoked!
<file name="log/test39.txt">
@@ -41,7 +41,7 @@ User-Agent: curl/7.10.4 (i686-pc-linux-gnu) libcurl/7.10.4 OpenSSL/0.9.7a ipv6 z
Host: 127.0.0.1:%HTTPPORT
Pragma: no-cache
Accept: */*
-Content-Length: 594
+Content-Length: 810
Expect: 100-continue
Content-Type: multipart/form-data; boundary=----------------------------24e78000bd32
@@ -54,6 +54,14 @@ Content-Disposition: form-data; name="tool"
curl
------------------------------24e78000bd32
+Content-Disposition: form-data; name="str1"
+
+@literal
+------------------------------24e78000bd32
+Content-Disposition: form-data; name="str2"
+
+<verbatim;type=xxx/yyy
+------------------------------24e78000bd32
Content-Disposition: form-data; name="file"; filename="fakerfile"
Content-Type: moo/foobar