does not preserve Content-type of multipart non-file data

Ok, that sounds a bit complex, but basically if you have data such as

POST https://someurl
Content-Length: 503
Content-Type: multipart/form-data; boundary=xYzZY

Content-Disposition: form-data; name=”someFile”; filename=”somefile”
Content-Type: text/plain

lines in

Content-Disposition: form-data; name=”otherFile”; filename=”otherfile”
Content-Type: text/plain

lines in


Content-Disposition: form-data; name=”RegularData”
Content-Type: text/xml

<Parameter2>value number two</Parameter2>

and you use to process it, there is NO WHERE in the query object returned by CGI->new that stores the fact that RegularData is Content-type: text/xml. You can see this in the code here:

if ( ( !defined($filename) || $filename eq '' ) && !$multipart ) {
my($value) = $buffer->readBody;
$value .= $TAINTED;

The only place that knew about the Content-type: text/xml was in %header, a local variable that goes out of scope when we go to the next parameter.

Not a huge deal, but sometimes it matters...could patch, use some other method of parsing the multipart data, or guess the format by inspection...probably I'll be lazy and inspect the data.

This is for version 3.51 and 3.60

Leave a Reply