diff --git a/utils.lua b/utils.lua
index 193aed0..0884aee 100644
--- a/utils.lua
+++ b/utils.lua
@@ -77,21 +77,29 @@ end
 --- file upload for the type of the uploaded file.
 --- - Fourthly we assume a field name can't contain a double quote
 _m.parse_form_entry = function(entry)
+ if #entry < 10 then return "", nil, "" end
 local cursor = 3
 local name, ctype
 while true do
+ local oldcursor = cursor
 if entry:sub(cursor, cursor) == "\r" then
 cursor = cursor + 2
 break
 elseif entry:sub(cursor, cursor+18) == 'Content-Disposition' then
 cursor = cursor + 38
 name = string.match(entry, "(.*)\"", cursor)
- cursor = cursor + #name + 1 --[[ the closing quote ]] + 2 --[[ CRLF ]]
+ cursor = cursor + #name + 1 --[[ the closing quote ]]
+ -- Find the end of line
+ while entry:sub(cursor, cursor) ~= "\r" do cursor = cursor + 1 end
+ cursor = cursor + 2
 elseif entry:sub(cursor, cursor+11) == 'Content-Type' then
 cursor = cursor + 14
 ctype = string.match(entry, "(.*)\r", cursor)
- cursor = cursor + #ctype + 2 --[[ CRLF ]]
+ cursor = cursor + #ctype
+ while entry:sub(cursor, cursor) ~= "\r" do cursor = cursor + 1 end
+ cursor = cursor + 2 --[[ CRLF ]]
 end
+ if cursor == oldcursor then print(entry) os.exit(1); end
 end
 return name, ctype, entry:sub(cursor, -1)
 end
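Review bot: The two added scans `while entry:sub(cursor, cursor) ~= "\r" do cursor = cursor + 1 end` never terminate when no `\r` follows the cursor, because `entry:sub` past the end of the string returns `""`; a truncated or malformed part therefore spins forever and the new `cursor == oldcursor` guard is never reached. Bound the scan in both branches, for example `local eol = entry:find("\r", cursor, true)`, then `if not eol then return "", nil, "" end`, then `cursor = eol + 2`. The stall guard itself runs `print(entry)` and `os.exit(1)`, so if entries come from request bodies a single bad part stops the whole process and writes the raw part (possibly uploaded file content) to stdout; returning the same empty triple as the new length check would keep the failure local to that request. The unchanged `string.match` calls can also return nil before `#name` and `#ctype` are taken, which looks worth guarding in the same pass.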