
curl-users

Re: How to send a form field value that begins with '@'?

From: David Houlder <david.houlder_at_anu.edu.au>
Date: Fri, 04 Mar 2005 10:29:07 +1100

Kjell Ericson wrote:

> No solution of these are 100% backward compatible. The question is
> which solution that might not be in use:
>
> 1. Is someone posting the string "\@bla"?
> 2. Does someone have a file that starts with the character "@" (my
> cookiefiles contains this letter and is therefore possible).
> 3. Is someone posting quote marks?

Exactly. You can't be sure that they aren't, so probably best to assume that
someone is. The bugs/exploits resulting from this sort of accidental triggering
of escape mechanisms are really hard to track down too, because it typically
only happens to one person, and then only sporadically. My vote is "don't go there".

>
> For backward-compatibility I think about a new flag like this:
>
> curl --form-string name=@string http://somewhere.org
> curl --form-file name=filename http://somewhere.org
>
> Any thoughts?

That's pretty close to what I was thinking. I was thinking something like this

1. Introduce two new options
--literal name=value
--file name=filename

e.g.
curl --form --literal foo1=$bar1 --literal foo2=$bar2 \
    --file foo3contents=$foofile http://somewhere.org

which leaves current usage unaffected. If you don't supply --literal or --file,
the current name=value behaviour applies. The idea is that name=value following
--literal will never honour the escapes. name=value following --file will always
assume that 'value' is a filename (no '@' required). And if you want the current
behaviour, don't use --literal or --file.

2. Introduce flags like
--escapesoff
and
--escapeson
which you can use anywhere to disable and enable the '@' mechanism in a
left-to-right fashion. By default, escapes are on.
e.g.
curl --form --escapesoff foo1=$value_from_user \
    --escapeson foo3contents=@$foofile http://somewhere.org

This might be a bit more succinct. Idea #1 might mean you have heaps of
--literal options in the command line in typical usage.

>
> For backward-compatibility I think about a new flag like this:
>
> curl --form-string name=@string http://somewhere.org
> curl --form-file name=filename http://somewhere.org

Am I right in thinking --form-string never honours the '@' escapes? Sounds OK. I
think you'd want some way of expressing several name=value pairs, some of which
may be files and some of which may be strings, hence my preference for sticking
with --form and qualifying the name=value with --literal or --file (or whatever
option names you think are appropriate).

Any thoughts?
Cheers
David.

-- 
    David.Houlder_at_anu.edu.au         ANU Supercomputer Facility
    Phone: +61 2 6125 0578           and APAC National Facility
    Fax:   +61 2 6125 8199           Leonard Huxley Bldg (No. 56)
                                     Australian National University
                                     Canberra, ACT, 0200, Australia
Received on 2005-03-04
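
Added example, not part of the original message: a POSIX sh sketch of the literal-versus-escape distinction discussed in this thread, assuming a curl that provides the `--form-string` option proposed above. `form_value_kind`, `safe_form_post` and the `CURL` dry-run override are hypothetical names, the field values are constructed, and the `<` prefix is curl's other `-F` file marker, which the thread does not mention.

```shell
#!/bin/sh
# Added example; not code from the thread or from the curl project.

# How a plain `-F name=value` treats a value, judged by its first character.
form_value_kind() {
    case $1 in
        @*)  echo file-upload ;;    # rest of the value names a file to attach
        \<*) echo file-contents ;;  # rest names a file whose contents are sent
        *)   echo literal ;;        # sent as typed
    esac
}

# safe_form_post URL NAME VALUE [NAME VALUE ...]
# Sends every VALUE literally, whatever character it starts with, by passing
# each pair through --form-string instead of -F.
# Set CURL to another command (e.g. echo) for a dry run.
safe_form_post() {
    if [ $# -lt 3 ] || [ $(( $# % 2 )) -ne 1 ]; then
        echo "usage: safe_form_post URL NAME VALUE [NAME VALUE ...]" >&2
        return 2
    fi
    url=$1; shift
    n=$#
    # Rotate the argument list: drop NAME VALUE from the front and append
    # the matching option pair at the back, so values are never re-parsed.
    while [ "$n" -gt 0 ]; do
        case $1 in
            *=*|'') echo "invalid field name: $1" >&2; return 2 ;;
        esac
        pair="$1=$2"
        shift 2
        set -- "$@" --form-string "$pair"
        n=$((n - 2))
    done
    ${CURL:-curl} "$@" --url "$url"
}
```

With `CURL=echo` the function prints the command line it would run, which is a quick way to confirm that a value such as `@bla` stays inside a `--form-string` argument.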