curl-users

Re: curl damages form data if read from stdin

From: Stefan Klinger <all-lists_at_stefan-klinger.de>
Date: Thu, 16 Jul 2009 20:43:06 +0200

On 16 July 2009, Ralph Mitchell wrote with possible deletions:
> On Thu, Jul 16, 2009 at 9:05 AM, Stefan Klinger <all-lists_at_stefan-klinger.de
> > I observe the following strange behavior: When form data is passed via
> > stdin, a full-stop '.' is appended. This did not happen in a previous
> > version. Hard to track down if you pass the password this way.
> >
> > $ echo foontastic | curl --trace-ascii /tmp/trace -o /tmp/response -F 'foo=<-' -F 'bar=barracuda' [url removed]
> >
> > $ cat /tmp/trace
> > [...]
> > 00d4: Content-Type: multipart/form-data; boundary=--------------------
> > 0114: --------6fff571500e0
> > 012a:
> > <= Recv header, 23 bytes (0x17)
> > 0000: HTTP/1.1 100 Continue
> > => Send data, 250 bytes (0xfa)
> > 0000: ------------------------------6fff571500e0
> > 002c: Content-Disposition: form-data; name="foo"
> > 0058:
> > 005a: foontastic.
> > 0067: ------------------------------6fff571500e0
> > 0093: Content-Disposition: form-data; name="bar"
> > 00bf:
> > 00c1: barracuda
> > 00cc: ------------------------------6fff571500e0--
> > [...]

> Are you sure that's a full-stop and not just a non-printable character, such
> as a newline?? I tried your curl command line and got the same results, but
> when I told 'echo' not to output the trailing newline, I saw 'foontastic'
> without the full-stop.
>
> echo -n foontastic | curl ...........
>
> Ralph Mitchell

You are right, it's the newline. This can be seen by using '--trace' instead of '--trace-ascii'. Sorry for that.

$ echo foontastic | curl --trace /tmp/trace -o /tmp/response -F'foo=<-' -F 'bar=barracuda' [...]
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
119   478    0   228  125   250   3364   3689 --:--:-- --:--:-- --:--:--  5681
$ cat /tmp/trace
[...]
0050: 3d 22 66 6f 6f 22 0d 0a 0d 0a 66 6f 6f 6e 74 61 ="foo"....foonta
0060: 73 74 69 63 0a 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d stic...---------
[...]

And, yes, it is perfectly sane to add this newline to the output data.

I stumbled over this because I used to pass a password to some site this way, and it suddenly stopped working, complaining about invalid login. So either these guys are now more picky about a trailing newline in the password, or this newline-adding is new in curl. But anyway, I have fixed my script now, omitting the trailing newline. Thanks!

Thank you!
Stefan

-- 
Stefan Klinger                                      o/klettern
                                                    /\/  bis zum
send plaintext only - max size 32kB - no spam         \   Abfallen
http://stefan-klinger.de
Received on 2009-07-16
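
Added example, not part of the original mail: a small shell check that reproduces the thread's finding offline by inspecting the bytes a pipeline would hand to `-F 'foo=<-'`, once as hex and once rendered the way the ASCII trace displays them. The helper names (`stdin_hex`, `stdin_ascii`, `ends_with_newline`) are made up for this example, and the value is the sample from the thread.

```shell
#!/bin/sh
# Constructed sample value, taken from the thread; not a real secret.
secret='foontastic'

# Hex of every byte arriving on stdin, i.e. exactly what a
# form field read with -F 'foo=<-' would contain.
stdin_hex() {
    od -An -tx1 | tr -d ' \n'
}

# Render stdin like an ASCII trace: printable bytes as they are,
# every other byte (including the line feed 0x0a) as '.'.
stdin_ascii() {
    LC_ALL=C tr -c '[:print:]' '.'
}

# Succeeds (exit 0) if the last byte on stdin is a line feed.
ends_with_newline() {
    [ "$(tail -c 1 | od -An -tx1 | tr -d ' \n')" = "0a" ]
}

# echo appends a line feed; printf '%s' writes the value and nothing else.
echo "echo   hex:   $(echo "$secret" | stdin_hex)"
echo "echo   ascii: $(echo "$secret" | stdin_ascii)"
echo "printf hex:   $(printf '%s' "$secret" | stdin_hex)"

# Guard for a script: check the bytes before they are piped on.
if echo "$secret" | ends_with_newline; then
    echo "warning: value ends in a line feed, the server will see it" >&2
fi

# The upload itself would then be (URL elided as in the thread):
#   printf '%s' "$secret" | curl -F 'foo=<-' -F 'bar=barracuda' [url removed]
```

`printf '%s'` is used instead of `echo -n` because the handling of `-n` differs between `echo` implementations.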