Avoid searching for boundary in file content

Making the boundary string very unlikely to collide with the file to upload allows Dillo to assume it would never be found and avoids the expensive memmem() check. Even if major implementations tend to add several '-' characters to multipart/form-data boundaries, this is not enforced by RFC 2046, so it can be increase to 70 random characters. See: https://lists.mailman3.com/hyperkitty/list/dillo-dev@mailman3.com/thread/VUB5PIOPJZ2VTCVGQPBZMGOYEISTXCFX/
author: Xavier Del Campo Romero <xavi.dcr@tutanota.com> 2024-08-26 01:10:16 +0200
committer: Rodrigo Arias Mallo <rodarima@gmail.com> 2024-09-02 00:21:23 +0200
commit: 38d1620529866dbf638c6fd8a3e8e438b3c6a43c (patch)
tree: ea5e7cda52114c67640636471fafaaf05cbb572d /src
parent: 8a360e32ac3136494a494379a6dbbacef6f95da2 (diff)
2 files changed, 21 insertions, 10 deletions
diff --git a/src/dialog.cc b/src/dialog.cc
index ac007315..0137472b 100644
--- a/src/dialog.cc
+++ b/src/dialog.cc
@@ -14,6 +14,7 @@
  */
 
 #include <math.h> // for rint()
+#include <string.h>
 
 #include <FL/fl_ask.H>
 #include <FL/Fl_Window.H>
diff --git a/src/form.cc b/src/form.cc
index 93bd4864..6e81edf6 100644
--- a/src/form.cc
+++ b/src/form.cc
@@ -1246,6 +1246,24 @@ Dstr *DilloHtmlForm::buildQueryData(DilloHtmlInput *active_submit)
    return DataStr;
 }
 
+static void generate_boundary(Dstr *boundary)
+{
+   for (int i = 0; i < 70; i++) {
+      /* Extracted from RFC 2046, section 5.1.1. */
+      static const char set[] = "abcdefghijklmnopqrstuvwxyz"
+         "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+         "0123456789"
+         "'()+_,-./:=? ";
+      char s[sizeof " "] = {0};
+
+      do {
+         *s = rand();
+      } while (!strspn(s, set));
+
+      dStr_append(boundary, s);
+   }
+}
+
 /**
  * Generate a boundary string for use in separating the parts of a
  * multipart/form-data submission.
@@ -1253,7 +1271,6 @@ Dstr *DilloHtmlForm::buildQueryData(DilloHtmlInput *active_submit)
 char *DilloHtmlForm::makeMultipartBoundary(iconv_t char_encoder,
                                            DilloHtmlInput *active_submit)
 {
-   const int max_tries = 10;
    Dlist *values = dList_new(5);
    Dstr *DataStr = dStr_new("");
    Dstr *boundary = dStr_new("");
@@ -1294,15 +1311,8 @@ char *DilloHtmlForm::makeMultipartBoundary(iconv_t char_encoder,
       }
    }
 
-   /* generate a boundary that is not contained within the data */
-   for (int i = 0; i < max_tries && !ret; i++) {
-      // Firefox-style boundary
-      dStr_sprintf(boundary, "---------------------------%d%d%d",
-                   rand(), rand(), rand());
-      dStr_truncate(boundary, 70);
-      if (dStr_memmem(DataStr, boundary) == NULL)
-         ret = boundary->str;
-   }
+   generate_boundary(boundary);
+   ret = boundary->str;
    dList_free(values);
    dStr_free(DataStr, 1);
    dStr_free(boundary, (ret == NULL));
author	Xavier Del Campo Romero <xavi.dcr@tutanota.com>	2024-08-26 01:10:16 +0200
committer	Rodrigo Arias Mallo <rodarima@gmail.com>	2024-09-02 00:21:23 +0200
commit	38d1620529866dbf638c6fd8a3e8e438b3c6a43c (patch)
tree	ea5e7cda52114c67640636471fafaaf05cbb572d /src
parent	8a360e32ac3136494a494379a6dbbacef6f95da2 (diff)