I'm studying about Content-Type header and in multipart section, I could find this sentence from developer.mozilla(link).
boundary
For multipart entities the boundary directive is required, which consists of 1 to 70 characters from a set of characters known to be very robust through email gateways, and not ending with white space. It is used to encapsulate...
As I know, "email gateway" is a type of email server that protects server. And I cannot understand what does robust through email gateway means. What does it mean?
Related
I am writing an email DKIM signature verifier program in java. My problem is a special case:
1 – I don't have any issue in creating body hash. My problem is in signing canonicalized header.
2 – I use a gmail account to created test emails and I verify their header signature properly in many cases. But only some special scenarios fail. I do many tests and recognized when 'h' tag in ' DKIM-Signature' header has 2 lines, signature verification fails.
This is an example of failing header:
...
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20161025;
h=mime-version:references:in-reply-to:from:date:message-id:subject:to
:cc;
...
For clarification I guess my problem is here :
h=mime-version:references:in-reply-to:from:date:message-id:subject:to
:cc;
Every time 'h' tag unfolded to 2 lines verification fails. I am familiar with line unfolding rules and I can correctly verify signature of headers that unfolded in other positions.
After header canonicalization, the content that should verify signature is:
...
dkim-signature:v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to:cc; bh=pr1Zv1pbjuW/HrdQ6zZ5mYq51Bi+uidXLGOQ265rvEs=; b=
I test many scenarios to modify signing content, hope to correctly verification, include inserting a 'space' in line folding position and signing content become such as :
... h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; ...
I know my question is very specific. But hope someone have experience in DKIM signing and its special cases.
Note that the DKIM header you posted is incomplete (bh and b tag missing).
But the second (relaxed) canonicalization of the DKIM header there you added a space in ...:to :cc;... should be correct. If it still does not verify, take a closer look at the rest of the signed headers too. Maybe there is another error.
The unfolding itself does not remove any whitespace besides the CRLF. From https://www.rfc-editor.org/rfc/rfc5322#section-2.2.3
Unfolding is accomplished by simply removing any CRLF
that is immediately followed by WSP.
So after the unfloding, you are left with ...:to :cc;...
In the next step, this is reduced to a single space,
as per https://www.rfc-editor.org/rfc/rfc6376#section-3.4.2
Convert all sequences of one or more WSP characters to a single SP character.
I am using MSXML2.XMLHTTP60 to send text messages via VBA using a web server. I cannot understand why the € symbol is not displayed when receiving a text message. Other special characters, such as ò,à,è etc are displayed after a conversion function I wrote (for example à is encoded as "%E0"). I suppose that web server is expecting charset iso 8859-1 which doe not support € symbol. Therefore how can I solve this problem?
If your request is a POST request then you can specify header for Content-Type with encoding e.g. like this:
objHTTP.Open "POST", ...
objHTTP.setRequestHeader "Content-Type", "text/html; charset=utf-8"
But for GET request the URL with possible query string parameters will be encoded as ASCII. Read e.g. this post.
Using UTF-8 as your character encoding should solve such problems. It may also remove the need for your conversion function. I'm not sure how to set the encoding in your web server, but that's usually well documented.
I am coding some test software to simulate something like a router. It will send URL requests on behalf of multiple users.
Is there any HTTP GET header field which I can send which the receiving server will always send back to me unchanged in the response so that I can associate the response with a user?
This is test software for use on a local LAN only, so I don't mind misusing a field, just as long as I get it returned unchanged.
according to http 1.1 rfc, response is:
Response = Status-Line ; Section 6.1
*(( general-header ; Section 4.5
| response-header ; Section 6.2
| entity-header ) CRLF) ; Section 7.1
CRLF
[ message-body ] ; Section 7.2
and here is notation:
*rule
The character "*" preceding an element indicates repetition. The
full form is "<n>*<m>element" indicating at least <n> and at most
<m> occurrences of element. Default values are 0 and infinity so
that "*(element)" allows any number, including zero; "1*element"
requires at least one; and "1*2element" allows one or two.
[rule]
Square brackets enclose optional elements; "[foo bar]" is
equivalent to "*1(foo bar)".
so, the only requirement for server is to respond with status code, other components are optional, always, which effectively means there is no requirement to send any header back
also, this contains list of all possible headers, none of them meet your requirements
I'm not sure about http 2.0, maybe somebody could add information about it
I've read conflicting and somewhat ambiguous replies to the question "How is a multipart HTTP request content length calculated?". Specifically I wonder:
What is the precise content range for which the "Content-length" header is calculated?
Are CRLF ("\r\n") octet sequences counted as one or two octets?
Can someone provide a clear example to answer these questions?
How you calculate Content-Length doesn't depend on the status code or media type of the payload; it's the number of bytes on the wire. So, compose your multipart response, count the bytes (and CRLF counts as two), and use that for Content-Length.
See: http://httpwg.org/specs/rfc7230.html#message.body.length
The following live example should hopefully answer the questions.
Perform multipart request with Google's OAuth 2.0 Playground
Google's OAuth 2.0 Playground web page is an excellent way to perform a multipart HTTP request against the Google Drive cloud. You don't have to understand anything about Google Drive to do this -- I'll do all the work for you. We're only interested in the HTTP request and response. Using the Playground, however, will allow you to experiment with multipart and answer other questions, should the need arise.
Create a test file for uploading
I created a local text file called "test-multipart.txt", saved somewhere on my file system. The file is 34 bytes large and looks like this:
We're testing multipart uploading!
Open Google's OAuth 2.0 Playground
We first open Google's OAuth 2.0 Playground in a browser, using the URL https://developers.google.com/oauthplayground/:
Fill in Step 1
Select the Drive API v2 and the "https://www.googleapis.com/auth/drive", and press "Authorize APIs":
Fill in Step 2
Click the "Exchange authorization code for tokens":
Fill in Step 3
Here we give all relevant multipart request information:
Set the HTTP Method to "POST"
There's no need to add any headers, Google's Playground will add everything needed (e.g., headers, boundary sequence, content length)
Request URI: "https://www.googleapis.com/upload/drive/v2/files?uploadType=multipart"
Enter the request body: this is some meta-data JSON required by Google Drive to perform the multipart upload. I used the following:
{"title": "test-multipart.txt", "parents": [{"id":"0B09i2ZH5SsTHTjNtSS9QYUZqdTA"}], "properties": [{"kind": "drive#property", "key": "cloudwrapper", "value": "true"}]}
At the bottom of the "Request Body" screen, choose the test-multipart.txt file for uploading.
Press the "Send the request" button
The request and response
Google's OAuth 2.0 Playground miraculously inserts all required headers, computes the content length, generates a boundary sequence, inserts the boundary string wherever required, and shows us the server's response:
Analysis
The multipart HTTP request succeeded with a 200 status code, so the request and response are good ones we can depend upon. Google's Playground inserted everything we needed to perform the multipart HTTP upload. You can see the "Content-length" is set to 352. Let's look at each line after the blank line following the headers:
--===============0688100289==\r\n
Content-type: application/json\r\n
\r\n
{"title": "test-multipart.txt", "parents": [{"id":"0B09i2ZH5SsTHTjNtSS9QYUZqdTA"}], "properties": [{"kind": "drive#property", "key": "cloudwrapper", "value": "true"}]}\r\n
--===============0688100289==\r\n
Content-type: text/plain\r\n
\r\n
We're testing multipart uploading!\r\n
--===============0688100289==--
There are nine (9) lines, and I have manually added "\r\n" at the end of each of the first eight (8) lines (for readability reasons). Here are the number of octets (characters) in each line:
29 + '\r\n'
30 + '\r\n'
'\r\n'
167 + '\r\n'
29 + '\r\n'
24 + '\r\n'
'\r\n'
34 + '\r\n' (although '\r\n' is not part of the text file, Google inserts it)
31
The sum of the octets is 344, and considering each '\r\n' as a single one-octet sequence gives us the coveted content length of 344 + 8 = 352.
Summary
To summarize the findings:
The multipart request's "Content-length" is computed from the first byte of the boundary sequence following the header section's blank line, and continues until, and includes, the last hyphen of the final boundary sequence.
The '\r\n' sequences should be counted as one (1) octet, not two, regardless of the operating system you're running on.
If an http message has Content-Length header, then this header indicates exact number of bytes that follow after the HTTP headers. If anything decided to freely count \r\n as one byte then everything would fall apart: keep-alive http connections would stop working, as HTTP stack wouldn't be able to see where the next HTTP message starts and would try to parse random data as if it was an HTTP message.
\n\r are two bytes.
Moshe Rubin's answer is wrong. That implementation is bugged there.
I sent a curl request to upload a file, and used WireShark to specifically harvest the exact actual data sent by my network. A methodology that everybody should agree is more valid than on online application somewhere gave me a number.
--------------------------de798c65c334bc76\r\n
Content-Disposition: form-data; name="file"; filename="requireoptions.txt"\r\n
Content-Type: text/plain\r\n
\r\n
Pillow
pyusb
wxPython
ezdxf
opencv-python-headless
\r\n--------------------------de798c65c334bc76--\r\n
Curl, which everybody will agree likely implemented this correctly:
Content-Length: 250
> len("2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d646537393863363563333334626337360d0a436f6e74656e742d446973706f736974696f6e3a20666f726d2d646174613b206e616d653d2266696c65223b2066696c656e616d653d22726571756972656f7074696f6e732e747874220d0a436f6e74656e742d547970653a20746578742f706c61696e0d0a0d0a50696c6c6f770d0a70797573620d0a7778507974686f6e0d0a657a6478660d0a6f70656e63762d707974686f6e2d686561646c6573730d0a2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d646537393863363563333334626337362d2d0d0a")
500
(2x250 = 500, copied the hex stream out of WireShark.)
I took the actual binary there. The '2d' is --- which starts the boundary.
Please note, giving the wrong count to the server treating 0d0a as 1 rather than 2 octets (which is insane they are octets and cannot be compound), actively rejected the request as bad.
Also, this answers the second part of the question. The actual Content Length is everything here. From the first boundary to the last with the epilogue --\r\n, it's all the octets left in the wire.
In an iOS 7 app I'm using NSHTTPCookieStorage to store cookies in the sharedHTTPCookieStorage.
One of the cookies I'm receiving has a name value with the non-ASCII word "Søren" in it. I can see the cookie being set in an HTTP trace, but the cookie held in sharedHTTPCookieStorage is truncated after the "S" in "Søren". None of the subsequent cookies being set in the HTTP response header are stored in sharedCookieStorage. In fact the offending cookie is stored in truncated form twice, almost as if the framework tries to parse it again and then gives up.
RFC2965 states:
NAME=VALUE
REQUIRED. The name of the state information ("cookie") is NAME,
and its value is VALUE. NAMEs that begin with $ are reserved and
MUST NOT be used by applications.
The VALUE is opaque to the user agent and may be anything the
origin server chooses to send, possibly in a server-selected
printable ASCII encoding. "Opaque" implies that the content is of
interest and relevance only to the origin server. The content
may, in fact, be readable by anyone that examines the Set-Cookie2
header.
I'm configuring NSHTTPCookieStorage as follows:
NSHTTPCookieStorage *sharedCookieStorage = [NSHTTPCookieStorage sharedHTTPCookieStorage];
[sharedCookieStorage setCookieAcceptPolicy:(NSHTTPCookieAcceptPolicyAlways)];
I presume this is related to NSHTTPCookieStorage, rather than NSURLResponse. Do I need to do anything additional to handle a UTF-8 cookie name value?