#Email will always be plain #text.

But some companies ...

Return-Path: <bounces-456@bouncesp.monster.com>
Received: [...]
Subject: [...]
To: [...]
Content-Type: multipart/alternative; boundary="_----9kSRfd7Enun64iOZEIFzXw===_B6/5E-12157-1C57EE76"
[...]

--_----9kSRfd7Enun64iOZEIFzXw===_B6/5E-12157-1C57EE76
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

--_----9kSRfd7Enun64iOZEIFzXw===_B6/5E-12157-1C57EE76
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="UTF-8"

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org=
[...]

Well played, Monster / monster.com.

#PlainText #rfc822 #MIME #multipart #incompetence #testing #rfc2822 #rfc2045 #rfc2046 #rfc1341 #MultipartAlternative

TIL Network protocols Sans I/O ⚡

“… network protocol implementations written in Python that perform no I/O (this means libraries that operate directly on text or bytes; this excludes libraries that just abstract out I/O).” 🤯

Read the reference page 👇
https://sans-io.readthedocs.io/

#Reusability #Python #FastCGI #HTTP2 #H11 #IRC #OAuth2 #OAuthLib #WebSocket #SOCKS5 #RFC2217 #SerialOverIP #EPICS #FIX #QUIC #LanguageServerProtocol #SMTP #DBus #ThorlabsAPT #Matrix #SSL #TLS #CPython #multipart #formdata

My #Python #multipart form-data #parser #benchmark got an upgrade: new test scenario, new library, and lots of version updates -> https://github.com/defnull/multipart_bench#benchmark-for-python-multipartform-data-parsers

Video on the latest research of @themiddle.

https://youtu.be/CxLPZDtr-d0

#cybersecurity #security #infosec #hacking #appsec #applicationsecurity #waf #webapplicationfirewall #multipart #fileupload #bypass

Breaking Down Multipart Parsers: File upload validation bypass - @themiddle

https://blog.sicuranext.com/breaking-down-multipart-parsers-validation-bypass/

#cybersecurity #security #infosec #hacking #appsec #applicationsecurity #waf #webapplicationfirewall #multipart #fileupload #bypass

I get the feeling that many web #API designers avoid #multipart file uploads because in most frameworks and also client libraries, it sucks. But it does not have to. It's actually the best we have to transfer multiple files in one request and also quite efficient when using a sane parser or modern browsers. It just has a bad reputation from complicated and slow parsers written for emails that have to carry decades of technical depth. Modern HTML5 multipart/form-data is not the same thing.

A mówiłem sobie, że będę pisał ogólnie o problemach, zamiast pokazywać palcami konkretne projekty, ale takie podejście zdaje się mieć więcej sensu przy pomyłkach niż przy celowym, szkodliwym zachowaniu. Tak więc…

Tasiemiec się ciągnie. Dwie paczki na #PyPI, #multipart i python-multipart, roszczą sobie prawa do nazwy modułu Pythona "multipart". Autorzy obydwu argumentują, każdy na swoją korzyść, żaden nie chce ustąpić, a ostatecznie proponują ten sam kompromis: włączanie zależności w kod. Z tą tylko różnicą, że jeden sugeruje, że kiedyś włączy swoją wersję w swoją popularną paczkę (w bliżej nieokreślonej przyszłości), a drugi sugeruje, by inne paczki w międzyczasie włączały potrzebną im wersję.

Mamy tu całkiem sporą szkodę. Najpierw ludzie zaczynają używać w swoim projekcie jednej z paczek. Następnie dowiadują się, że właśnie wprowadzili konflikt zależności. I jedyne wyjście z sytuacji, to włączyć jakąś wersję jednej z paczek. A pewnego dnia powstały bajzel będzie trzeba uprzątnąć.

Rzecz jasna, pojawia się już poszukiwanie rozwiązań technicznych na ten problem natury osobowej. Myślę, że sam zmienię nazwę w #Gentoo, i połatam wsteczne zależności, żeby już teraz móc zacząć pozbywać się włączanych zależności. Co za bajzel.

Na marginesie: jeżeli używacie teraz #starlette, możecie chcieć rozważyć bardziej przyjazne dla ekosystemu alternatywy.

https://github.com/pypa/packaging-problems/issues/818

#Python

I've told myself that I'm going to point out generic issues rather than point fingers at specific projects, but I guess that makes more sense for mistakes rather than deliberate harmful behavior, so…

The drama continues. The #multipart and python-multipart #PyPI packages both claim the #Python import name of "multipart". Both have arguments for their claims, both refuse to step down, and unsurprisingly, both reach the same compromise: vendoring. Except that one says they're eventually going to vendor it in their popular package (at some future time), while the other tells everyone to vendor the other package in the meantime.

The damage is quite deep here. First, people start using one of the packages. Then they learn that they've just introduced a potential dependency conflict. And the only thing that they can do now is start vendoring an arbitrary version of the package. And one day, someone will have to clean this mess up.

And of course, people are now looking for technical solutions to this disturbing social problem. In fact, I'll probably end up going for the rename-and-patch approach in #Gentoo to start unvendoring immediately. What a mess.

The bottom line is: if you're using #starlette, you may want to reconsider.

https://github.com/pypa/packaging-problems/issues/818

I rewrote my #foss implementation of a #python #multipart form data parser as a #sansio (push based #nonblocking ) parser, and it is now not only suitable for #async applications, but also 2x to10x faster than the old (blocking) implementation. Was a ton of work, but totally worth it. Release will follow later this week.

https://github.com/defnull/multipart/pull/52

How to patch Polka¹ so you can use express-busboy² with it:

https://github.com/lukeed/polka/issues/193

¹ https://www.npmjs.com/package/polka
² https://www.npmjs.com/package/express-busboy

#NodeJS #Polka #expressBusboy #JavaScript #JS #form #multipart

#TodayILearned that the new #Java11 #java.net.http #HttpClient and #HttpRequest are not equipped to handle multipart/form-data out of the box. One has to generate and add their own form boundaries.

This is a problem for those of us who never needed to know the #HTTP/1.1 and #Multipart RFCs by heart, and had hoped that the tools built into the programming language's ecosystem would handle common use cases.

Which HTTP component do you use for multipart/form-data?