Re: Problem uploading (some) HTML files with PL/SQL Gateway

From: Mark C. Stock <mcstockX_at_Xenquery>
Date: Tue, 27 Jan 2004 16:53:22 -0500
Message-ID: <3oOdnWYfp_lyQIvdRVn-jA_at_comcast.com>


"Andy Hardy" <junkmail_at_[127.0.0.1]> wrote in message news:AAT8sLBU$rFAFwCv_at_[127.0.0.1]...
| In message <n7KdncvOQY3BDIjdRVn-sA_at_comcast.com> , Mark C. Stock
| <mcstockX_at_Xenquery.com> writes
| >It appears that the PL/SQL gateway document upload cannot (or will not)
| >upload a file that appears to have an HTML anchor in it (although extra
| >whitespace does spoof it, if indeed, it's rejecting the file on purpose).
| >
| >After a lot of testing, I ended up with this fragment of HTML that causes
| >the PL/SQL Gateway upload routine to fail:
| >
| ><a href="javascript:alert('set all');"><small><em>All</em></small></a></td>
| >
| >get rid of the '<' or the '=', and the file loads with no problem.
| >
| >Has anybody else experienced this or is anybody aware of any documentation on
| >this?
| >
|
| In what way does it 'fail'? I've not had the same problems, but have
| been surprised at the 'document parts' not being uploaded - the
| documentation makes it sound as if the embedded links turn up as
| documents in their own right into the 'documents parts' table... but
| they don't...
|
| --
| Andy Hardy. PGP ID: 0xA62A4849

well, it fails totally and gracelessly --

here's the test proc modified from the PL/SQL Gateway manual's example:




procedure simple_upload_test (
    file in varchar2 default null
    )
is
begin

 htp.p('<html>');
 htp.p('<head>');
 htp.p('<title>test upload</title>');
 htp.p('</head>');
 htp.p('<body>');

 -- report the value passed in for the file field, if any
 if file is not null
 then
  htp.p('<p>File uploaded: ' || file ||'</p>');
 end if;

 -- the form posts back to this same procedure
 htp.p('<FORM enctype="multipart/form-data"');
 htp.p('action="simple_upload_test"');
 htp.p('method="POST">');
 htp.p('<table>');
 htp.p('<tr><td>File to upload:<td><INPUT type="file" name="file">');
 htp.p('<tr><td><td><INPUT type="submit" value="Upload">');
 htp.p('</table>');
 htp.p('</FORM>');
 htp.p('</body>');
 htp.p('</html>');

end simple_upload_test;




notice that the procedure calls itself via the form action

if you create a file with the content noted in the OP, it will result in HTTP 404, referencing 'simple_upload_test' in the URL -- which is the gateway's way of telling you that either the file upload procedure failed or the call to the specified URL had incorrect parameters or was just totally bogus.

however, taking out the '<' in the '<a....>' tag or the '=' in the 'href' attribute allows the file to be uploaded without incident

versions:

mod_plsql v3.0.9.0.7 in the 8.1.7 (local w2k test environment) and above (sorry, can't get the exact version on my client's server until thursday -- but i believe it's 9iAS r2, database is 9.2.0.2.0)

  • mcs
Received on Tue Jan 27 2004 - 22:53:22 CET
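
To repeat the comparison described above against your own test gateway, the following added example (not part of the original post, nor Oracle's code) builds the three uploads as multipart/form-data for the form's 'file' field and reports the HTTP status of each. The file name test.html, the text/html part type and the target URL are assumptions.

```python
import sys
import urllib.error
import urllib.request
import uuid

# Fragment from the post; the wrapped 'set' / 'all' is rejoined with one space (assumption).
FRAGMENT = "<a href=\"javascript:alert('set all');\"><small><em>All</em></small></a></td>"
# The original plus the two edits the post says let the upload through.
VARIANTS = {
    "original": FRAGMENT,
    "no_lt": FRAGMENT.replace("<a", "a", 1),        # drop the '<' of the <a ...> tag
    "no_eq": FRAGMENT.replace("href=", "href", 1),  # drop the '=' of the href attribute
}

def multipart_body(content, field="file", filename="test.html"):
    """Return (content_type, body) for a one-file multipart/form-data POST."""
    boundary = "----repro" + uuid.uuid4().hex
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: text/html\r\n\r\n"
    )
    body = head.encode() + content.encode() + f"\r\n--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", body

def upload_status(url, content):
    """POST one variant; return the HTTP status (the post reports 404 on failure)."""
    ctype, body = multipart_body(content)
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": ctype})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def run_matrix(url):
    """Map variant name -> HTTP status so the three uploads can be compared."""
    return {name: upload_status(url, text) for name, text in VARIANTS.items()}

if __name__ == "__main__" and len(sys.argv) == 2:
    # argv[1]: URL of simple_upload_test on your own test gateway (not given in the post).
    for name, status in run_matrix(sys.argv[1]).items():
        print(f"{name:9} {status}")
```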
