-
Notifications
You must be signed in to change notification settings - Fork 101
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ambiguous definition of Upload-Metadata #124
Comments
Good idea!
The protocol does not define how the metadata values should be used or interpreted. Typically they will be converted to a string but in theory a server could also handle the raw byte array, even though I don't see a practical reason for that.
Both, it's a way for the server to get additional details about an upload from the client as well as a tool for the client to store information together with the upload. |
Ok, understood. However, this does raise the question on what encoding the server (and client) is to expect: if there's nothing specified on how to interpret these bytes, then it must be agreed, probably out-of-band, how the encoding should be. Trying to interpret a Cp1252 encoded string as UTF-8 does not give the expected results and as such it should be possible for the server to tell the client that it has rejected or invalidated the provided metadata.
Ok, aside the encoding question, this does open up a potential other problem: the amount of metadata a client can send. There are no official limitations to the length of a HTTP header, but passing in "any" amount of data that is to be controlled from the client is a potential can of worms. It might be a good idea to limit the maximum length of metadata a client can send to the server. |
You are correct, the client and server should agree on the details outside of the tus protocol. To provide more context: metadata is meant to pass application-specific data from the client to the server. It's not necessarily designed to allow an arbitrary pair of client and server to exchange meta data (that's also why we don't specific and meta data values, such as filename or filetype).
The server can reject the upload creation POST request by responding with a 4XX status code, indicating that the request is invalid.
I am not much concerned about this. Every proper webserver/proxy I am aware of has a limit on how big headers may be which is enabled by default. This should represent a good enough protection against such attacks. |
I find that a bit disappointing. I think at least it should be spec'ed how to indicate the encoding of the value and spec a default encoding. Imagine, the client and server agreed on a metadata key named I think the TUS protocol should refine the definition of the |
I can understand where that opinion is coming from but I don't fully agree with you. Let me try to explain: The entire idea behind the Furthermore, and I am completely open here, I don't know enough about different encoding methods and how they are handled in various environments. Would it be enough to say that they are always UTF-8 encoded? What if we want to transport a bytestream which cannot be UTF-8 encoded? I don't see myself as competent enough to answer those questions and in the past I haven't heard of a single problem that arose from metadata encoding incompatibility. Of course, I am always happy to discuss this and improve the protocol. |
The
Upload-Metadata
header is a bit ill-defined with respect to its encoding: first, it tells that values must be base64 encoded, but there are several variants of base64 encoding. From the code I can deduce that it is using base64 encoding as defined in RFC4648 section 4. To aid interoperability, it might be good to add this detail.In addition, the value represents an array of bytes encoded as base64. How should we interpret this byte array? Is it to be interpreted by the TUS server or only considered of something of value for the TUS client?
The text was updated successfully, but these errors were encountered: