teohm.dev

I enjoy life, and make stuff for people I care about :)

UTF-8 Param Name Issue in Rails Multipart Form

I first stumbled upon this issue when Yasith (@meaningful) showed me a strange bug in a Rails project. Here’s what happened:

Issue

When submit a multipart form that contains Unicode parameter name e.g.

1
2
3
4
<form method="post" enctype="multipart/form-data" action="">
  <input name="Iñtërnâtiônàlizætiøn_name"
         value="Iñtërnâtiônàlizætiøn_value" />
</form>

Rails controller returns the param value "Iñtërnâtiônàlizætiøn_value" as expected.

But the param name becomes: "I\xC3\xB1t\xC3\xABrn\xC3\xA2ti\xC3\xB4n\xC3\xA0liz\xC3\xA6ti\xC3\xB8n_name".

It makes life miserable, if you are not expecting this to happen:

1
2
params["Iñtërnâtiônàlizætiøn_name"] # => nil
params["I\xC3\xB1t\xC3\xABrn\xC3\xA2ti\xC3\xB4n\xC3\xA0liz\xC3\xA6ti\xC3\xB8n_name"] # => "Iñtërnâtiônàlizætiøn_value"

What happened?

When Rack returns multipart form data to Rails, it returns:

1
2
{ "I\xC3\xB1t\xC3\xABrn\xC3\xA2ti\xC3\xB4n\xC3\xA0liz\xC3\xA6ti\xC3\xB8n_name" =>
  "I\xC3\xB1t\xC3\xABrn\xC3\xA2ti\xC3\xB4n\xC3\xA0liz\xC3\xA6ti\xC3\xB8n_value" }

However, ActionDispatch::Http::Parameters#encode_params in Rails decided to only encode parameter values, but not parameter names. As a result, we get:

1
2
{ "I\xC3\xB1t\xC3\xABrn\xC3\xA2ti\xC3\xB4n\xC3\xA0liz\xC3\xA6ti\xC3\xB8n_name" =>
  "Iñtërnâtiônàlizætiøn_value" }

Solutions?

  1. Don’t use Unicode param name.
  2. Patch Rails source code. I added a fix in my forked branch, and reported the issue. Hopefully it will get fixed soon in the coming release.

Comments