RFC1867 HTTP file upload

Published 1999-05-04

RFC1867 is the standard definition of that "Browse..." button that you use to upload files to a Web server. It introduced the INPUT field type="file", which is that button, and also specified a multipart form encoding which is capable of encapsulating files for upload along with all the other fields on an upload form.

It's not easy to find documentation on how to work with this stuff, though. Partly this is because if you're writing a Perl CGI it's really rather easy to work with, and partly it's due to the fact that Microsoft IIS ASP doesn't (exactly) support RFC1867 file upload. So on the one hand the Unixheads think it's too trivial to document, while the ASP script kiddies think that file upload is the exclusive preserve of genius and guru alike. I.e. Bill doesn't think you need to use it.

If that last sounds overly bitter, it's because I just finished up a really horrible job that involved uploading files to an IIS server. It would have been nice had somebody at Microsoft found file upload a sufficiently significant function to design competently. As it is, IIS 5.0 now provides a "Request.ReadBinary" method that gives you the whole request in plaintext, and graciously allows you to design your own object to read it. Note that VBS has no (easy) ability to read this binary data.

So let's assume for the time being that you're working with some reasonable non-IIS server. How do you really deal with file upload? It turns out to be easy. First, you design your form so that it will actually do an upload. In short, do this:

<form action=/mycode.cgi method=post enctype=multipart/form-data>
  <input type="file">
</form>

In case you were wondering, the standard encoding type for a form is application/x-www-form-urlencoded, and if you leave the multipart enctype out of your form, then Netscape, for one, will not upload the file, it'll just include the filename. If that's what you actually want, this is pretty useful. (However, the RFC leaves behavior in this situation undefined, so you shouldn't rely on any particular behavior. I haven't looked to see what IE does in this situation. Undoubtedly something different.)

So this much information I already knew going into my horrible project, or at least knew of it. That's why I assumed that the server end was just as simple. And as I mentioned, in Perl it isn't much more difficult than retrieving normal posted data is already. It's just that IIS doesn't support multipart/form-data posts, that's all. Oh, Microsoft has a solution of sorts, called the something-or-other manager, and IIS 5.0 is so powerful that this manager thingy is now included right in the service pack with, gee, at least a kilobyte of documentation.

Yeesh. I'm off-track again, aren't I?

OK, so when this post gets to the server, what does it look like? Well, first of all the Content-type header of the request is set to multipart/form-data; boundary=[some stuff]. This is how you can ascertain that you're really dealing with a properly encoded upload post. The boundary value is probably of the form --------------------------------1878979834, where the digits are randomly generated. This boundary is a MIME boundary; it's guaranteed not to appear anywhere in the data except between the multiple parts of the data.

The data itself appears in blocks that are made up of lines separated by CR/LF pairs. It looks like this, more or less:

-------------------------------18788734234
Content-Disposition: form-data; name="nonfile_field"

value here
-------------------------------18788734234
Content-Disposition: form-data; name="myfile"; filename="ad.gif"
Content-Type: image/gif

[ooh -- file contents!]
-------------------------------18788734234--

As you can see, this post isn't from the form I listed above, because I threw in a non-upload field just to show what it looks like. Anyway, you can see where everything is. Note that you get the originating local filename of the document for free in this format, meaning that you can use this to develop a document management system. Actual implementation is left as an exercise for the reader. I'll write more later on this topic, especially if you ask me any questions. Hint, hint.

So a Perl reader for this guy is simple: you iterate on the lines of the input and break on your boundary. Do things with the parts as you find them. I have an extensive example that you can read and use, which you can see here. It works (I'm using it daily) and it's well-documented.

And thus concludes the lesson for today. Go forth and upload files.

LINKS