fixed how array fields are sent in multipart form POSTs #249

Open
ben5516 wants to merge 1 commit into openai:main from ben5516:fix-array-multipart-form-fields

ben5516 commented Feb 20, 2026

This is a naive approach to properly supporting array fields in multipart encoded POST requests.

The issue I was having was that this code was not correctly sending timestamp_granularities to the server (see example):

response = client.audio.transcriptions.create(
  model:                   "whisper-1",
  file:                    File.open(mp3_filepath.to_s, "rb"),
  response_format:         :verbose_json,
  timestamp_granularities: [ :word, :segment ],
  language:                "en"
)

The server is expecting an array field, where the key is timestamp_granularities[]. However, the url_encode sanitization pass encodes the square brackets and the server doesn't decode it. Sanitization should be less aggressive, and only escape LF, CR, ", and \ I believe.

It’s not necessary to url_encode the field keys, and that breaks timestamp_granularities[], among other things
ben5516 requested a review from a team as a code owner February 20, 2026 21:16

chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9d94e79a2b

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

unless key.nil?
name = ERB::Util.url_encode(key.to_s)
y << "; name=\"#{name}\""
y << "; name=\"#{key}\""
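
Review bot: the last line of this hunk interpolates key straight into the quoted name parameter, so a key containing a double quote, a backslash, CR or LF can end the quoted string or the header line early. Keep an escaping step in front of the interpolation instead of dropping ERB::Util.url_encode(key.to_s) outright: for example map CR to %0D, LF to %0A and the double quote to %22 while leaving [ and ] literal, or reject keys containing CR/LF. A spec that sends a key such as timestamp_granularities[] alongside a key containing a quote and a line break would pin both behaviours.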

P2 Badge Escape multipart field names before writing Content-Disposition

Writing key directly into the quoted name parameter allows keys containing ", \, or CR/LF to break the Content-Disposition header syntax and potentially inject extra multipart headers/content when body keys are user-controlled. This line used to percent-encode keys, so the regression is introduced by this commit; even if [] should stay literal, the value still needs header-safe escaping (or CR/LF rejection) before interpolation.

Author

Yea, this was a naive implementation. A safer fix would just be to unencode square brackets after url_encoding everything.
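
The two escaping options discussed in this thread, side by side, as an added Ruby example that is not code from the pull request or from the project. The helper names and the sample keys are assumptions made for illustration.

```ruby
require "erb"

# Hypothetical helper names; not part of the project's code base.

# Option from the author's reply: percent-encode the whole key, then
# restore only the square brackets so array keys keep their literal form.
# A literal "%5B" in the input becomes "%255B" first, so the restore step
# cannot be confused by it.
def encode_key_restoring_brackets(key)
  ERB::Util.url_encode(key.to_s).gsub("%5B", "[").gsub("%5D", "]")
end

# Option from the PR description: escape only the characters that can end
# the quoted string or the header line (LF, CR, double quote, backslash).
HEADER_UNSAFE = { "\r" => "%0D", "\n" => "%0A", "\"" => "%22", "\\" => "%5C" }.freeze

def escape_header_unsafe(key)
  key.to_s.gsub(/[\r\n"\\]/, HEADER_UNSAFE)
end

# Builds the header line the way the hunk does, with the escaper applied.
def content_disposition(key, escaper)
  "Content-Disposition: form-data; name=\"#{send(escaper, key)}\""
end

# Constructed sample keys: one legitimate array key, one key carrying a
# quote and a line break.
ARRAY_KEY   = "timestamp_granularities[]"
HOSTILE_KEY = "a\"\r\nX-Injected: 1"

%i[encode_key_restoring_brackets escape_header_unsafe].each do |escaper|
  [ARRAY_KEY, HOSTILE_KEY].each do |key|
    puts "#{escaper}: #{content_disposition(key, escaper).inspect}"
  end
end
```

The narrow escaper leaves `%` untouched, so a server that percent-decodes field names cannot tell an escaped quote from a literal `%22` in the key.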
