Skip to content

escape quotes and strip line breaks in rfc7578 multipart parameters#845

Merged
ok2c merged 1 commit into
apache:masterfrom
dxbjavid:rfc7578-multipart-header-injection
Jul 8, 2026
Merged

escape quotes and strip line breaks in rfc7578 multipart parameters#845
ok2c merged 1 commit into
apache:masterfrom
dxbjavid:rfc7578-multipart-header-injection

Conversation

@dxbjavid

@dxbjavid dxbjavid commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

In EXTENDED mode the RFC 7578 writer builds the Content-Disposition line itself rather than going through MimeField.getBody(), and for parameters other than filename (in practice the form field name) it writes the value straight out with no quoting. So a field name that contains a double quote or a CR/LF ends up breaking out of the quoted string and injecting extra header lines into the part, which matters when the name comes from somewhere untrusted. The STRICT and LEGACY writers already avoid this because they escape quotes and strip line breaks; this just brings the RFC 7578 path in line by backslash-escaping quotes and replacing line breaks the same way. Added a small regression test in HttpRFC7578MultipartTest covering a name with an embedded quote and CRLF.

@ok2c ok2c merged commit da6f1b2 into apache:master Jul 8, 2026
3 checks passed
@dxbjavid

dxbjavid commented Jul 8, 2026

Copy link
Copy Markdown
Contributor Author

TY!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants