Skip to content

escape quotes and strip line breaks in rfc7578 multipart parameters#845

Open
dxbjavid wants to merge 1 commit into
apache:masterfrom
dxbjavid:rfc7578-multipart-header-injection
Open

escape quotes and strip line breaks in rfc7578 multipart parameters#845
dxbjavid wants to merge 1 commit into
apache:masterfrom
dxbjavid:rfc7578-multipart-header-injection

Conversation

@dxbjavid

@dxbjavid dxbjavid commented Jul 5, 2026

Copy link
Copy Markdown

In EXTENDED mode the RFC 7578 writer builds the Content-Disposition line itself rather than going through MimeField.getBody(), and for parameters other than filename (in practice the form field name) it writes the value straight out with no quoting. So a field name that contains a double quote or a CR/LF ends up breaking out of the quoted string and injecting extra header lines into the part, which matters when the name comes from somewhere untrusted. The STRICT and LEGACY writers already avoid this because they escape quotes and strip line breaks; this just brings the RFC 7578 path in line by backslash-escaping quotes and replacing line breaks the same way. Added a small regression test in HttpRFC7578MultipartTest covering a name with an embedded quote and CRLF.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant