
net/http: multipart form should not include directory path in filename #45789

Closed
@katiehockman

Description


When parsing a multipart form, the parsed filename could include directory path information (e.g. "../../foobar.txt"). This is not allowed by RFC 7578 Section 4.2, which states:

If a "filename" parameter is supplied, the requirements of Section 2.3 of [RFC2183] for the "receiving MUA" (i.e., the receiving Mail User Agent) apply to receivers of multipart/form-data as well: do not use the file name blindly, check and possibly change to match local file system conventions if applicable, and do not use directory path information that may be present.

This off-spec behavior makes the code easy to misuse, but does not explicitly introduce a vulnerability, so this will not be fixed in a security release.

Thanks to Sebastiaan van Stijn for reporting this issue.
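The receiving-side rule the issue quotes, as an added example that is not part of the original issue or of the Go standard library: a multipart body carrying a filename with directory components is constructed and parsed, and the server applies its own base-name check rather than trusting `FileHeader.Filename` (which, before the fix, could still carry the `../../` prefix). `SafeFilename` and `ParseUploadFilename` are hypothetical helper names.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"mime/multipart"
	"path"
	"strings"
)

// SafeFilename applies the RFC 7578 / RFC 2183 "receiving MUA" rule:
// directory path information in a client-supplied filename is never used.
// Backslashes are treated as separators as well, so "..\..\x.txt" is
// handled like "../../x.txt" regardless of the server's OS.
func SafeFilename(name string) (string, error) {
	name = strings.ReplaceAll(name, "\\", "/")
	base := path.Base(name) // path.Base("../../foobar.txt") == "foobar.txt"
	switch base {
	case "", ".", "..", "/":
		return "", errors.New("multipart: filename has no usable base name")
	}
	return base, nil
}

// ParseUploadFilename builds a multipart/form-data body with the given
// client filename (constructed sample input), parses it the way
// net/http's ParseMultipartForm does, and returns the sanitized name.
func ParseUploadFilename(clientFilename string) (string, error) {
	var body bytes.Buffer
	w := multipart.NewWriter(&body)
	fw, err := w.CreateFormFile("upload", clientFilename)
	if err != nil {
		return "", err
	}
	fmt.Fprint(fw, "hello")
	if err := w.Close(); err != nil {
		return "", err
	}
	form, err := multipart.NewReader(&body, w.Boundary()).ReadForm(1 << 20)
	if err != nil {
		return "", err
	}
	defer form.RemoveAll()
	if fhs := form.File["upload"]; len(fhs) == 1 {
		// Do not use fhs[0].Filename directly; strip any path component first.
		return SafeFilename(fhs[0].Filename)
	}
	return "", errors.New("expected exactly one upload")
}

func main() {
	fmt.Println(ParseUploadFilename("../../foobar.txt")) // foobar.txt <nil>
}
```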

Labels: FrozenDueToAge, NeedsFix (the path to resolution is known, but the work has not been done), Security
