net/http: do not decode multipart form parts containing Content-Transfer-Encoding headers #63855
Labels: NeedsFix
A `multipart/form-data` form consists of a series of parts, separated by a boundary. As originally specified in RFC 2388, each part may contain a `Content-Transfer-Encoding` header as defined in RFC 2045 Section 6. RFC 7578, Section 4.7, which updates and obsoletes RFC 2388, deprecates the use of `Content-Transfer-Encoding` in contexts which support binary data, specifically including HTTP.

`http.Request.ParseMultipartForm` will parse form parts containing a `Content-Transfer-Encoding` header. To use an example from RFC 7578, `ParseMultipartForm` will parse this form part as containing the body "Joe owes €100.":

This can act as a content smuggling vector, since other implementations generally do not decode quoted-printable form parts in HTTP `multipart/form-data` responses. As a hardening measure, we should consider not decoding encoded parts in `ParseMultipartForm`. RFC 7578 indicates that implementations that send such bodies are uncommon to nonexistent.