Security fixes for release 6.5.5 #3584
Merged
bdarnell merged 3 commits into tornadoweb:master, Mar 10, 2026
The new default limits prevent a DoS vulnerability involving requests with many multipart parts. It also adds a defense-in-depth limit on the size of multipart headers, which would have mitigated the vulnerability fixed in 6.5.3. New data structures are added to allow users to configure these limits, and to disable multipart parsing entirely if they choose. However, due to the complexity of the plumbing required to pass these configuration options through the stack, the only configuration provided in this commit is the ability to set a global default.
Our previous control character check was missing a check for U+007F, and also semicolons, which are only allowed in quoted parts of values. This commit checks all attributes and updates the set of disallowed characters.
I think these were omitted due to quirks of an older version of the parsing code. Linefeeds are already effectively prohibited within header values since they are interpreted as delimiters, so the net effect of this change is to prohibit bare carriage returns within header values. This RE is used only when parsing headers inside multipart/form-data bodies; for HTTP headers CR was already prohibited.
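As an added illustration of the three commit messages above, not Tornado's own code or API (the PR text names the new configuration structures only in passing, so none of them are reproduced here), the following Python sketch shows the shape of the checks those commits describe: a part-count limit and a per-part header-size limit that are both enforced before any part body is examined, rejection of C0 control characters (which covers a bare CR or LF) and DEL (U+007F) inside part headers, and Content-Disposition parameter splitting on `;` only outside quoted strings. The limit values, the `MultipartError` class, the boundary `xyz`, the `build_body` helper and every sample body are constructed for this example.

```python
import re

# Never allowed in a part header line: C0 controls (0x00-0x1F, which includes a
# bare CR or LF left over after CRLF splitting) and DEL (0x7F).
_CTRL_RE = re.compile(r"[\x00-\x1f\x7f]")


class MultipartError(ValueError):
    """Any malformed or over-limit multipart body (example-only exception)."""


def parse_disposition(value):
    """Split 'form-data; name="a;b"; filename="x"' into (type, params).  A ';'
    separates parameters only outside double quotes, so a quoted "a;b" is kept
    while an unquoted a;b leaves a malformed parameter and is rejected.
    Backslash escapes are not decoded: an escaped quote reads as unbalanced
    and the value is rejected rather than misparsed."""
    pieces, cur, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            pieces.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if quoted:
        raise MultipartError("unterminated quoted string")
    pieces.append("".join(cur))
    params = {}
    for p in pieces[1:]:
        if "=" not in p:
            raise MultipartError("malformed parameter %r" % p.strip())
        k, v = (s.strip() for s in p.split("=", 1))
        if len(v) >= 2 and v[0] == v[-1] == '"':
            v = v[1:-1]
        params[k.lower()] = v
    return pieces[0].strip().lower(), params


def parse_part_headers(block):
    """Parse one part's header block; any control byte or DEL rejects the line."""
    headers = {}
    for raw in block.split(b"\r\n"):
        line = raw.decode("latin-1")
        if _CTRL_RE.search(line) or ":" not in line:
            raise MultipartError("bad header line %r" % line)
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_multipart(body, boundary, *, max_parts=100, max_header_bytes=8192):
    """Return one dict per part; the limits (constructed defaults, not
    Tornado's) are enforced before a part's data is touched."""
    delim = b"--" + boundary
    end = body.find(delim + b"--")
    if end < 0:
        raise MultipartError("missing closing boundary")
    # segments[0] is the preamble; each later one is: headers CRLF CRLF data CRLF
    segments = body[:end].split(delim + b"\r\n")
    parts = []
    for seg in segments[1:]:
        if len(parts) >= max_parts:
            raise MultipartError("more than %d parts" % max_parts)
        # Search for the header terminator only inside the limit, so an
        # oversized header is rejected without scanning or buffering all of it.
        sep = seg.find(b"\r\n\r\n", 0, max_header_bytes + 4)
        if sep < 0:
            raise MultipartError("part headers missing or over %d bytes" % max_header_bytes)
        headers = parse_part_headers(seg[:sep])
        if "content-disposition" not in headers:
            raise MultipartError("part without Content-Disposition")
        _, params = parse_disposition(headers["content-disposition"])
        data = seg[sep + 4:]
        parts.append({"headers": headers, "name": params.get("name"),
                      "filename": params.get("filename"),
                      "data": data[:-2] if data.endswith(b"\r\n") else data})
    return parts


BOUNDARY = b"xyz"  # constructed, as are all sample bodies below


def build_body(boundary, parts):
    """Assemble a body from (header_lines, data) pairs; sample input only."""
    out = b""
    for lines, data in parts:
        out += b"--" + boundary + b"\r\n" + b"\r\n".join(lines) + b"\r\n\r\n" + data + b"\r\n"
    return out + b"--" + boundary + b"--\r\n"


def demo():
    """Parse constructed good and bad bodies under small limits; report per
    case the accepted part names or the reason for rejection."""
    cd = b"Content-Disposition: form-data; "
    cases = {
        "ok": [([cd + b'name="field"'], b"hello"),
               ([cd + b'name="file"; filename="a;b.txt"',
                 b"Content-Type: text/plain"], b"data")],
        "too_many_parts": [([cd + b'name="f%d"' % i], b"x") for i in range(6)],
        "big_header": [([cd + b'name="f"', b"X-Pad: " + b"a" * 600], b"x")],
        "bare_cr": [([cd + b'name="f"\rX-Injected: 1'], b"x")],
        "del_char": [([cd + b'name="f\x7f"'], b"x")],
        "unquoted_semicolon": [([cd + b"name=a;b"], b"x")],
    }
    results = {}
    for label, spec in cases.items():
        try:
            parts = parse_multipart(build_body(BOUNDARY, spec), BOUNDARY,
                                    max_parts=5, max_header_bytes=512)
            results[label] = "ok:" + ",".join(p["name"] or "" for p in parts)
        except MultipartError as e:
            results[label] = "rejected:" + str(e)
    return results
```

Calling `demo()` accepts only the first body and reports a distinct rejection reason for each of the others; the header-size case matters most for the DoS described above, because the terminator search is bounded by the limit and never walks the oversized header.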
vzhestkov added commits to openSUSE/salt that referenced this pull request (Mar 12, Mar 13 and Mar 17, 2026), each carrying the trailer Co-authored-by: Ben Darnell <ben@bendarnell.com>.