| author | Damien Neil <dneil@google.com> | 2025-09-25 13:24:01 -0700 |
|---|---|---|
| committer | Gopher Robot <gobot@golang.org> | 2025-09-26 09:04:26 -0700 |
| commit | 41cba31e66c979c413a4368c4f3d82ebadf0fb5b (patch) | |
| tree | 3abb3516fe8d1e510307387bfd0fd69b8a892e78 /src/runtime/testdata | |
| parent | dd1d597c3ac049de7865a9cb98627fde0baacc69 (diff) | |
| download | go-41cba31e66c979c413a4368c4f3d82ebadf0fb5b.tar.xz | |
mime/multipart: percent-encode CR and LF in header values to avoid CRLF injection
When provided with a field or file name containing newlines,
multipart.FileContentDisposition and other header-producing functions
could create an invalid header value.
In some scenarios, this could permit a malicious input to perform
a CRLF injection attack:
```go
field := "field"
evilFile := "name\"\r\nEvil-Header: \"evil"
fmt.Printf("Content-Disposition: %v\r\n", multipart.FileContentDisposition(field, evilFile))
// Prints:
// Content-Disposition: form-data; name="field"; filename="name"
// Evil-Header: "evil"
```
Percent-encode \r and \n characters in headers, as recommended by
https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#multipart/form-data-encoding-algorithm
The above algorithm also recommends using percent-encoding for quotes,
but preserve the existing backslash-escape behavior for now.
Empirically, browsers understand backslash-escape in attribute values.
Fixes #75557
Change-Id: Ia203df6ef45a098070f3ebb17f9b6cf80c520ed4
Reviewed-on: https://go-review.googlesource.com/c/go/+/706677
Auto-Submit: Damien Neil <dneil@google.com>
Reviewed-by: Nicholas Husin <nsh@golang.org>
Reviewed-by: Nicholas Husin <husin@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
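The escaping change the commit message describes, shown as an added example that is not the commit's own code or the mime/multipart source: `legacyEscaper` models the pre-fix behaviour (only backslash and quote are escaped), `safeEscaper` additionally percent-encodes CR and LF, and `contentDisposition` builds the same form-data header value shape as `multipart.FileContentDisposition`. The helper names are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// legacyEscaper models the pre-fix behaviour described above: only
// backslashes and double quotes are escaped, so CR and LF pass straight
// through into the header value. (Illustrative, not the stdlib source.)
var legacyEscaper = strings.NewReplacer("\\", "\\\\", `"`, `\"`)

// safeEscaper keeps the backslash escaping and additionally percent-encodes
// CR and LF, following the WHATWG multipart/form-data encoding algorithm
// the commit cites. (Illustrative, not the stdlib source.)
var safeEscaper = strings.NewReplacer(
	"\\", "\\\\",
	`"`, `\"`,
	"\r", "%0D",
	"\n", "%0A",
)

// contentDisposition builds a form-data Content-Disposition value with the
// given escaper, the same shape multipart.FileContentDisposition produces.
func contentDisposition(esc *strings.Replacer, field, filename string) string {
	return fmt.Sprintf(`form-data; name="%s"; filename="%s"`,
		esc.Replace(field), esc.Replace(filename))
}

// headerIsSingleLine reports whether a header value contains no CR or LF,
// the property that rules out header injection when the value is serialised.
func headerIsSingleLine(v string) bool {
	return !strings.ContainsAny(v, "\r\n")
}

func main() {
	// Constructed input, taken from the commit message's example.
	evil := "name\"\r\nEvil-Header: \"evil"
	for _, esc := range []*strings.Replacer{legacyEscaper, safeEscaper} {
		v := contentDisposition(esc, "field", evil)
		fmt.Printf("single line: %v\nContent-Disposition: %s\n\n", headerIsSingleLine(v), v)
	}
}
```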
Diffstat (limited to 'src/runtime/testdata')
0 files changed, 0 insertions, 0 deletions
