Skip to content

fix: buffer overflow in multipart body proc #3546

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
airween merged 5 commits into from
Apr 21, 2026
+59 −3
Merged

fix: buffer overflow in multipart body proc #3546

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
164de0f
fix: buffer overflow in multipart body proc
airween Apr 12, 2026
b9fb213
cast argument as unsigned
airween Apr 12, 2026
f9248f9
Check if filename arg is quoted and it has the trailing quote
airween Apr 13, 2026
9b33b2e
Change conditions' order; cast isdigit()'s argument
airween Apr 19, 2026
3b8b094
Merge branch 'v3/master' into v3/multipartbofix
airween Apr 19, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 8 additions & 3 deletions src/request_body_processor/multipart.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -362,11 +362,11 @@ int Multipart::parse_content_disposition(const char *c_d_value, int offset) {
const char* start_of_filename = p;
while ((*p != '\0') && (*p != ';')) {
if (*p == '%') {
if ((*(p+1) == '\0') || (!isxdigit(*(p+1))) || (!isxdigit(*(p+2)))) {
if ((*(p+1) == '\0') || (!isxdigit(*(p+1))) || (*(p+2) == '\0') || (!isxdigit(static_cast<unsigned char>(*(p+2))))) {
Comment thread
airween marked this conversation as resolved.
Outdated
Comment thread
theseion marked this conversation as resolved.
Outdated
return -18;
}
p += 3;
} else if (isalnum(*p) || strchr(attr_char_special, *p)) {
} else if (isalnum(static_cast<unsigned char>(*p)) || strchr(attr_char_special, *p)) {
p++;
} else {
return -19;
Expand Down Expand Up @@ -415,7 +415,12 @@ int Multipart::parse_content_disposition(const char *c_d_value, int offset) {
value.append((p++), 1);
}

p++; /* go over the quote at the end */
if (*p == quote) {
p++; /* go over the quote at the end */
Comment thread
fzipi marked this conversation as resolved.
} else {
m_flag_invalid_quoting = 1;
return -15; /* closing quote not found */
}

Comment thread
airween marked this conversation as resolved.
} else {
/* not quoted */
Expand Down
51 changes: 51 additions & 0 deletions test/test-cases/regression/request-body-parser-multipart.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3417,5 +3417,56 @@
"SecruleEngine On",
"SecRule REQBODY_PROCESSOR_ERROR \"@eq 1\" \"phase:2,deny,status:403,id:500077\""
]
},
{
"enabled": 1,
"version_min": 300000,
"title": "multipart parser (invalid part header - missing trailing quote)",
"client": {
"ip": "200.249.12.31",
"port": 123
},
"server": {
"ip": "200.249.12.31",
"port": 80
},
"request": {
"headers": {
"Host": "localhost",
"User-Agent": "curl/7.38.0",
"Accept": "*/*",
"Content-Length": "145",
"Content-Type": "multipart/form-data; boundary=a",
"Expect": "100-continue"
},
"uri": "/",
"method": "POST",
"body": [
"--a\r\n",
"Content-Disposition: form-data; name=\"file\"; filename=\"1.jsp\r\n",
"\r\n",
"Some content\r\n",
"--a--\r\n"
]
},
"response": {
"headers": {
"Date": "Mon, 13 Jul 2015 20:02:41 GMT",
"Last-Modified": "Sun, 26 Oct 2014 22:33:37 GMT",
"Content-Type": "text/html",
"Content-Length": "8"
},
"body": [
"no need."
]
},
"expected": {
"debug_log": "Multipart: Invalid Content-Disposition header \\(-15\\): form-data; name=\"file\"; filename=\"1.jsp",
"http_code": 403
},
"rules": [
"SecruleEngine On",
"SecRule REQBODY_PROCESSOR_ERROR \"@eq 1\" \"phase:2,deny,status:403,id:500077\""
]
}
]
Loading