Skip to content

fix: buffer overflow in multipart body proc #3546

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
airween wants to merge 5 commits into
base: v3/master
Choose a base branch
from
+59 −3
Open

fix: buffer overflow in multipart body proc #3546

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
164de0f
fix: buffer overflow in multipart body proc
airween Apr 12, 2026
b9fb213
cast argument as unsigned
airween Apr 12, 2026
f9248f9
Check if filename arg is quoted and it has the trailing quote
airween Apr 13, 2026
9b33b2e
Change conditions' order; cast isdigit()'s argument
airween Apr 19, 2026
3b8b094
Merge branch 'v3/master' into v3/multipartbofix
airween Apr 19, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 8 additions & 3 deletions src/request_body_processor/multipart.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -362,11 +362,11 @@ int Multipart::parse_content_disposition(const char *c_d_value, int offset) {
const char* start_of_filename = p;
while ((*p != '\0') && (*p != ';')) {
if (*p == '%') {
if ((*(p+1) == '\0') || (!isxdigit(*(p+1))) || (!isxdigit(*(p+2)))) {
if ((*(p+1) == '\0') || (*(p+2) == '\0') || (!isxdigit(static_cast<unsigned char>(*(p+1)))) || (!isxdigit(static_cast<unsigned char>(*(p+2))))) {
return -18;
}
p += 3;
} else if (isalnum(*p) || strchr(attr_char_special, *p)) {
} else if (isalnum(static_cast<unsigned char>(*p)) || strchr(attr_char_special, *p)) {
p++;
} else {
return -19;
Expand Down Expand Up @@ -415,7 +415,12 @@ int Multipart::parse_content_disposition(const char *c_d_value, int offset) {
value.append((p++), 1);
}

p++; /* go over the quote at the end */
if (*p == quote) {
p++; /* go over the quote at the end */
Comment thread
fzipi marked this conversation as resolved.
} else {
m_flag_invalid_quoting = 1;
return -15; /* closing quote not found */
}

Comment on lines +418 to 424
Copy link

Copilot AI Apr 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The PR addresses out-of-bounds reads in Content-Disposition parsing; adding regression cases for (1) filename* values ending with an incomplete percent-escape (e.g. trailing %A) and (2) quoted values missing a terminating quote would help ensure this remains fixed (especially under ASAN/UBSAN).

Suggested change
if (*p == quote) {
p++; /* go over the quote at the end */
}
if (*p == '\0') {
/* missing terminating quote */
return -7;
}
p++; /* go over the quote at the end */

Copilot uses AI. Check for mistakes.
Copy link
Copy Markdown
Member Author

@airween airween Apr 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure this is a valid case, multipart header can contain urlencoded text, but the parser's task process it as is.

This suggestion removes that very important condition, I'm afraid that could make the parser wrong.

Copy link
Copy Markdown
Collaborator

@theseion theseion Apr 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You only get here if a opening quote was observed, so a closing quote is expected. If the closing quote is URL encoded, then that looks like an evasion attempt. If the opening quote is also URL encoded, we won't end up here anyway (I think), so I think it's valid to say that the quote is missing.

I don't think we should set invalid_quoting in this case, the semantics are different.

I don't understand what difference it makes for you whether the return value is -7 or -15. The previous suggestion would behave the same, just with a different return code.

Copy link
Copy Markdown
Member Author

@airween airween Apr 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think here we should split up the suggestions into two parts:

  • handling url-encoded characters
  • handling missing quote at the end

First item: not relevant, the parser does not handle the url encoded quotes at all, this is why I wrote that the suggestion from Copilot is not a valid case.

Second: the missing quote is handled correctly with this, I added a new test case; I checked this test without this modification, which was failed.

I don't understand what difference it makes for you whether the return value is -7 or -15. The previous suggestion would behave the same, just with a different return code.

I think this is why we shouldn't change anything here 😃.

} else {
/* not quoted */
Expand Down
51 changes: 51 additions & 0 deletions test/test-cases/regression/request-body-parser-multipart.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3417,5 +3417,56 @@
"SecruleEngine On",
"SecRule REQBODY_PROCESSOR_ERROR \"@eq 1\" \"phase:2,deny,status:403,id:500077\""
]
},
{
"enabled": 1,
"version_min": 300000,
"title": "multipart parser (invalid part header - missing trailing quote)",
"client": {
"ip": "200.249.12.31",
"port": 123
},
"server": {
"ip": "200.249.12.31",
"port": 80
},
"request": {
"headers": {
"Host": "localhost",
"User-Agent": "curl/7.38.0",
"Accept": "*/*",
"Content-Length": "145",
"Content-Type": "multipart/form-data; boundary=a",
"Expect": "100-continue"
},
"uri": "/",
"method": "POST",
"body": [
"--a\r\n",
"Content-Disposition: form-data; name=\"file\"; filename=\"1.jsp\r\n",
"\r\n",
"Some content\r\n",
"--a--\r\n"
]
},
"response": {
"headers": {
"Date": "Mon, 13 Jul 2015 20:02:41 GMT",
"Last-Modified": "Sun, 26 Oct 2014 22:33:37 GMT",
"Content-Type": "text/html",
"Content-Length": "8"
},
"body": [
"no need."
]
},
"expected": {
"debug_log": "Multipart: Invalid Content-Disposition header \\(-15\\): form-data; name=\"file\"; filename=\"1.jsp",
"http_code": 403
},
"rules": [
"SecruleEngine On",
"SecRule REQBODY_PROCESSOR_ERROR \"@eq 1\" \"phase:2,deny,status:403,id:500077\""
]
}
]
Loading