A `multipart/form-data` form consists of a series of parts, separated by a boundary. As originally specified in RFC 2388, each part may contain a `Content-Transfer-Encoding` header as defined in RFC 2045 Section 6.
RFC 7578, Section 4.7, which updates and obsoletes RFC 2388, deprecates the use of `Content-Transfer-Encoding` in contexts which support binary data, specifically including HTTP.
http.Request.ParseMultipartForm will parse form parts containing a `Content-Transfer-Encoding` header. To use an example from RFC 7578, `ParseMultipartForm` will parse this form part as containing the body "Joe owes €100.":
This can act as a content smuggling vector, since other implementations generally do not decode quoted-printable form parts in HTTP `multipart/form-data` responses. As a hardening measure, we should consider not decoding encoded parts in `ParseMultipartForm`. RFC 7578 indicates that implementations that send such bodies are uncommon to nonexistent.
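The divergence the issue describes, shown in working code. This is an added example, not code from the issue or from the Go standard library: it feeds the RFC 7578 quoted-printable form part (reconstructed here as a constructed byte string, with boundary `AaB03x`) to `http.Request.ParseMultipartForm`, which decodes it, and to `multipart.Reader.NextRawPart`, which does not. The functions `ParseFormValue`, `RawPartBody` and `ReadFormRaw` are this example's own names; `ReadFormRaw` is one way a consumer can get the "no decoding" behaviour other implementations have today, by walking raw parts and refusing any that carries a `Content-Transfer-Encoding` header.

```go
package main

import (
	"fmt"
	"io"
	"mime/multipart"
	"net/http"
	"strings"
)

// Constructed for this example: the RFC 7578 quoted-printable form part,
// followed by the same part without the Content-Transfer-Encoding header.
const boundary = "AaB03x"

const formBody = "--AaB03x\r\n" +
	"Content-Disposition: form-data; name=\"field1\"\r\n" +
	"Content-Type: text/plain;charset=UTF-8\r\n" +
	"Content-Transfer-Encoding: quoted-printable\r\n" +
	"\r\n" +
	"Joe owes =E2=82=AC100.\r\n" +
	"--AaB03x--\r\n"

const plainBody = "--AaB03x\r\n" +
	"Content-Disposition: form-data; name=\"field1\"\r\n" +
	"Content-Type: text/plain;charset=UTF-8\r\n" +
	"\r\n" +
	"Joe owes =E2=82=AC100.\r\n" +
	"--AaB03x--\r\n"

// ParseFormValue runs body through http.Request.ParseMultipartForm, as a
// typical handler would, and returns the value it sees for name. With the
// quoted-printable header present, net/http decodes the part.
func ParseFormValue(body, name string) (string, error) {
	req, err := http.NewRequest(http.MethodPost, "http://example.invalid/upload", strings.NewReader(body))
	if err != nil {
		return "", err
	}
	req.Header.Set("Content-Type", "multipart/form-data; boundary="+boundary)
	if err := req.ParseMultipartForm(1 << 20); err != nil {
		return "", err
	}
	vals := req.MultipartForm.Value[name]
	if len(vals) == 0 {
		return "", fmt.Errorf("no part named %q", name)
	}
	return vals[0], nil
}

// RawPartBody reads the first part with NextRawPart, which skips the
// quoted-printable decoding that NextPart and ReadForm apply, so the
// caller sees the bytes as they were on the wire. The part's
// Content-Transfer-Encoding header is returned alongside the body.
func RawPartBody(body string) (cte, data string, err error) {
	mr := multipart.NewReader(strings.NewReader(body), boundary)
	p, err := mr.NextRawPart()
	if err != nil {
		return "", "", err
	}
	b, err := io.ReadAll(p)
	if err != nil {
		return "", "", err
	}
	return p.Header.Get("Content-Transfer-Encoding"), string(b), nil
}

// ReadFormRaw collects form values without decoding and rejects the whole
// form if any part carries a Content-Transfer-Encoding header, so this
// server can never interpret a part differently from a peer that does not
// decode. It is an illustration of the hardening the issue proposes, not a
// net/http API.
func ReadFormRaw(body string) (map[string]string, error) {
	mr := multipart.NewReader(strings.NewReader(body), boundary)
	values := map[string]string{}
	for i := 0; ; i++ {
		p, err := mr.NextRawPart()
		if err == io.EOF {
			return values, nil
		}
		if err != nil {
			return nil, err
		}
		if cte := p.Header.Get("Content-Transfer-Encoding"); cte != "" {
			return nil, fmt.Errorf("part %d (%q) uses Content-Transfer-Encoding %q", i, p.FormName(), cte)
		}
		b, err := io.ReadAll(p)
		if err != nil {
			return nil, err
		}
		if name := p.FormName(); name != "" {
			values[name] = string(b)
		}
	}
}

func main() {
	decoded, err := ParseFormValue(formBody, "field1")
	fmt.Printf("ParseMultipartForm: %q (err=%v)\n", decoded, err)
	cte, raw, err := RawPartBody(formBody)
	fmt.Printf("NextRawPart: cte=%q body=%q (err=%v)\n", cte, raw, err)
	_, err = ReadFormRaw(formBody)
	fmt.Printf("ReadFormRaw: %v\n", err)
}
```

The same body bytes yield "Joe owes €100." from `ParseMultipartForm` and "Joe owes =E2=82=AC100." from the raw reader, which is exactly what a non-decoding peer (or a filter in front of this server) would see. Note that `ReadFormRaw` consumes the request body, so in a real handler it replaces `ParseMultipartForm` rather than running before it.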