The Abused Header has multiple name ( avatar & foo ) fields and the "filename" has been rewritten from *.txt to *.sh .
These problems can result in successful or unsuccessful attacks, depending on the behavior of the parser receiving the request.
I have confirmed that the attack succeeds, at least in the following frameworks
Spring (Java)
Ktor (Kotlin)
Ruby on Rails (Ruby)
The cause of this problem is the lack of escaping of the " (Double-Quote) character in Content-Disposition > filename.
For field names and filenames for file fields, the result of the encoding in the previous bullet point must be escaped by replacing any 0x0A (LF) bytes with the byte sequence %0A, 0x0D (CR) with %0D and 0x22 (") with %22. The user agent must not perform any other escapes.
Patches
As noted at the beginning of this section, encoding must be done as described in the HTML Spec.
For field names and filenames for file fields, the result of the encoding in the previous bullet point must be escaped by replacing any 0x0A (LF) bytes with the byte sequence %0A, 0x0D (CR) with %0D and 0x22 (") with %22. The user agent must not perform any other escapes.
Therefore, it is recommended that Content-Disposition be modified by either of the following
Also, as for \r, \n, URL Encode is not done, but it is not newlines, so it seemed to be OK.
However, since there may be omissions, it is safer to URL encode these as well, if possible.
( \r to %0A and \d to %0D )
jnunemaker/httparty (httparty)
### [`v0.21.0`](https://togithub.com/jnunemaker/httparty/blob/HEAD/Changelog.md#0210)
[Compare Source](https://togithub.com/jnunemaker/httparty/compare/v0.20.0...v0.21.0)
- [escape filename in the multipart/form-data Content-Disposition header](https://togithub.com/jnunemaker/httparty/commit/cdb45a678c43e44570b4e73f84b1abeb5ec22b8e)
- [Fix request marshaling](https://togithub.com/jnunemaker/httparty/pull/767)
- [Replace `mime-types` with `mini_mime`](https://togithub.com/jnunemaker/httparty/pull/769)
### [`v0.20.0`](https://togithub.com/jnunemaker/httparty/blob/HEAD/Changelog.md#0200)
[Compare Source](https://togithub.com/jnunemaker/httparty/compare/v0.19.1...v0.20.0)
Breaking changes
- Require Ruby >= 2.3.0
Fixes
- [`Marshal.dump` fails on response objects when request option `:logger` is set or `:parser` is a proc](https://togithub.com/jnunemaker/httparty/pull/714)
- [Switch `:pem` option to to `OpenSSL::PKey.read` to support other algorithms](https://togithub.com/jnunemaker/httparty/pull/720)
### [`v0.19.1`](https://togithub.com/jnunemaker/httparty/blob/HEAD/Changelog.md#0191)
[Compare Source](https://togithub.com/jnunemaker/httparty/compare/v0.19.0...v0.19.1)
- [Remove use of unary + method for creating non-frozen string to increase compatibility with older versions of ruby](https://togithub.com/jnunemaker/httparty/commit/4416141d37fd71bdba4f37589ec265f55aa446ce)
### [`v0.19.0`](https://togithub.com/jnunemaker/httparty/blob/HEAD/Changelog.md#0190)
[Compare Source](https://togithub.com/jnunemaker/httparty/compare/v0.18.1...v0.19.0)
- [Multipart/Form-Data: rewind files after read](https://togithub.com/jnunemaker/httparty/pull/709)
- [add frozen_string_literal pragma to all files](https://togithub.com/jnunemaker/httparty/pull/711)
- [Better handling of Accept-Encoding / Content-Encoding decompression (fixes #562)](https://togithub.com/jnunemaker/httparty/pull/729)
Configuration
š Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
š¦ Automerge: Enabled.
ā» Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
š Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR contains the following updates:
0.18.1
->0.21.0
GitHub Vulnerability Alerts
CVE-2024-22049
Impact
I found "multipart/form-data request tampering vulnerability" caused by Content-Disposition "filename" lack of escaping in httparty.
httparty/lib/httparty/request
>body.rb
>def generate_multipart
https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43
By exploiting this problem, the following attacks are possible
For example, this vulnerability can be exploited to generate the following Content-Disposition.
The Abused Header has multiple name (
avatar
&foo
) fields and the "filename" has been rewritten from*.txt
to*.sh
.These problems can result in successful or unsuccessful attacks, depending on the behavior of the parser receiving the request. I have confirmed that the attack succeeds, at least in the following frameworks
The cause of this problem is the lack of escaping of the
"
(Double-Quote) character in Content-Disposition > filename.WhatWG's HTML spec has an escaping requirement.
https://html.spec.whatwg.org/#multipart-form-data
Patches
As noted at the beginning of this section, encoding must be done as described in the HTML Spec.
https://html.spec.whatwg.org/#multipart-form-data
Therefore, it is recommended that Content-Disposition be modified by either of the following
https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43
Also, as for
\r
,\n
, URL Encode is not done, but it is not newlines, so it seemed to be OK. However, since there may be omissions, it is safer to URL encode these as well, if possible. (\r
to%0A
and\d
to%0D
)PoC
PoC Environment
OS: macOS Monterey(12.3) Ruby ver: ruby 3.1.2p20 httparty ver: 0.20.0 (Python3 - HTTP Request Logging Server)
PoC procedure
(Linux or MacOS is required. This is because Windows does not allow file names containing
"
(double-quote) .)Create Project
Create malicious file
I write Python code, but any method will work as long as you can see the HTTP Request Body. (e.g. Debugger, HTTP Logging Server, Packet Capture)
$ vi logging.py
$ python logging.py
Return Request Header & Body:
Content-Disposition:
References
I also include a similar report that I previously reported to Firefox. https://bugzilla.mozilla.org/show_bug.cgi?id=1556711
I will post some examples of frameworks that did not have problems as reference.
Golang https://github.com/golang/go/blob/e0e0c8fe9881bbbfe689ad94ca5dddbb252e4233/src/mime/multipart/writer.go#L144
Spring https://github.com/spring-projects/spring-framework/blob/4cc91e46b210b4e4e7ed182f93994511391b54ed/spring-web/src/main/java/org/springframework/http/ContentDisposition.java#L259-L267
Symphony https://github.com/symfony/symfony/blob/123b1651c4a7e219ba59074441badfac65525efe/src/Symfony/Component/Mime/Header/ParameterizedHeader.php#L128-L133
For more information
If you have any questions or comments about this advisory:
Release Notes
jnunemaker/httparty (httparty)
### [`v0.21.0`](https://togithub.com/jnunemaker/httparty/blob/HEAD/Changelog.md#0210) [Compare Source](https://togithub.com/jnunemaker/httparty/compare/v0.20.0...v0.21.0) - [escape filename in the multipart/form-data Content-Disposition header](https://togithub.com/jnunemaker/httparty/commit/cdb45a678c43e44570b4e73f84b1abeb5ec22b8e) - [Fix request marshaling](https://togithub.com/jnunemaker/httparty/pull/767) - [Replace `mime-types` with `mini_mime`](https://togithub.com/jnunemaker/httparty/pull/769) ### [`v0.20.0`](https://togithub.com/jnunemaker/httparty/blob/HEAD/Changelog.md#0200) [Compare Source](https://togithub.com/jnunemaker/httparty/compare/v0.19.1...v0.20.0) Breaking changes - Require Ruby >= 2.3.0 Fixes - [`Marshal.dump` fails on response objects when request option `:logger` is set or `:parser` is a proc](https://togithub.com/jnunemaker/httparty/pull/714) - [Switch `:pem` option to to `OpenSSL::PKey.read` to support other algorithms](https://togithub.com/jnunemaker/httparty/pull/720) ### [`v0.19.1`](https://togithub.com/jnunemaker/httparty/blob/HEAD/Changelog.md#0191) [Compare Source](https://togithub.com/jnunemaker/httparty/compare/v0.19.0...v0.19.1) - [Remove use of unary + method for creating non-frozen string to increase compatibility with older versions of ruby](https://togithub.com/jnunemaker/httparty/commit/4416141d37fd71bdba4f37589ec265f55aa446ce) ### [`v0.19.0`](https://togithub.com/jnunemaker/httparty/blob/HEAD/Changelog.md#0190) [Compare Source](https://togithub.com/jnunemaker/httparty/compare/v0.18.1...v0.19.0) - [Multipart/Form-Data: rewind files after read](https://togithub.com/jnunemaker/httparty/pull/709) - [add frozen_string_literal pragma to all files](https://togithub.com/jnunemaker/httparty/pull/711) - [Better handling of Accept-Encoding / Content-Encoding decompression (fixes #562)](https://togithub.com/jnunemaker/httparty/pull/729)Configuration
š Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
š¦ Automerge: Enabled.
ā» Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
š Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.