Open neild opened 10 months ago
Addendum:
Thanks to Qi Wang and Jianjun Chen for reporting this issue.
Change https://go.dev/cl/573195 mentions this issue: mime/multipart: add Reader.SetRejectContentTransferEncoding
Change https://go.dev/cl/573196 mentions this issue: net/http: reject multipart requests containing a "Content-Transfer-Encoding" header
See also #66434.
A
multipart/form-data
form consists of a series of parts, separated by a boundary. As originally specified in RFC 2388, each part may contain aContent-Transfer-Encoding
header as defined in RFC 2045 Section 6.RFC 7578, Section 4.7, which updates and obsoletes RFC 2388, deprecates the use of
Content-Transfer-Encoding
in contexts which support binary data, specifically including HTTP.http.Request.ParseMultipartForm will parse form parts containing a
Content-Transfer-Encoding
header. To use an example from RFC 7578,ParseMultipartForm
will parse this form part as containing the body "Joe owes €100.":This can act as a content smuggling vector, since other implementations generally do not decode quoted-printable form parts in HTTP
multipart/form-data
responses. As a hardening measure, we should consider not decoding encoded parts inParseMultipartForm
. RFC 7578 indicates that implementations that send such bodies are uncommon to nonexistent.