github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-09-29 19:24:29 +03:00
Code Issues Packages Projects Releases Wiki Activity

Tolerate other parameters after boundary in multipart C-T

Browse Source
This commit is contained in:
Martin Vierula
2022-04-26 11:17:46 -07:00
parent 3975f0f8fa
commit 6e56950cdf
3 changed files with 68 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
src/request_body_processor/multipart.cc
View File

@@ -1375,6 +1375,16 @@ bool Multipart::init(std::string *error) {
return false;
}
/* Some frameworks are known to incorrectly include a charset= parameter */
/* after the boundary. Doing so is not RFC-compliant, but we will tolerate it.*/
if (boundary_characters_valid(m_boundary.c_str()) != 1) {
size_t semicolon_after_boundary = m_boundary.find(';');
if (semicolon_after_boundary != std::string::npos) {
ms_dbg_a(m_transaction, 3,
"Multipart: Invalid parameter after boundary in C-T (tolerated).");
m_boundary = m_boundary.substr(0, semicolon_after_boundary);
}
}
/* Validate the characters used in the boundary. */
if (boundary_characters_valid(m_boundary.c_str()) != 1) {
m_flag_error = 1;