Fix quote validation in multipart code

2025-09-30 03:34:29 +03:00 · 2012-06-07 13:46:29 +00:00
parent 8ead49a9b7
commit 988e78e9ab
1 changed files with 28 additions and 13 deletions
--- a/apache2/msc_multipart.c
+++ b/apache2/msc_multipart.c
@@ -36,13 +36,13 @@ void validate_quotes(modsec_rec *msr, unsigned char *data)  {

    for(i = 0; i < len; i++)   {

-        if(data[i] == '\'' && (data[0] != '\"' || data[len-1] != '\"'))
-            msr->mpd->flag_invalid_quoting = 1;
-        else if (data[i] == '\"')   {
-            if(i != 0 && i != len-1)
+        if(data[i] == '\'' && (data[0] != '\"' || data[len-1] != '\"')) {
+            if (msr->txcfg->debuglog_level >= 9) {
+                msr_log(msr, 9, "Multipart: Invalid quoting detected: %s length %d bytes",
+                        log_escape_nq(msr->mp, data), len);
+            }
            msr->mpd->flag_invalid_quoting = 1;
        }
-
    }
 }

@@ -123,8 +123,6 @@ static int multipart_parse_content_disposition(modsec_rec *msr, char *c_d_value)
         * set so the user can deal with it in the rules if they so wish.
         */

-        validate_quotes(msr, p);
-
        if ((*p == '"') || (*p == '\'')) {
            /* quoted */
            char quote = *p;
@@ -183,6 +181,9 @@ static int multipart_parse_content_disposition(modsec_rec *msr, char *c_d_value)
        /* evaluate part */

        if (strcmp(name, "name") == 0) {
+
+            validate_quotes(msr, value);
+
            if (msr->mpd->mpp->name != NULL) {
                msr_log(msr, 4, "Multipart: Warning: Duplicate Content-Disposition name: %s",
                    log_escape_nq(msr->mp, value));
@@ -197,6 +198,9 @@ static int multipart_parse_content_disposition(modsec_rec *msr, char *c_d_value)
        }
        else
        if (strcmp(name, "filename") == 0) {
+
+            validate_quotes(msr, value);
+
            if (msr->mpd->mpp->filename != NULL) {
                msr_log(msr, 4, "Multipart: Warning: Duplicate Content-Disposition filename: %s",
                    log_escape_nq(msr->mp, value));
@@ -215,7 +219,18 @@ static int multipart_parse_content_disposition(modsec_rec *msr, char *c_d_value)
            while((*p == '\t') || (*p == ' ')) p++;
            /* the next character must be a zero or a semi-colon */
            if (*p == '\0') return 1; /* this is OK */
-            if (*p != ';') return -12;
+            if (*p != ';') {
+                p--;
+                if(*p == '\'' || *p == '\"') {
+                    if (msr->txcfg->debuglog_level >= 9) {
+                        msr_log(msr, 9, "Multipart: Invalid quoting detected: %s length %d bytes",
+                                log_escape_nq(msr->mp, p), strlen(p));
+                    }
+                    msr->mpd->flag_invalid_quoting = 1;
+                }
+                p++;
+                return -12;
+            }
            p++; /* move over the semi-colon */
        }