Make the boundary check less strict as per RFC2046

2025-08-13 13:26:01 +03:00 · 2018-11-14 15:25:27 -05:00 · 2018-11-14 15:25:27 -05:00 · b638e523af
commit b638e523af
parent ecad8c6c7e
3 changed files with 71 additions and 34 deletions
--- a/4
+++ b/4
@ -1,7 +1,9 @@
 v3.0.4 - YYYY-MMM-DD (to be released)
 -------------------------------------

- * Fix buffer size for utf8toUnicode transformation 
+ - Make the boundary check less strict as per RFC2046
+   [Issue #1943 - @victorhora, @allanbomsft]
+ - Fix buffer size for utf8toUnicode transformation 
   [Issue #1208 - @katef, @victorhora]


--- a/src/request_body_processor/multipart.cc
+++ b/src/request_body_processor/multipart.cc
@ -158,41 +158,27 @@ int Multipart::boundary_characters_valid(const char *boundary) {
    }

    while ((c = *p) != '\0') {
-        /* Control characters and space not allowed. */
-        if (c < 32) {
+        // Check against allowed list defined in RFC2046 page 22
+        if (!(
+            ('0' <= c && c <= '9')
+            || ('A' <= c && c <= 'Z')
+            || ('a' <= c && c <= 'z')
+            || (c == ' ' && *(p + 1) != '\0') // space allowed, but not as last character
+            || c == '\''
+            || c == '('
+            || c == ')'
+            || c == '+'
+            || c == '_'
+            || c == ','
+            || c == '-'
+            || c == '.'
+            || c == '/'
+            || c == ':'
+            || c == '='
+            || c == '?'
+            )) {
            return 0;
        }
-
-        /* Non-ASCII characters not allowed. */
-        if (c > 126) {
-            return 0;
-        }
-
-        switch (c) {
-            /* Special characters not allowed. */
-            case '(' :
-            case ')' :
-            case '<' :
-            case '>' :
-            case '@' :
-            case ',' :
-            case ';' :
-            case ':' :
-            case '\\' :
-            case '"' :
-            case '/' :
-            case '[' :
-            case ']' :
-            case '?' :
-            case '=' :
-                return 0;
-                break;
-
-            default :
-                /* Do nothing. */
-                break;
-        }
-
        p++;
    }

--- a/test/test-cases/regression/variable-MULTIPART_STRICT_ERROR.json
+++ b/test/test-cases/regression/variable-MULTIPART_STRICT_ERROR.json
@ -293,6 +293,55 @@
      "SecRuleEngine On",
      "SecRule MULTIPART_STRICT_ERROR \"@contains 0\" \"id:1,phase:3,pass,t:trim\""
    ]
+  },
+  {
+    "enabled":1,
+    "version_min":300000,
+    "title":"Testing Variables :: MULTIPART_STRICT_ERROR - RFC2046",
+    "client":{
+      "ip":"200.249.12.31",
+      "port":123
+    },
+    "server":{
+      "ip":"200.249.12.31",
+      "port":80
+    },
+    "request":{
+      "headers":{
+        "Host":"localhost",
+        "User-Agent":"curl/7.38.0",
+        "Accept":"*/*",
+        "Content-Length":"330",
+        "Content-Type":"multipart/form-data; boundary=0123456789AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz '()+_,-./:=?",
+        "Expect":"100-continue"
+      },
+      "uri":"/",
+      "method":"POST",
+      "body":[
+        "--0123456789AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz '()+_,-./:=?",
+        "Content-Disposition: form-data; name=\"name\"",
+        "",
+        "1",
+        "--0123456789AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz '()+_,-./:=?--"
+      ]
+    },
+    "response":{
+      "headers":{
+        "Date":"Mon, 13 Jul 2015 20:02:41 GMT",
+        "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
+        "Content-Type":"text/html"
+      },
+      "body":[
+        "no need."
+      ]
+    },
+    "expected":{
+      "debug_log":"Target value: \"0\" \\(Variable: REQBODY_ERROR\\)"
+    },
+    "rules":[
+      "SecRuleEngine On",
+      "SecRule REQBODY_ERROR \"@contains 0\" \"id:1,phase:3,pass,t:trim\""
+    ]
  }
 ]