Allow for more robust parsing for multipart header folding. Reported by Sogeti/ESEC R&D (MODSEC-118). Added additional multipart regression tests.

2026-01-14 07:27:09 +03:00 · 2010-02-05 18:11:36 +00:00
parent f33137ea66
commit e6699ca7bf
7 changed files with 1315 additions and 6 deletions
--- a/apache2/msc_multipart.c
+++ b/apache2/msc_multipart.c
@@ -279,12 +279,20 @@ static int multipart_process_part_header(modsec_rec *msr, char **error_msg) {
    } else {
        /* Header line. */

-        if ((msr->mpd->buf[0] == '\t') || (msr->mpd->buf[0] == ' ')) {
+        if (isspace(msr->mpd->buf[0])) {
            char *header_value, *new_value, *data;

            /* header folding, add data to the header we are building */
            msr->mpd->flag_header_folding = 1;

+            /* RFC-2557 states header folding is SP / HTAB, but PHP and
+             * perhaps others will take any whitespace.  So, we accept,
+             * but with a flag set.
+             */
+            if ((msr->mpd->buf[0] != '\t') && (msr->mpd->buf[0] != ' ')) {
+                msr->mpd->flag_invalid_header_folding = 1;
+            }
+
            if (msr->mpd->mpp->last_header_name == NULL) {
                /* we are not building a header at this moment */
                *error_msg = apr_psprintf(msr->mp, "Multipart: Invalid part header (folding error).");
@@ -293,7 +301,15 @@ static int multipart_process_part_header(modsec_rec *msr, char **error_msg) {

            /* locate the beginning of data */
            data = msr->mpd->buf;
-            while((*data == '\t') || (*data == ' ')) data++;
+            while(isspace(*data)) {
+                /* Flag invalid header folding if an invalid RFC-2557 character is used anywhere
+                 * in the folding prefix.
+                 */
+                if ((*data != '\t') && (*data != ' ')) {
+                    msr->mpd->flag_invalid_header_folding = 1;
+                }
+                data++;
+            }

            new_value = apr_pstrdup(msr->mp, data);
            remove_lf_crlf_inplace(new_value);
@@ -879,6 +895,14 @@ int multipart_complete(modsec_rec *msr, char **error_msg) {
        if (msr->mpd->flag_missing_semicolon) {
            msr_log(msr, 4, "Multipart: Warning: missing semicolon in C-T header.");
        }
+
+        if (msr->mpd->flag_invalid_quoting) {
+            msr_log(msr, 4, "Multipart: Warning: invalid quoting used.");
+        }
+
+        if (msr->mpd->flag_invalid_header_folding) {
+            msr_log(msr, 4, "Multipart: Warning: invalid header folding used.");
+        }        
    }

    if ((msr->mpd->seen_data != 0) && (msr->mpd->is_complete == 0)) {