Cypherpunks repositories - gostls13.git/commit

author	Damien Neil <dneil@google.com>
	Thu, 25 Sep 2025 20:24:01 +0000 (13:24 -0700)
committer	Gopher Robot <gobot@golang.org>
	Fri, 26 Sep 2025 16:04:26 +0000 (09:04 -0700)
commit	41cba31e66c979c413a4368c4f3d82ebadf0fb5b
tree	3abb3516fe8d1e510307387bfd0fd69b8a892e78	tree
parent	dd1d597c3ac049de7865a9cb98627fde0baacc69	commit \| diff

mime/multipart: percent-encode CR and LF in header values to avoid CRLF injection

When provided with a field or file name containing newlines,
multipart.FileContentDisposition and other header-producing functions
could create an invalid header value.

In some scenarios, this could permit a malicious input to perform
a CRLF injection attack:

  field := "field"
  evilFile := "name\"\r\nEvil-Header: \"evil"
  fmt.Printf("Content-Disposition: %v\r\n", multipart.FileContentDisposition(field, evilFile))
  // Prints:
  // Content-Disposition: form-data; name="field"; filename="name"
  // Evil-Header: "evil"

Percent-endode \r and \n characters in headers, as recommended by
https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#multipart/form-data-encoding-algorithm

The above algorithm also recommends using percent-encoding for quotes,
but preserve the existing backslash-escape behavior for now.
Empirically, browsers understand backslash-escape in attribute values.

Fixes #75557

Change-Id: Ia203df6ef45a098070f3ebb17f9b6cf80c520ed4
Reviewed-on: https://go-review.googlesource.com/c/go/+/706677
Auto-Submit: Damien Neil <dneil@google.com>
Reviewed-by: Nicholas Husin <nsh@golang.org>
Reviewed-by: Nicholas Husin <husin@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

src/mime/multipart/writer.go		diff \| blob \| history
src/mime/multipart/writer_test.go		diff \| blob \| history