Null bytes in form payloads
Categories
(Core :: DOM: Forms, defect, P3)
Tracking
()
Tracking | Status | |
---|---|---|
firefox86 | --- | fixed |
People
(Reporter: andreu, Assigned: andreu)
References
Details
Attachments
(1 file)
The WPT pull requests https://github.com/web-platform-tests/wpt/pull/27142 and https://github.com/web-platform-tests/wpt/pull/26740 (which test bug 1686765) also point out a couple differences in the serialization of form payloads across browsers. Firefox in particular trips on null bytes on multipart/form-data
and text/plain
.
On multipart/form-data
, a null byte on the name, filename or string value, ends the name/filename/value there but doesn't affect the rest of the form. Test: https://wpt.fyi/results/FileAPI/file/send-file-form-controls.html?sha=0f74915a04&label=master&max-count=1
On text/plain
, however, a null byte anywhere will cut off the rest of the form payload, not just the name, filename or value. Test: https://wpt.fyi/results/html/semantics/forms/form-submission-0/text-plain.window.html?label=pr_head&max-count=1&pr=26740
Updated•4 years ago
|
Assignee | ||
Comment 1•4 years ago
|
||
On multipart/form-data
payloads, a null byte on the name, filename or string
value cuts off the rest of the name, filename or value. On text/plain
payloads, a null byte anywhere cuts off the rest of the entire payload.
This is because nsLinebreakConverter::ConvertLineBreaks
is called without
giving a length parameter, which causes it to treat the input C string as
null-terminated.
The tests for text/plain
are under review on WPT:
https://github.com/web-platform-tests/wpt/pull/26740
(https://wpt.fyi/results/html/semantics/forms/form-submission-0/text-plain.window.html?label=pr_head&max-count=1&pr=26740)
Updated•4 years ago
|
Pushed by opettay@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/6c7f4b2ece67 Fix bugs with null bytes in form payloads. r=smaug
Comment 3•4 years ago
|
||
bugherder |
Description
•