Null bytes in form payloads
Categories
(Core :: DOM: Forms, defect, P3)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox86 | --- | fixed |
People
(Reporter: andreu, Assigned: andreu)
References
Details
Attachments
(1 file)
The WPT pull requests https://github.com/web-platform-tests/wpt/pull/27142 and https://github.com/web-platform-tests/wpt/pull/26740 (which test bug 1686765) also point out a couple differences in the serialization of form payloads across browsers. Firefox in particular trips on null bytes on multipart/form-data and text/plain.
On multipart/form-data, a null byte on the name, filename or string value, ends the name/filename/value there but doesn't affect the rest of the form. Test: https://wpt.fyi/results/FileAPI/file/send-file-form-controls.html?sha=0f74915a04&label=master&max-count=1
On text/plain, however, a null byte anywhere will cut off the rest of the form payload, not just the name, filename or value. Test: https://wpt.fyi/results/html/semantics/forms/form-submission-0/text-plain.window.html?label=pr_head&max-count=1&pr=26740
|
||
Updated•4 years ago
|
|
Assignee | |
Comment 1•4 years ago
|
||
On multipart/form-data payloads, a null byte on the name, filename or string
value cuts off the rest of the name, filename or value. On text/plain
payloads, a null byte anywhere cuts off the rest of the entire payload.
This is because nsLinebreakConverter::ConvertLineBreaks is called without
giving a length parameter, which causes it to treat the input C string as
null-terminated.
The tests for text/plain are under review on WPT:
https://github.com/web-platform-tests/wpt/pull/26740
(https://wpt.fyi/results/html/semantics/forms/form-submission-0/text-plain.window.html?label=pr_head&max-count=1&pr=26740)
|
||
Updated•4 years ago
|
Pushed by opettay@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/6c7f4b2ece67 Fix bugs with null bytes in form payloads. r=smaug
|
||
Comment 3•4 years ago
|
||
| bugherder | ||
Description
•