Closed Bug 442010 Opened 17 years ago Closed 15 years ago

uploading a file with double quote is giving problems: post message injection possible?

Categories

(Core :: Security, defect)

Product:
Core
Component:
Security
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 185863

People

(Reporter: adriaanvk, Unassigned)

References

Details

User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; nl-NL; rv:1.9) Gecko/2008061017 Firefox/3.0 Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; nl-NL; rv:1.9) Gecko/2008061017 Firefox/3.0 when uploading a file using the <input type="file"/> control, i tried to upload a file named: '';"<XSS>=&{()}.txt The response never comes back. When using a sniffer, i see the following shown in the package: Content-Disposition: form-data; name="file"; filename="'';"<XSS>=&{()}.txt" Content-Type: text/plain So, i see that the " is not escaped! Reproducible: Always Steps to Reproduce: 1. upload a file named: '';"<XSS>=&{()}.txt using the html file input control 2. 3. Actual Results: never comes back. Injection possible? Expected Results: double quotes should be escaped and file is uploaded successfully
excuse me, the response comes back, but please check if this is a vuln
Product: Firefox → Core
QA Contact: firefox → toolkit
I can confirm the behavior you are describing, but I am not sure it is a vulnerability so I'll let others comment with their opinion. It is true that uploading a file with special characters can affect the value of the Content-Disposition request header. But a user agent has full control over all the request data anyway. We rely on servers to properly handle the requests they receive. Am I overlooking an attack scenario that you are thinking of? I'm thinking this might be WONTFIX, but I'll let others make that call.
Group: security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Even if the server is somehow vulnerable... If the user is uploading the file, he doesn't need the browser to send a malicious request. And websites cannot upload files, neither can they rename files to create "dangerous" names. Websites can only use XMLHttpRequest to emulate file upload (as long as same-origin policy permits it), but then they have full control over the data being sent anyway. No, I don't see an attack scenario here either. According to RFC822, the quotation marks within the file name should be prepended with a backslash. So this is a valid bug, just not a security issue.
The code in question is nsFSMultipartFormData::AddNameFilePair. The comment there refers to rfc2231 which suggests using URL encoding rather than escaping. So there is no way around testing what other browsers are doing.
Managed to test in Internet Explorer with a manipulated ISO image - file names aren't encoded there either. Both Firefox and Opera reject quotes in file names on Windows (which makes sense, quotes aren't allowed on Windows).
Blocks: 448611
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.