multipart/form-data name="..." and file="..." values do not properly escape quotes.

RESOLVED DUPLICATE of bug 136676

Firefox
General
9 years ago
7 years ago

People

(Reporter: Timothy Landers, Unassigned)

(Reporter)

Description

9 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.5) Gecko/20091109 Ubuntu/9.10 (karmic) Firefox/3.5.5
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.5) Gecko/20091109 Ubuntu/9.10 (karmic) Firefox/3.5.5

When posting forms using enctype="multipart/form-data" Firefox does not properly escape quotes.

Specs state that quoted strings in headers may contain a single-character escape via '\', e.g.:
"Nested \"quotes\" are possible"
yields:
Nested "quotes" are possible.
 
However, when submitting forms with an enctype of multipart/form-data the field values may contain quotes that are not escaped.

Reproducible: Always

Steps to Reproduce:
1. Create a HTML form and use quotes in a name:
<form method="post" enctype="multipart/form-data" action="test.pl">
  A quoted field name:
  <input type="text" name="This is &quot;quoted&quot;" value="user input"><br>
  Upload a file named (My "quoted" FileName.txt)<br>
  <input type="file" name="UploadedFile"><br>
  <input type="submit">
</form>

2. Submit the Form

3. Examine the improper Content-Disposition: header sent to the server.
Actual Results:  
-------------------------------18432962993847510452656978632
Content-Disposition: form-data; name="This is "quoted""

user input
-------------------------------18432962993847510452656978632
Content-Disposition: form-data; name="Upload"; file="My "quoted" FileName"
Content-Type: text/plain

Sample text inside the file that was uploaded
-------------------------------18432962993847510452656978632--


Expected Results:  
-------------------------------18432962993847510452656978632
Content-Disposition: form-data; name="This is \"quoted\""

user input
-------------------------------18432962993847510452656978632
Content-Disposition: form-data; name="Upload"; file="My \"quoted\" FileName"
Content-Type: text/plain

Sample text inside the file that was uploaded
-------------------------------18432962993847510452656978632--


FIX:
Simply replace each occurrence of " with \" in the field values prior to sending the form.
Eg:
A "quoted" string
becomes:
A \"quoted\" string

WORKAROUND:
The workaround for form names is not to use quotes in the form name, or to use JavaScript to escape the quotes before form submittal.

There is no workaround for users uploading file names that contain quotes, since JavaScript is forbidden from changing the value of file-typed input elements.


EXPLOIT:
It is possible to leverage this lack of quote escaping to craft an input element name that the server will interpret as an upload:
<form method="post" enctype="multipart/form-data" action="test.html">
  Enter text that will be uploaded as a file:
  <textarea name="FakeUpload&quot; file=&quot;Fake.txt">
    This text will be treated as the contents of a
    file upload by any server that doesn't require a
    Content-Type header for uploaded files.
  </textarea><br>
  <input type="submit">
</form>
(Reporter)

Comment 1

9 years ago
Oops!  The fix I proposed doesn't take into consideration the fact that '\' also needs to be escaped...

Revised Escaping process: 
Step 1. Replace each occurrence of \ with \\
Step 2. Replace each occurrence of " with \"
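
The escaping discussed in the description and in Comment 1, as an added example that is not part of the bug report and is not Firefox code. It compares the unescaped header, the quote-only fix and the two-step escaping as seen by a receiver. `parseParams` is a hypothetical lenient server-side parser (an assumption), and the backslash test value is constructed.

```javascript
// Added example, not Firefox code. Helper names are hypothetical.

// Behaviour described in the report: the value is placed between quotes unchanged.
function unescapedParam(key, value) {
  return `${key}="${value}"`;
}

// First proposed fix in the description: escape double quotes only.
function quoteOnlyParam(key, value) {
  return `${key}="${value.replace(/"/g, '\\"')}"`;
}

// Revised process from Comment 1: backslashes first, then double quotes.
function escapedParam(key, value) {
  return `${key}="${value.replace(/\\/g, '\\\\').replace(/"/g, '\\"')}"`;
}

// Hypothetical lenient receiver (assumption): collects every key="quoted-string"
// pair it finds, honouring backslash escapes, without requiring ';' separators.
function parseParams(header) {
  const params = {};
  const pair = /([A-Za-z]+)="((?:\\.|[^"\\])*)"/g;
  for (const m of header.matchAll(pair)) {
    params[m[1]] = m[2].replace(/\\(.)/g, '$1'); // undo the single-character escapes
  }
  return params;
}

function disposition(paramFn, name) {
  return 'Content-Disposition: form-data; ' + paramFn('name', name);
}

const injected = 'FakeUpload" file="Fake.txt'; // field name from the report's EXPLOIT form
const tricky = 'a\\"b';                        // constructed: a, backslash, quote, b

// Unescaped: the receiver sees a second parameter that the page author never declared.
console.log(parseParams(disposition(unescapedParam, injected)));
// Two-step escaping: one parameter, value identical to the original field name.
console.log(parseParams(disposition(escapedParam, injected)));
// Quote-only escaping: the backslash in the value consumes the added escape.
console.log(parseParams(disposition(quoteOnlyParam, tricky)));
// Two-step escaping round-trips the same value.
console.log(parseParams(disposition(escapedParam, tricky)));
```
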

Comment 2

9 years ago
Same issue as bug 136676?
(Reporter)

Comment 3

9 years ago
Yep, this is a duplicate of 136676.  Escaped quotes should be allowed / used in all headers, not just Content-Disposition or Mime headers... even the HTTP headers can have escapes per spec.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 136676