Closed
Bug 627967
Opened 13 years ago
Closed 13 years ago
<textarea> tag allows uploading of files due to incorrectly escaped multipart/form-data headers
Categories
(Core :: DOM: Core & HTML, defect)
RESOLVED
DUPLICATE
of bug 448611
People
(Reporter: reed, Assigned: mounir)
Details
(Whiteboard: [sg:moderate])
I just noticed this user's comment never got a response, so I'm filing a separate bug report for it.

mozilla11@mailinator.com writes in bug #619566, comment #9
====================================
I was testing https://addons.mozilla.org/en-US/developers/json/listed-info and it seems that there is a bug in Firefox. It allows simulating file uploads with the <textarea> tag. Example HTML below.

The problem is that Firefox incorrectly escapes multipart/form-data headers.

The example below will send a file to https://addons.mozilla.org/en-US/developers/json/listed-info - this page
a) fortunately checks for sessionCheck, which is individual for every user
b) incorrectly escapes the JSON response (allowing < > tags)

<html>
<body>
<form method=post action=https://addons.mozilla.org/en-US/developers/json/listed-info enctype="multipart/form-data">
<input type=text name="sessionCheck" value=7e14833c316eaca500e5534ea8edd0b9>
<input type=text name="data[Addon][status]" value=6>
<input type=text name="data[Addon][name]" value=A>
<input type=text name="data[Addon][summary]" value=ABC>
<input type=text name="data[Addon][guid]" value=ABC>
<input type=text name="data[Addon][homepage]" value=http://www.google.com>
<input type=text name="data[Addon][addontype_id]" value=1>
<textarea name='file"; filename="ABC.<html><style><body>}]!@#$%^&*()"; Content-Type: text/plain; A="B'>ABC</textarea>
<input type="submit" value='Send "File"' />
</form>
</body>
</html>
=====================================
Comment 1•13 years ago
Uh... What's the issue, exactly? The code above doesn't send a file anywhere, last I checked.
Comment 2•13 years ago
but the server might be fooled into thinking some of the posted data is a file. That means you might be able to use this Firefox problem to CSRF a "file" upload to some server somewhere.
Assignee: nobody → mounir.lamouri
Whiteboard: [sg:moderate]
Comment 3•13 years ago
> but the server might be fooled into thinking some of the posted data is a file.

Uh.... Only if that server is REALLY broken. For the testcase in comment 0, here's what we send on the wire for that last bit:

Content-Disposition: form-data; name="file\"; filename=\"ABC.<html><style><body>}]!@#$%^&*()\"; Content-Type: text/plain; A=\"B"

ABC

(there are no newlines after the "Content-Disposition" bit until the one that comes after the close quote after 'B').

That's exactly the escaping expected for a quoted-string in MIME (plus we replaced the newline with a space, for general sanity). What more are we expected to do here?
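As an added illustration that is not part of this bug's comments, the following Python shows the quoted-string escaping comment 3 describes next to a server-side parser that honours it: the field name is constructed after the comment 0 testcase, and the function names are mine, not Firefox's or any library's.

```python
"""Added example: build a multipart/form-data Content-Disposition header with
MIME quoted-string escaping (as comment 3 says Firefox does), and parse it
the way a correct server should, so a quote in a field name cannot be read
as a separate filename= parameter."""
import re

# Constructed field name, modelled on the <textarea name=...> in comment 0.
HOSTILE_NAME = 'file"; filename="ABC.txt"; Content-Type: text/plain; A="B'


def quote_param(value):
    """Encode a parameter value as a MIME quoted-string: fold CR/LF to a
    space (the 'general sanity' step from comment 3), then backslash-escape
    backslashes and double quotes."""
    value = re.sub(r"[\r\n]+", " ", value)
    value = value.replace("\\", "\\\\").replace('"', '\\"')
    return '"%s"' % value


def content_disposition(name, filename=None):
    """Header line a browser should emit for one form part."""
    parts = ["form-data", "name=%s" % quote_param(name)]
    if filename is not None:
        parts.append("filename=%s" % quote_param(filename))
    return "Content-Disposition: " + "; ".join(parts)


# One parameter: ';' token '=' (quoted-string with \-escapes | bare token)
_PARAM = re.compile(r'\s*;\s*([A-Za-z0-9_-]+)=("(?:[^"\\]|\\.)*"|[^;]*)')


def parse_params(header):
    """Return {param: unescaped value} for a Content-Disposition header,
    treating a quoted-string as one unit even if it contains '; filename='."""
    _, _, value = header.partition(":")
    _, _, rest = value.strip().partition(";")
    params = {}
    for m in _PARAM.finditer(";" + rest):
        key, raw = m.group(1).lower(), m.group(2)
        if raw.startswith('"'):
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])
        params[key] = raw
    return params


def is_file_part(header):
    """Server-side decision: a part is an upload only if a real filename
    parameter survives correct quoted-string parsing."""
    return "filename" in parse_params(header)
```

With proper escaping the hostile name round-trips as a single `name` value and `is_file_part` stays false; only the naive, unescaped header (`name="<raw name>"`) yields a `filename` parameter.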
Comment 4•13 years ago
Oh, I see. I was reading our code and testing on trunk... silly me. Given that this is a dup of a public bug, I think we should open it up. But let me know.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Updated•10 years ago
Group: core-security
Updated•5 years ago
Component: HTML: Form Submission → DOM: Core & HTML