proposal/new requirement - served filename in content-disposition header must follow correct encoding #1390
Comments
I'm commenting because I have been researching this issue. Basically, it is better to conform to the RFC or WHATWG. WHATWG HTML Spec:
Chrome and Firefox use the URL Encode method. HTTP client and other systems basically used escaping with
Similarly, I have confirmed that
Examples of problematic cases include:
90% of the problems were either a lack of escaping or the implementation example. I looked at about 50-80 well-known modules, and about 20% of them retained this vulnerability.
Perhaps CWE - CWE-838: Inappropriate Encoding for Output Context (4.9) is more relevant.
As we now have RFC references in requirement texts, we can use it for this one as well. One candidate for CWE is CWE-641 Improper Restriction of Names for Files and Other Resources. There is no good one, as the requirement asks for validation + sanitization + encoding.
I have written a report on this issue. Also, I have read some RFCs in broad strokes, but the escaping requirement was not clearly stated.
The format of RFC2616 (obsolete)
RFC6266 (standard)
I reported the same problem to Scala's web framework (Play Framework); I hope this will be helpful.
That is interesting, @motoyasu-saburi. Do you think you could try and formulate a requirement based on the conclusions of your research?
Basically, it must follow RFC 6266: "Use of the Content-Disposition Header Field in the Hypertext Transfer Protocol (HTTP)"
https://tools.ietf.org/html/rfc6266#section-5
Proposal (2023-04-29 updated requirement text and added alternative category):
Note: the Content-Disposition header may be used with attachment or inline, so we can not limit requirement text only for "download file" functionality.
Why: if not converted correctly, it may give "header injection" possibility.
Something like that (even this one is for mails):
Update:
filename
- only characters from ISO-8859-1 can be used, value must be sanitized
filename*
- can be presented in chosen charset (utf-8) and needs to be: sanitized + encoded to charset + urlencoded
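Added example (not code from this thread or from the ASVS project): a Python helper that builds the two-parameter form proposed above, sanitizing the name, emitting an ASCII-only `filename` (a stricter subset of the ISO-8859-1 the proposal allows, an assumption of this example) and, for non-ASCII names, an RFC 5987 `filename*=UTF-8''...` parameter.

```python
import unicodedata
from urllib.parse import quote

# attr-char from RFC 5987 section 3.2 that urllib.parse.quote does not already leave unencoded
_ATTR_CHAR_SAFE = "!#$&+^`|"


def sanitize_filename(name: str) -> str:
    """Strip path components, Unicode control/format characters (including CR/LF,
    which would otherwise allow header injection) and leading/trailing dots and spaces."""
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    name = "".join(ch for ch in name if not unicodedata.category(ch).startswith("C"))
    name = name.strip(" .")
    return name or "download"  # never emit an empty or dot-only name


def content_disposition(filename: str, disposition: str = "attachment") -> str:
    """Build a Content-Disposition value with a sanitized ASCII `filename` and,
    when the name contains non-ASCII characters, an RFC 5987 `filename*` parameter."""
    if disposition not in ("attachment", "inline"):
        raise ValueError("disposition must be 'attachment' or 'inline'")
    clean = sanitize_filename(filename)
    # Legacy parameter: printable ASCII only (assumed stricter subset of ISO-8859-1),
    # with backslash and double quote escaped for the quoted-string syntax.
    fallback = "".join(ch if 32 <= ord(ch) < 127 else "_" for ch in clean)
    fallback = fallback.replace("\\", "\\\\").replace('"', '\\"')
    header = f'{disposition}; filename="{fallback}"'
    if any(ord(ch) > 127 for ch in clean):
        # quote() encodes to UTF-8 and percent-encodes everything outside attr-char
        header += "; filename*=UTF-8''" + quote(clean, safe=_ATTR_CHAR_SAFE)
    return header
```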