Description
This is a report of a problem that I contacted the Ruby maintainer about earlier; the maintainer determined it to be a bug, not a vulnerability.
I found a "multipart/form-data request tampering vulnerability (CRLF injection)" caused by a lack of escaping of `\r\n` in the Content-Disposition filename, in lib > net > http > generic_request > `def encode_multipart_form_data`:
https://github.com/ruby/ruby/blob/master/lib/net/http/generic_request.rb
The method does not escape the filename before placing it in the header.
By exploiting this problem, the following attacks are possible:
- An attack that rewrites the "name" field via a crafted file name, impersonating (overwriting) another field (example: overriding it by generating another Content-Disposition header).
- An attack that rewrites the filename extension at the time the multipart/form-data body is generated, by tampering with the filename.
(Whether these problems are exploitable depends on the server-side implementation that receives and parses the request.)
For example, this vulnerability can be exploited to generate the following Content-Disposition.
Input filename:
inject_crlf.txt;\r\n\r\ninjected_crlf\r\ndummy=".txt
Generated header in multipart/form-data:
Content-Disposition: form-data; name="bar"; filename="inject_crlf.txt;
name="foo"; dummy=".txt"
injected_crlf
dummy=\".txt"
This allows an attacker to add a header such as Content-Type inside the multipart/form-data part, or to append data that is interpreted as the part body.
These problems result in successful or unsuccessful attacks depending on the behavior of the parser receiving the request.
The cause of this problem is the lack of escaping of the `\r` and `\n` characters in the Content-Disposition filename.
The WHATWG HTML spec has an escaping requirement (https://html.spec.whatwg.org/#multipart-form-data):
> For field names and filenames for file fields, the result of the encoding in the previous bullet point must be escaped by replacing any 0x0A (LF) bytes with the byte sequence `%0A`, 0x0D (CR) with `%0D` and 0x22 (") with `%22`. The user agent must not perform any other escapes.
However, the target method implements only `"` escaping and does not escape `\r` and `\n`:
https://github.com/ruby/ruby/blob/master/lib/net/http/generic_request.rb#L329
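As an added illustration (not code from net/http), the following Ruby builds the Content-Disposition line with the WHATWG escaping quoted above and, for comparison, with a quote-only escaper that approximates the behavior the report describes (assumption: it backslash-escapes `"` and leaves CR/LF alone). The `single_header_line?` check is a simple way to verify that a generated header cannot spill into a second line.

```ruby
# Added example, not part of net/http. Escapes a multipart/form-data field
# name or filename per the WHATWG HTML spec: LF -> %0A, CR -> %0D, " -> %22,
# and nothing else.
def whatwg_escape(value)
  value.gsub(/[\r\n"]/, "\r" => "%0D", "\n" => "%0A", '"' => "%22")
end

# Quote-only escaping, an assumed approximation of the behavior the report
# describes: the double quote is backslash-escaped, CR and LF are untouched.
def quote_only_escape(value)
  value.gsub('"', '\"')
end

# Build the Content-Disposition line for a file field using one of the two
# escapers above (:whatwg or :quote_only).
def content_disposition(name, filename, escape: :whatwg)
  esc = escape == :whatwg ? method(:whatwg_escape) : method(:quote_only_escape)
  %(Content-Disposition: form-data; name="#{esc.call(name)}"; filename="#{esc.call(filename)}")
end

# A header value that still contains a raw CR or LF has broken out of its
# line, which is exactly what the crafted filename relies on.
def single_header_line?(header)
  !header.match?(/[\r\n]/)
end

# Constructed input: the crafted filename from the report.
CRLF_FILENAME = "inject_crlf.txt;\r\n\r\ninjected_crlf\r\ndummy=\".txt".freeze

if __FILE__ == $PROGRAM_NAME
  [:quote_only, :whatwg].each do |mode|
    header = content_disposition("bar", CRLF_FILENAME, escape: mode)
    puts "#{mode}: single line? #{single_header_line?(header)}"
    puts header.inspect
  end
end
```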
I have found about 20 similar problems and have written a report, so please refer to it if you have any questions.
Slide (en): https://archive.codeblue.jp/2023/result/pdf/cb23%EF%BD%B0filename-in-content-disposition-is-a-landmine-vulnerability-caused-by-ambiguous-requirements-by-motoyasu-saburi.pdf
Article (en): https://gist.github.com/motoyasu-saburi/1b19ef18e96776fe90ba1b9f910fa714
Article (jp): https://brutalgoblin.hatenablog.jp/entry/2023/01/05/190150