-
-
Notifications
You must be signed in to change notification settings - Fork 671
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
proposal/new requirement - served filename in content-disposition header must follow correct encoding #1390
Comments
I'm commenting because I have been researching this issue. Basically, it is better to conform to the RFC or WHAT WG. WHATWG HTML Spec:
Chrome and Firefox use the URL Encode method. HTTP Clinet and other systems basically used escaping with
Similarly, I have confirmed that
Examples of problematic cases include:
90% of the problems were either a lack of escaping of the Implimentetion example I looked at about 50-80 well-known modules, and about 20% of them retained this vulnerability, |
Perhaps CWE - CWE-838: Inappropriate Encoding for Output Context (4.9) is more relevant. |
As we now have RFC references in requirement texts, we can use it for this one as well. One candidate for CWE is CWE-641 Improper Restriction of Names for Files and Other Resources. There are no good one as the requirement asks validation+sanitization+encoding. |
I have written a report on this issue. Also, I have read some RFCs in broad strokes, but the escaping requirement was not clearly stated.
The format of RFC2616 (obsolete)
RFC6266 (standard)
I reported a same problem to Scala's Web Framework (Playframework), I hope this will be helpful. |
that is interesting @motoyasu-saburi Do you think you could try and formulate a requirement based on the conclusions of your research? |
This was tagged as V5 but my inclination is to keep it as V12 as it is specific to files and V5 is a little overloaded :) @motoyasu-saburi it would be still be cool to get a suggested requirement draft from you :) |
It's not a wording proposal, but just to throw some direction in: |
Sorry I have not been able to make suggestions. Additional materials were prepared late last year and are listed in passing.
I thought the text here was generally good. (In fact, many services were implemented in accordance with the RFC and were vulnerable) |
Proposal for V5 side: |
Why escaped? Typically I suggest we never use the submitted filename and to save files using an internal filename and not a user driven filename. |
My memory is a little fuzzy,
There are quite a few Web services that make requests including file names. Does this answer your question? |
It must be encoded for Also the requirement is not limited here only for request tampering - correct encoding is also needed for the functionality to work correctly in every situation, not only when served filename is taken from user-request directly. |
Since some parts of the story are complicated, we will try to sort it out. Content-Disposition is used in two patterns.
There are two attributes that specify the filename:
As mentioned above, the fact that there may or may not be a standard to refer to makes the requirement very complicated. The fact that Content-Dispotion is used in a variety of situations (Email / HTTP Request / Response) also complicates the situation. |
Double quotes must be sanitized in this situation. Sometimes there are no encloser marks used, which means that it is enough to use Rethinking about it again, I still stand for my previous proposal (#1390 (comment))
We may list here other situations to cover it more cases, but it can be specific here to hilight this one and certain problem. In general we can say, the problem is covered with current requirement 5.3.1 (encoding for |
I did not fully understand the current specifications.
As an addendum, there is the problem that the specifications here are also ambiguous.
|
Previous proposal:
Ok, focus here is the technique to use. Maybe should put the focus to "vector to mitigate" and rephrase it to something like:
(note: that I don't like the line above myself as it requires more work, I just try to put one additional direction to find solution here) |
I like this direction. How about:
Verify that file names served (e.g., in HTTP response headers or email attachments) are properly encoded or sanitized (e.g., following RFC 6266) to preserve document structure and prevent injection attacks.
|
ping @motoyasu-saburi @tghosth @Sjord - any comments or thoughts? |
I agree with this direction myself. |
It is not a mistake - technical input gives an opportunity to validate the requirement, and does it cover all the cases. But we took an approach for the ASVS to put more abstract principles as requirements and leave technical or step-by-step guides to testing guides and cheat sheets. |
I also re-open the section question for the proposed requirement:
|
I like the idea of changing the section to "serving a file". Since this is very focused on file download, I would like to keep this requirement in v12. There are many requirements that fit into many sections. I would like v12 to be as complete as possible to help folks build file upload/download systems instead of having to look to many sections. Or at least have a section at the end of v12 that points to other requirements that are needed for file upload, but I think that is to messy and hard to maintain. |
This looks good to me I think it should stay in V12.5 |
I'll handle the PR for the requirement and opened a separate issue (#2066) for discussing the section title, as there is a bit larger picture to keep in mind. |
Basically, it must follow RFC 6266: "Use of the Content-Disposition Header Field in the Hypertext Transfer Protocol (HTTP)"
https://tools.ietf.org/html/rfc6266#section-5
Proposal (2023-04-29 updated requirement text and added alternative category):
Note:
Content-Disposition
header may be used with attachment or inline, so we can not limit requirement text only for "download file" functionality.Why: if not converted correctly, it may give "header injection" possibility
Something like that (even this one is for mails):
Update:
filename
- only characters from ISO-8859-1 can be used, value bust be sanitizedfilename*
- can be presented in chosen charset (utf-8) and need to be: sanitized + encoded to charset + urlencodedThe text was updated successfully, but these errors were encountered: