ADVISORIES
GEM
SEVERITY
CVSS v3.x: 6.5 (Medium)
PATCHED VERSIONS
- >= 0.21.0
DESCRIPTION
"multipart/form-data request tampering vulnerability" caused by Content-Disposition "filename" lack of escaping in httparty.
httparty/lib/httparty/request
> body.rb
> def generate_multipart
https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43
By exploiting this problem, the following attacks are possible
- An attack that rewrites the \"name\" field according to the crafted file name, impersonating (overwriting) another field.
- Attacks that rewrite the filename extension at the time multipart/form-data is generated by tampering with the filename.
RELATED
- https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42
- https://github.com/jnunemaker/httparty/commit/cdb45a678c43e44570b4e73f84b1abeb5ec22b8e
- https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43
- https://bugzilla.mozilla.org/show_bug.cgi?id=1556711