lua-resty-upload
Support optional compatibility to LF as line break
Many (if not all) mainstream web servers, Apache (mod_upload) and Nginx (upload module) for instance, are compatible with requests that use LF as the line break:
https://github.com/Austinb/nginx-upload-module/blob/2.2/ngx_http_upload_module.c#L4123
https://github.com/Austinb/nginx-upload-module/blob/2.2/ngx_http_upload_module.c#L4051
http://apache.webthing.com/mod_upload/mod_upload.c L304
Would it be necessary for the resty-upload module to support this too? Maybe an optional feature and closed by default?
To illustrate when it matters: a WAF may want to filter multipart forms and use lua-resty-upload, where a malicious request can bypass its check for headers:
POST /submit.php HTTP/1.1
Host: target.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary6GpaBUxso7BnIrnA
Headers-Dont-Matter: it doesnt matter

------WebKitFormBoundary6GpaBUxso7BnIrnA
Content-Type: text/plain
Content-Disposition: form-data; name="something"; filename="doesnt_matter"
[LF rather than CRLF this line]
------WebKitFormBoundary6GpaBUxso7BnIrnA[LF rather than CRLF this line]
Content-Disposition: form-data; name="webshell.php"

malicious script here
------WebKitFormBoundary6GpaBUxso7BnIrnA--
From the WAF's point of view, below is a single line:
[LF rather than CRLF this line]
------WebKitFormBoundary6GpaBUxso7BnIrnA[LF rather than CRLF this line]
Content-Disposition: form-data; name="webshell.php"
Therefore the boundary is missing and the second uploaded file (including its headers) is seen as part of the first file's body, and the protected server still sees it as two files.
We can make up more methods to bypass the WAF based on this.
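The parser differential described in this issue, as an added example that is not part of the original post and is not lua-resty-upload code: it lists the form parts a CRLF-only parser sees next to those an LF-tolerant parser sees, and flags a body on which they disagree. The function names, the boundary and both sample bodies are constructed for illustration.

```python
import re

DISPOSITION = re.compile(rb'(?i)content-disposition:.*?[;\s]name="([^"]*)"')

def field_names(body: bytes, boundary: bytes, lf_ok: bool) -> list:
    """Part names seen by a CRLF-only parser (lf_ok=False) or by a parser
    that also accepts a bare LF as line break (lf_ok=True)."""
    nl = rb"\r?\n" if lf_ok else rb"\r\n"
    delim = re.compile(nl + b"--" + re.escape(boundary))
    names = []
    # Prepend CRLF so the first delimiter matches like every later one.
    for piece in delim.split(b"\r\n" + body)[1:]:
        if piece.startswith(b"--"):        # closing delimiter
            break
        if not re.match(nl, piece):        # delimiter line not terminated
            continue
        # Header block runs up to the first empty line of this part.
        head = re.split(nl + nl, piece, maxsplit=1)[0]
        name = None
        for line in re.split(nl, head):
            m = DISPOSITION.match(line)    # anchored at the start of the line
            if m:
                name = m.group(1).decode("latin-1")
        names.append(name)
    return names

def framing_differential(body: bytes, boundary: bytes) -> bool:
    """True when a CRLF-only inspector and an LF-tolerant backend would
    disagree about the parts in this body; a WAF can reject such requests."""
    return field_names(body, boundary, False) != field_names(body, boundary, True)

# Constructed sample data (benign content, hypothetical boundary).
BOUNDARY = b"----ExampleBoundary"
D = b"--" + BOUNDARY
CLEAN = (D + b'\r\nContent-Disposition: form-data; name="a"\r\n\r\none\r\n'
         + D + b'\r\nContent-Disposition: form-data; name="b"\r\n\r\ntwo\r\n'
         + D + b"--\r\n")
MIXED = (D + b"\r\nContent-Type: text/plain\r\n"
         b'Content-Disposition: form-data; name="something"; filename="x"\r\n'
         b"\n"                             # bare LF instead of CRLF
         + D + b"\n"                       # bare LF after the delimiter
         b'Content-Disposition: form-data; name="second"\r\n\r\npayload\r\n'
         + D + b"--\r\n")

if __name__ == "__main__":
    for label, body in (("clean", CLEAN), ("mixed", MIXED)):
        print(label, field_names(body, BOUNDARY, False),
              field_names(body, BOUNDARY, True), framing_differential(body, BOUNDARY))
```

Rejecting any request for which `framing_differential` is true closes the gap without needing to know which interpretation the backend uses.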