94c133a368 (master): [ruby/net-http] Reject CR/LF in multipart field name, filename, and content type


Hiroshi SHIBATA

Jun 9, 2026, 9:51:27 PM
to ruby...@g.ruby-lang.org
Hiroshi SHIBATA 2026-06-10 01:10:24 +0000 (Wed, 10 Jun 2026)

New Revision: 94c133a368

https://github.com/ruby/ruby/commit/94c133a368

Log:
[ruby/net-http] Reject CR/LF in multipart field name, filename, and content type

encode_multipart_form_data interpolated the field name, filename, and
per-part content type into Content-Disposition and Content-Type lines
with only quote_string escaping backslash and double quote, so CR/LF in
any of them could forge part headers and tamper with the request.

Fixes https://github.com/ruby/net-http/issues/195

https://github.com/ruby/net-http/commit/02a962fce2

Co-Authored-By: Claude Fable 5 <nor...@anthropic.com>

Modified files:
lib/net/http/generic_request.rb
test/net/http/test_http.rb
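
As an added illustration of the issue described in the log message (not code from net-http or from the commit; all helper names are hypothetical and the input is constructed), this Ruby example builds a part header block with quote-only escaping, shows how an embedded CR/LF turns one header line into two, and rejects such values before they reach a header line.

```ruby
# Added illustration; helper names are hypothetical, not net-http's API.
CRLF = "\r\n"

# Escape only backslash and double quote, as the log message describes.
def quote_only(str)
  str.to_s.gsub(/[\\"]/) { |c| "\\#{c}" }
end

# Values interpolated after quote escaping only (the behaviour being fixed).
def part_headers_unchecked(name, filename: nil, content_type: nil)
  disp = %(Content-Disposition: form-data; name="#{quote_only(name)}")
  disp += %(; filename="#{quote_only(filename)}") if filename
  lines = [disp]
  lines << "Content-Type: #{content_type}" if content_type
  lines.join(CRLF) + CRLF + CRLF
end

# Hardened form: refuse CR or LF in any value before building the headers.
def part_headers_checked(name, filename: nil, content_type: nil)
  { "field name" => name, "filename" => filename,
    "content type" => content_type }.each do |label, value|
    next if value.nil?
    if value.to_s.match?(/[\r\n]/)
      raise ArgumentError, "multipart #{label} must not contain CR or LF"
    end
  end
  part_headers_unchecked(name, filename: filename, content_type: content_type)
end

# Header lines a receiver sees before the blank line that ends the part headers.
def header_lines(block)
  block.split(CRLF + CRLF, 2).first.split(CRLF)
end

# Constructed sample input: a field name with an embedded CRLF.
SAMPLE_NAME = "note\r\nX-Constructed: 1"
```

Rejecting the value outright, rather than stripping or re-encoding it, keeps the caller from silently sending a different field name than the one it supplied.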