Reject MIME parts with unsupported encoding (!78699) · Merge requests · GitLab.org / GitLab

Vasilii Iakliushin requested to merge 340366_fix_workhorse_content_disposition_2 into master Jan 20, 2022

What does this MR do and why?

Contributes to #340366

Based of previously reverted - !77688 (merged)

Problem

Golang mime package skips processing unsupported encodings (see https://sourcegraph.com/github.com/golang/go@0fd0639e4c429e147d33bfc42654fcd651f4449f/-/blob/src/mime/mediatype.go?L247).

Because of that workhorse does not incercept the upload and skip sanitization for filename value.

Solution

Sanitize "Content-Disposition" header

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

I have evaluated the MR acceptance checklist for this MR.

Edited Feb 04, 2022 by Vasilii Iakliushin

Reject MIME parts with unsupported encoding

What does this MR do and why?

MR acceptance checklist

Merge request reports