Accept MIME linear whitespace around filename= parameter in Content-Disposition

jandro996 · jandro996 · commit a46b9fa02f94 · 2026-04-23T12:32:03.000+02:00
Tabs after ';' and optional SP/HT around '=' are valid per MIME and are
delivered by RESTEasy as-is; the previous parser only skipped literal spaces,
so those variants bypassed server.request.body.filenames detection.
diff --git a/dd-java-agent/instrumentation/resteasy/resteasy-appsec-3.0/src/main/java/datadog/trace/instrumentation/resteasy/MultipartHelper.java b/dd-java-agent/instrumentation/resteasy/resteasy-appsec-3.0/src/main/java/datadog/trace/instrumentation/resteasy/MultipartHelper.java
@@ -51,7 +51,12 @@ public static List<String> collectFilenames(MultipartFormDataInput ret) {
     return filenames;
   }
 
-  // Quote-aware: semicolons inside quoted filenames (e.g. filename="a;b.php") are not separators
+  // Quote-aware: semicolons inside quoted filenames (e.g. filename="a;b.php") are not separators.
+  // Outer loop: i advances to each ';' (skipping quoted strings to avoid treating their contents
+  // as delimiters), then past MIME linear whitespace (SP/HT) to the start of the parameter name.
+  // j is a lookahead used only to find '=' after optional whitespace without committing i until
+  // the parameter is confirmed to be "filename"; this avoids confusing "filename*" (RFC 5987) or
+  // other "filename"-prefixed parameter names with the plain "filename" parameter.
   public static String filenameFromContentDisposition(String cd) {
     if (cd == null) return null;
     int i = 0;
@@ -69,24 +74,29 @@ public static String filenameFromContentDisposition(String cd) {
       }
       if (i >= len) break;
       i++;
-      while (i < len && cd.charAt(i) == ' ') i++;
-      if (cd.regionMatches(true, i, "filename=", 0, 9)) {
-        i += 9;
-        if (i >= len) return null;
-        if (cd.charAt(i) == '"') {
-          i++;
-          StringBuilder sb = new StringBuilder();
-          while (i < len && cd.charAt(i) != '"') {
-            if (cd.charAt(i) == '\\' && i + 1 < len) i++; // unescape
-            sb.append(cd.charAt(i++));
+      while (i < len && (cd.charAt(i) == ' ' || cd.charAt(i) == '\t')) i++;
+      if (cd.regionMatches(true, i, "filename", 0, 8)) {
+        int j = i + 8;
+        while (j < len && (cd.charAt(j) == ' ' || cd.charAt(j) == '\t')) j++;
+        if (j < len && cd.charAt(j) == '=') {
+          i = j + 1;
+          while (i < len && (cd.charAt(i) == ' ' || cd.charAt(i) == '\t')) i++;
+          if (i >= len) return null;
+          if (cd.charAt(i) == '"') {
+            i++;
+            StringBuilder sb = new StringBuilder();
+            while (i < len && cd.charAt(i) != '"') {
+              if (cd.charAt(i) == '\\' && i + 1 < len) i++; // unescape
+              sb.append(cd.charAt(i++));
+            }
+            String name = sb.toString();
+            return name.isEmpty() ? null : name;
+          } else {
+            int start = i;
+            while (i < len && cd.charAt(i) != ';') i++;
+            String name = cd.substring(start, i).trim();
+            return name.isEmpty() ? null : name;
           }
-          String name = sb.toString();
-          return name.isEmpty() ? null : name;
-        } else {
-          int start = i;
-          while (i < len && cd.charAt(i) != ';') i++;
-          String name = cd.substring(start, i).trim();
-          return name.isEmpty() ? null : name;
         }
       }
     }
diff --git a/dd-java-agent/instrumentation/resteasy/resteasy-appsec-3.0/src/test/groovy/MultipartHelperTest.groovy b/dd-java-agent/instrumentation/resteasy/resteasy-appsec-3.0/src/test/groovy/MultipartHelperTest.groovy
@@ -70,4 +70,33 @@ class MultipartHelperTest extends Specification {
       'form-data; fileName="report.php"',
     ]
   }
+
+  def "handles MIME linear whitespace (tab) after semicolon"() {
+    expect:
+    MultipartHelper.filenameFromContentDisposition(cd) == expected
+
+    where:
+    cd                                                        | expected
+    'form-data; name="f";\tfilename="evil.php"'              | 'evil.php'
+    'form-data;\tfilename="evil.php"'                        | 'evil.php'
+    'form-data; name="f";\t\tfilename="evil.php"'            | 'evil.php'
+  }
+
+  def "handles optional whitespace around the equals sign"() {
+    expect:
+    MultipartHelper.filenameFromContentDisposition(cd) == expected
+
+    where:
+    cd                                                        | expected
+    'form-data; filename ="report.php"'                      | 'report.php'
+    'form-data; filename= "report.php"'                      | 'report.php'
+    'form-data; filename = "report.php"'                     | 'report.php'
+    'form-data; filename\t=\t"report.php"'                   | 'report.php'
+    'form-data; name="f";\tfilename\t=\t"evil.php"'          | 'evil.php'
+  }
+
+  def "does not match filename* extended parameter as filename"() {
+    expect:
+    MultipartHelper.filenameFromContentDisposition("form-data; filename*=UTF-8''evil.php") == null
+  }
 }
