Headline
CVE-2023-40586: Merge pull request from GHSA-c2pj-v37r-2p6h · corazawaf/coraza@a5239ba
OWASP Coraza WAF is a golang modsecurity compatible web application firewall library. Due to the misuse of log.Fatalf, an application using coraza crashed after receiving crafted requests from attackers: the application would immediately crash after receiving a malicious request that triggers an error in mime.ParseMediaType. This issue was patched in version 3.0.1.
Expand Up @@ -77,3 +77,20 @@ Content-Type: text/html } } }
func TestInvalidMultipartCT(t *testing.T) { payload := strings.TrimSpace(` -----------------------------9051914041544843365972754266 Content-Disposition: form-data; name="text" text default -----------------------------9051914041544843365972754266 `) mp := multipartProcessor(t) v := corazawaf.NewTransactionVariables() if err := mp.ProcessRequest(strings.NewReader(payload), v, plugintypes.BodyProcessorOptions{ Mime: "multipart/form-data; boundary=---------------------------9051914041544843365972754266; a=1; a=2", }); err == nil { t.Error(“multipart processor should fail for invalid content-type”) } }
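Review bot: The assertion at the end of TestInvalidMultipartCT only checks that err is non-nil, so the test would also pass if ProcessRequest rejected the request for an unrelated reason (the body, the boundary) rather than the duplicate `a=1; a=2` parameter in Mime that this regression is about. If the processor wraps the mime.ParseMediaType error with %w, pin the cause with `if !errors.Is(err, mime.ErrInvalidMediaParameter) { t.Errorf("unexpected error: %v", err) }`; if it does not, at least match the message with strings.Contains so the test fails loudly when the rejection moves elsewhere. A short comment above the function would also tell future readers what it guards, e.g. `// TestInvalidMultipartCT checks that a malformed multipart Content-Type is reported as an error to the caller instead of terminating the process.`. The helper multipartProcessor and the earlier tests referenced by the hunk context live outside this hunk.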