fix(933110): prevent whitespace padding bypass in PHP upload detection#4546
Merged
Conversation
…ection Add t:removeWhitespace transformation to rule 933110 so filenames with whitespace padding (e.g. "photo. php", "photo.php ") are normalized before regex evaluation, preventing evasion of PHP extension detection.
Contributor
|
📊 Quantitative test results for language: |
This was referenced Mar 15, 2026
fzipi
added a commit
that referenced
this pull request
Mar 27, 2026
* chore: pre-release v3.3.8 Signed-off-by: Felipe Zipitria <felipe.zipitria@owasp.org> * docs: update changes Signed-off-by: Felipe Zipitria <felipe.zipitria@owasp.org> * ci: update versions Signed-off-by: Felipe Zipitria <felipe.zipitria@owasp.org> * ci: add pre-commit file Signed-off-by: Felipe Zipitria <felipe.zipitria@owasp.org> * fix: pre-commit fixes Signed-off-by: Felipe Zipitria <felipe.zipitria@owasp.org> * ci: use go-ftw 0.6.4 Signed-off-by: Felipe Zipitria <felipe.zipitria@owasp.org> * fix(932180,933110,933111): prevent whitespace padding bypass in file upload detection Backport upstream fixes from main (#4546, #4547, #4549) that add t:removeWhitespace transformation to file upload detection rules, preventing evasion via whitespace padding in filenames. Rule 944140 (#4548) was not backported as it does not exist in v3.3. * ci(lint): prevent duplicate workflow runs on PRs Restrict push trigger to v3.3/dev and v3.3/master branches so that pull requests only trigger the workflow once via the pull_request event, instead of running both push and pull_request. --------- Signed-off-by: Felipe Zipitria <felipe.zipitria@owasp.org>
fzipi
added a commit
that referenced
this pull request
Mar 28, 2026
* chore: pre-release v3.3.9 (#4576) Signed-off-by: Felipe Zipitria <felipe.zipitria@owasp.org> * fix: backport whitespace padding bypass fixes for 932180, 933110, 933111 Add t:removeWhitespace transformation to rules 932180, 933110, and 933111 to prevent file upload detection bypass via whitespace in filenames. Backport of #4546, #4547, #4549 from main. Rule 944140 (#4548) skipped as it does not exist in v3.3. --------- Signed-off-by: Felipe Zipitria <felipe.zipitria@owasp.org>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
what
t:removeWhitespacetransformation to rule 933110 so filenames with whitespace padding are normalized before regex evaluationwhy
photo. phporphoto.php) because the regex requires the dot to be immediately followed by the extension, and onlyt:lowercaseis appliedphoto.phpcould becomephoto.phpand be executed as PHPrefs