[PR #147] fix: multipart parsing for HTTP/2 support in ClamAV plugin #145

New issue

Open

opened 2026-03-02 03:00:09 +03:00 by kerem · 0 comments

kerem commented 2026-03-02 03:00:09 +03:00

Owner

Copy link

📋 Pull Request Information

Original PR: https://github.com/bunkerity/bunkerweb-plugins/pull/147
Author: @rayshoo
Created: 6/23/2025
Status: 🔄 Open

Base: main ← Head: main

---

📝 Commits (1)

• f2ef5e4 fix: multipart parsing for HTTP/2 support in ClamAV plugin

📊 Changes

1 file changed (+262 additions, -283 deletions)

View changed files

📝 clamav/clamav.lua (+262 -283)

📄 Description

Description

This PR improves the ClamAV plugin's multipart form-data parsing to properly support HTTP/2 requests. The original implementation had issues parsing multipart data in HTTP/2 environments, causing file uploads to bypass ClamAV scanning.

Changes Made

• Enhanced boundary extraction: Improved parsing of Content-Type header to handle quoted and unquoted boundary values
• Fixed multipart parsing logic: Completely rewrote the multipart parsing function to properly handle HTTP/2 multipart data structure
• Better section splitting: Used exact string matching instead of regex patterns for more reliable boundary detection
• Improved header/data separation: Enhanced logic to separate headers from file data in each multipart section
• Robust filename extraction: Better parsing of Content-Disposition headers to extract filenames accurately

Technical Details

I modified the code to support HTTP/2 because the original multipart parsing wasn't working properly. Since I'm not very familiar with Lua code, I got help from ChatGPT and Claude AI to implement these improvements. The updated code has been thoroughly tested and works excellently.

Testing

• ✅ Tested with HTTP/2 multipart file uploads
• ✅ Successfully detects and scans files with ClamAV
• ✅ Properly blocks malware (tested with EICAR test file)
• ✅ Allows clean files to pass through
• ✅ Maintains backward compatibility with HTTP/1.1

Impact

This fix ensures that file uploads via HTTP/2 are properly scanned by ClamAV, closing a potential security gap where malicious files could bypass antivirus scanning in HTTP/2 environments.

---

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/bunkerity/bunkerweb-plugins/pull/147 **Author:** [@rayshoo](https://github.com/rayshoo) **Created:** 6/23/2025 **Status:** 🔄 Open **Base:** `main` ← **Head:** `main` --- ### 📝 Commits (1) - [`f2ef5e4`](https://github.com/bunkerity/bunkerweb-plugins/commit/f2ef5e4d232f175f695e7f13d84a922bcf4b90e4) fix: multipart parsing for HTTP/2 support in ClamAV plugin ### 📊 Changes **1 file changed** (+262 additions, -283 deletions) <details> <summary>View changed files</summary> 📝 `clamav/clamav.lua` (+262 -283) </details> ### 📄 Description ## Description This PR improves the ClamAV plugin's multipart form-data parsing to properly support HTTP/2 requests. The original implementation had issues parsing multipart data in HTTP/2 environments, causing file uploads to bypass ClamAV scanning. ## Changes Made - **Enhanced boundary extraction**: Improved parsing of Content-Type header to handle quoted and unquoted boundary values - **Fixed multipart parsing logic**: Completely rewrote the multipart parsing function to properly handle HTTP/2 multipart data structure - **Better section splitting**: Used exact string matching instead of regex patterns for more reliable boundary detection - **Improved header/data separation**: Enhanced logic to separate headers from file data in each multipart section - **Robust filename extraction**: Better parsing of Content-Disposition headers to extract filenames accurately ## Technical Details I modified the code to support HTTP/2 because the original multipart parsing wasn't working properly. Since I'm not very familiar with Lua code, I got help from ChatGPT and Claude AI to implement these improvements. The updated code has been thoroughly tested and works excellently. ## Testing - ✅ Tested with HTTP/2 multipart file uploads - ✅ Successfully detects and scans files with ClamAV - ✅ Properly blocks malware (tested with EICAR test file) - ✅ Allows clean files to pass through - ✅ Maintains backward compatibility with HTTP/1.1 ## Impact This fix ensures that file uploads via HTTP/2 are properly scanned by ClamAV, closing a potential security gap where malicious files could bypass antivirus scanning in HTTP/2 environments. --- _{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

kerem added the

pull-request

label 2026-03-02 03:00:09 +03:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

dev

dependabot/docker/coraza/api/dev/golang-1.26-alpine

dependabot/github_actions/dev/github/codeql-action-4.32.2

dependabot/github_actions/dev/docker/login-action-3.7.0

dependabot/github_actions/dev/actions/checkout-6.0.2

dependabot/go_modules/coraza/api/dev/github.com/corazawaf/coraza/v3-3.3.3

v1.10

v1.9

v1.8

v1.7

v1.6

v1.5

v1.4

v1.3

v1.2

v1.1

v1.0

v0.2

Labels

Clear labels   

bug

  

bug

  

clamav

  

crowdsec

  

documentation

  

enhancement

  

enhancement

  

enhancement

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

virustotal

  

virustotal

No labels

bug

bug

clamav

crowdsec

documentation

enhancement

enhancement

enhancement

pull-request

question

virustotal

virustotal

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/bunkerweb-plugins#145

No description provided.