Fix multipart injection (#12104) (#12109)

(cherry picked from commit dab9e87)

Co-authored-by: mingi jung <[email protected]>

Author: Dreamsorcerer

aiohttp/formdata.py

@@ -79,6 +79,11 @@ def add_field(
                 raise TypeError(
                     "content_type must be an instance of str. Got: %s" % content_type
                 )
+            if "\r" in content_type or "\n" in content_type:
+                raise ValueError(
+                    "Newline or carriage return detected in headers. "
+                    "Potential header injection attack."
+                )
             headers[hdrs.CONTENT_TYPE] = content_type
             self._is_multipart = True
         if content_transfer_encoding is not None:

tests/test_formdata.py

@@ -67,12 +67,18 @@ async def test_formdata_textio_charset(buf: bytearray, writer) -> None:
     assert b"\x93\xfa\x96{" in buf
 
 
-def test_invalid_formdata_content_type() -> None:
+@pytest.mark.parametrize("val", (0, 0.1, {}, [], b"foo"))
+def test_invalid_type_formdata_content_type(val: object) -> None:
     form = FormData()
-    invalid_vals = [0, 0.1, {}, [], b"foo"]
-    for invalid_val in invalid_vals:
-        with pytest.raises(TypeError):
-            form.add_field("foo", "bar", content_type=invalid_val)
+    with pytest.raises(TypeError):
+        form.add_field("foo", "bar", content_type=val)  # type: ignore[arg-type]
+
+
+@pytest.mark.parametrize("val", ("\r", "\n", "a\ra\n", "a\na\r"))
+def test_invalid_value_formdata_content_type(val: str) -> None:
+    form = FormData()
+    with pytest.raises(ValueError):
+        form.add_field("foo", "bar", content_type=val)
 
 
 def test_invalid_formdata_filename() -> None: