Sends filename validation doesn't work with forward slashes #204

New Issue

Closed

opened 2025-10-09 16:17:40 +03:00 by OVERLORD · 14 comments

OVERLORD commented 2025-10-09 16:17:40 +03:00

Owner

Copy Link

Originally created by @KyleKaniecki on GitHub.

Vaultwarden Support String

Your environment (Generated via diagnostics page)

• Vaultwarden version: v1.33.2
• Web-vault version: v2025.1.1
• OS/Arch: linux/x86_64
• Running within a container: true (Base: Debian)
• Database type: PostgreSQL
• Database version: PostgreSQL 16.2 (Debian 16.2-1.pgdg110+2) on x86_64-pc-linux-gnu, compiled by gcc (Debian 10.2.1-6) 10.2.1 20210110, 64-bit
• Environment settings overridden!: false
• Uses a reverse proxy: true
• IP Header check: true (X-Real-IP)
• Internet access: true
• Internet access via a proxy: false
• DNS Check: true
• Browser/Server Time Check: true
• Server/NTP Time Check: true
• Domain Configuration Check: false
• HTTPS Check: true
• Websocket Check: true
• HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "/data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "/data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "**********://***************************************************************************************************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://**************************",
  "domain_origin": "*****://**************************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "fido2-vault-credentials",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "/data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": "/data/bitwarden.log",
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "/data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "/data/sends",
  "show_password_hint": false,
  "signups_allowed": true,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "*************************",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "**********************************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": true,
  "smtp_timeout": 15,
  "smtp_username": "********************",
  "templates_folder": "/data/templates",
  "tmp_folder": "/data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

v1.33.2

Deployment method

Official Container Image

Custom deployment method

Deployed on a self-hosted kube cluster

Reverse Proxy

traefik v2

Host/Server Operating System

Linux

Operating System Version

Debian 12

Clients

Browser Extension, CLI

Client Version

cli 2025.1.3

Steps To Reproduce

1. Download the official bw cli using npm
2. Generate a send template using bw send template send.file
3. Fill out the appropriate information, and base64 the content. echo '<json>' | base64
4. Attempt to create the send using the base64 content. bw send create <base64content>

Expected Result

I expect the server to accept send file names who's base64 version contains forward slashes

Actual Result

The server incorrectly parses the send filename, splitting by forward slashes instead of taking the entire filename and doing the comparison

I believe the issue stems from this block

Logs

[2025-02-18 16:17:40.928][request][INFO] POST /api/sends/63a7e61c-fee9-412d-a36b-4f048d9cfc3f/file/42bbbb45d59f4eb969fd6624edb68a96706abd245b4137c6aaa1bd36b6e487bb                                                                                                                         
[2025-02-18 16:17:40.930][vaultwarden::api::core::sends][ERROR] Send file name does not match.. Expected file name '2.kLTgmxWNNuJPW6tHeCUhkg==|tu6a27kerdUKMbpjbbuixw==|/yhE62kV2ee+Wu2UnKROhoDHgildtG9adaJgM2Cc7Yo=' got 'yhE62kV2ee+Wu2UnKROhoDHgildtG9adaJgM2Cc7Yo='                     
[2025-02-18 16:17:40.930][response][INFO] (post_send_file_v2_data) POST /api/sends/<send_id>/file/<file_id> multipart/form-data => 400 Bad Request                                                                                                                                          
[2025-02-18 16:17:40.947][request][INFO] DELETE /api/sends/63a7e61c-fee9-412d-a36b-4f048d9cfc3f                                                                                                                                                                                             
[2025-02-18 16:17:40.951][response][INFO] (delete_send) DELETE /api/sends/<send_id> => 200 OK                                                                                                                                                                                               
[2025-02-18 16:17:43.116][request][INFO] POST /api/sends/file/v2                                                                                                                                                                                                                            
[2025-02-18 16:17:43.120][response][INFO] (post_send_file_v2) POST /api/sends/file/v2 => 200 OK                                                                                                                                                                                             
[2025-02-18 16:17:43.140][request][INFO] POST /api/sends/8b062172-10bc-4a21-af64-83cd281cba2f/file/91772abbe53c79502425770b0a02d17844e428fabea0515c901862dfd167c323                                                                                                                         
[2025-02-18 16:17:43.144][response][INFO] (post_send_file_v2_data) POST /api/sends/<send_id>/file/<file_id> multipart/form-data => 200 OK                                                                                                                                                   
[2025-02-18 16:17:45.343][request][INFO] POST /api/sends/file/v2                                                                                                                                                                                                                            
[2025-02-18 16:17:45.347][response][INFO] (post_send_file_v2) POST /api/sends/file/v2 => 200 OK                                                                                                                                                                                             
[2025-02-18 16:17:45.366][request][INFO] POST /api/sends/c6d60d46-146b-46c1-864a-d60bbf2e23e9/file/f0973e31c0a0540947d502c9a63b8e64c7f1e94ac1e21e319c3d1ffc5ed15a03                                                                                                                         
[2025-02-18 16:17:45.370][response][INFO] (post_send_file_v2_data) POST /api/sends/<send_id>/file/<file_id> multipart/form-data => 200 OK                                                                                                                                                   
[2025-02-18 16:17:47.607][request][INFO] POST /api/sends/file/v2                                                                                                                                                                                                                            
[2025-02-18 16:17:47.611][response][INFO] (post_send_file_v2) POST /api/sends/file/v2 => 200 OK                                                                                                                                                                                             
[2025-02-18 16:17:47.631][request][INFO] POST /api/sends/e1af9bf9-bc4e-4586-8240-04d15588ee44/file/25aaaaf11b2cdca1ef994f80d16d01663c1df94cd0b5f9a25a727a3a7dd4f264                                                                                                                         
[2025-02-18 16:17:47.633][vaultwarden::api::core::sends][ERROR] Send file name does not match.. Expected file name '2.RDe95xSSokrvl14qVCgygA==|ge32Hl/YVs9FwarSpcXK+lydn7+gWz5VunUvn92PNvQ=|7F5/j3m+8eblxkGlqBeqspiKMGC06YHBSJ/sE0CSqgo=' got 'sE0CSqgo='                                   
[2025-02-18 16:17:47.633][response][INFO] (post_send_file_v2_data) POST /api/sends/<send_id>/file/<file_id> multipart/form-data => 400 Bad Request                                                                                                                                          
[2025-02-18 16:17:47.650][request][INFO] DELETE /api/sends/e1af9bf9-bc4e-4586-8240-04d15588ee44                                                                                                                                                                                             
[2025-02-18 16:17:47.653][response][INFO] (delete_send) DELETE /api/sends/<send_id> => 200 OK                                                                                                                                                                                               
[2025-02-18 16:17:49.841][request][INFO] POST /api/sends/file/v2                                                                                                                                                                                                                            
[2025-02-18 16:17:49.845][response][INFO] (post_send_file_v2) POST /api/sends/file/v2 => 200 OK                                                                                                                                                                                             
[2025-02-18 16:17:49.866][request][INFO] POST /api/sends/93bea7f0-1208-463e-a392-5cfed755a17c/file/7dd9290e1c7d72b0a0bc703b769c55a0a16b7b830d6f443bb2f287f6e899be84                                                                                                                         
[2025-02-18 16:17:49.868][vaultwarden::api::core::sends][ERROR] Send file name does not match.. Expected file name '2.JTf0ESsdIWUje3iV9OecTw==|XCNFOP1P7/OfmeRkEVipp2rMfN5HglW81aVt04UzcSk=|LqEwNiZRU8fG8TFo/cGAcEdOG74vArCywhGKx4t4Y+w=' got 'cGAcEdOG74vArCywhGKx4t4Y+w='                 
[2025-02-18 16:17:49.868][response][INFO] (post_send_file_v2_data) POST /api/sends/<send_id>/file/<file_id> multipart/form-data => 400 Bad Request                                                                                                                                          
[2025-02-18 16:17:49.883][request][INFO] DELETE /api/sends/93bea7f0-1208-463e-a392-5cfed755a17c                                                                                                                                                                                             
[2025-02-18 16:17:49.887][response][INFO] (delete_send) DELETE /api/sends/<send_id> => 200 OK                                                                                                                                                                                               
[2025-02-18 16:17:52.058][request][INFO] POST /api/sends/file/v2                                                                                                                                                                                                                            
[2025-02-18 16:17:52.065][response][INFO] (post_send_file_v2) POST /api/sends/file/v2 => 200 OK                                                                                                                                                                                             
[2025-02-18 16:17:52.086][request][INFO] POST /api/sends/a55fe284-c514-4eb7-8090-66af49450a03/file/fcc8449e1856b3a8805e95fe772b5e87f245a3c6e36cc86b817a839c2d7206d6                                                                                                                         
[2025-02-18 16:17:52.088][vaultwarden::api::core::sends][ERROR] Send file name does not match.. Expected file name '2.Hyo8v/nLjGjnRICfZoev8A==|LqrCQQv4P1yBwgFfw6aNpzm912Zo6b2OazGFs2Oo0/4=|VC7g+uKcoVSYPG64wf/YiteFSmc3zWB0zEHGwCtAPHs=' got 'YiteFSmc3zWB0zEHGwCtAPHs='                   
[2025-02-18 16:17:52.088][response][INFO] (post_send_file_v2_data) POST /api/sends/<send_id>/file/<file_id> multipart/form-data => 400 Bad Request                                                                                                                                          
[2025-02-18 16:17:52.105][request][INFO] DELETE /api/sends/a55fe284-c514-4eb7-8090-66af49450a03                                                                                                                                                                                             
[2025-02-18 16:17:52.109][response][INFO] (delete_send) DELETE /api/sends/<send_id> => 200 OK                                                                                                                                                                                               
[2025-02-18 16:17:54.265][request][INFO] POST /api/sends/file/v2                                                                                                                                                                                                                            
[2025-02-18 16:17:54.269][response][INFO] (post_send_file_v2) POST /api/sends/file/v2 => 200 OK                                                                                                                                                                                             
[2025-02-18 16:17:54.290][request][INFO] POST /api/sends/ebeb01d1-b541-4a93-b645-f2e425d4519f/file/9c7a8a870cd8e1ab84c0b45cdadf387f5f0d02bbe7ac5a282f725eb05fc28b2b                                                                                                                         
[2025-02-18 16:17:54.294][response][INFO] (post_send_file_v2_data) POST /api/sends/<send_id>/file/<file_id> multipart/form-data => 200 OK                                                                                                                                                   
[2025-02-18 16:17:56.496][request][INFO] POST /api/sends/file/v2                                                                                                                                                                                                                            
[2025-02-18 16:17:56.500][response][INFO] (post_send_file_v2) POST /api/sends/file/v2 => 200 OK                                                                                                                                                                                             
[2025-02-18 16:17:56.521][request][INFO] POST /api/sends/c30e904b-8fd5-4b74-b35e-9fd57dbf3900/file/59b36ff1699c880907504f821f3fb8f5a0a79199efe73e73663f09041f48423c                                                                                                                         
[2025-02-18 16:17:56.523][vaultwarden::api::core::sends][ERROR] Send file name does not match.. Expected file name '2.GE05eOGFOq3HmWa+E1PjJw==|x10OUc4nIrKVLAohur6HlA==|bJe/mPXL9PVpj9JBj5xKZSjwsnyuxfv3udnYFdQVImA=' got 'mPXL9PVpj9JBj5xKZSjwsnyuxfv3udnYFdQVImA='                        
[2025-02-18 16:17:56.523][response][INFO] (post_send_file_v2_data) POST /api/sends/<send_id>/file/<file_id> multipart/form-data => 400 Bad Request                                                                                                                                          
[2025-02-18 16:17:56.540][request][INFO] DELETE /api/sends/c30e904b-8fd5-4b74-b35e-9fd57dbf3900                                                                                                                                                                                             
[2025-02-18 16:17:56.544][response][INFO] (delete_send) DELETE /api/sends/<send_id> => 200 OK

Screenshots or Videos

No response

Additional Context

My usecase is I often have to send many files to team members within my organization, and use python + the bitwarden cli to do so. This makes that almost impossible without manual intervention

Originally created by @KyleKaniecki on GitHub. ### Vaultwarden Support String ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.33.2 * Web-vault version: v2025.1.1 * OS/Arch: linux/x86_64 * Running within a container: true (Base: Debian) * Database type: PostgreSQL * Database version: PostgreSQL 16.2 (Debian 16.2-1.pgdg110+2) on x86_64-pc-linux-gnu, compiled by gcc (Debian 10.2.1-6) 10.2.1 20210110, 64-bit * Environment settings overridden!: false * Uses a reverse proxy: true * IP Header check: true (X-Real-IP) * Internet access: true * Internet access via a proxy: false * DNS Check: true * Browser/Server Time Check: true * Server/NTP Time Check: true * Domain Configuration Check: false * HTTPS Check: true * Websocket Check: true * HTTP Response Checks: true ### Config & Details (Generated via diagnostics page) <details><summary>Show Config & Details</summary> **Config:** ```json { "_duo_akey": null, "_enable_duo": true, "_enable_email_2fa": true, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "***:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_connect_src": "", "allowed_iframe_ancestors": "", "attachments_folder": "/data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "/data", "database_conn_init": "", "database_max_conns": 10, "database_timeout": 30, "database_url": "**********://***************************************************************************************************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "domain": "*****://**************************", "domain_origin": "*****://**************************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "fido2-vault-credentials", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "/data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "Vaultwarden", "invitations_allowed": true, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": "/data/bitwarden.log", "log_level": "info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "", "org_events_enabled": false, "org_groups_enabled": false, "password_hints_allowed": true, "password_iterations": 600000, "push_enabled": false, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "/data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "/data/sends", "show_password_hint": false, "signups_allowed": true, "signups_domains_whitelist": "", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "*************************", "smtp_from_name": "Vaultwarden", "smtp_host": "**********************************", "smtp_password": "***", "smtp_port": 587, "smtp_security": "starttls", "smtp_ssl": true, "smtp_timeout": 15, "smtp_username": "********************", "templates_folder": "/data/templates", "tmp_folder": "/data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ``` </details> ### Vaultwarden Build Version v1.33.2 ### Deployment method Official Container Image ### Custom deployment method Deployed on a self-hosted kube cluster ### Reverse Proxy traefik v2 ### Host/Server Operating System Linux ### Operating System Version Debian 12 ### Clients Browser Extension, CLI ### Client Version cli 2025.1.3 ### Steps To Reproduce 1. Download the official bw cli using npm 2. Generate a send template using `bw send template send.file` 3. Fill out the appropriate information, and base64 the content. `echo '<json>' | base64` 4. Attempt to create the send using the base64 content. `bw send create <base64content>` ### Expected Result I expect the server to accept send file names who's base64 version contains forward slashes ### Actual Result The server incorrectly parses the send filename, splitting by forward slashes instead of taking the entire filename and doing the comparison I believe the issue stems from [this block](https://github.com/dani-garcia/vaultwarden/blob/main/src/api/core/sends.rs#L380) ### Logs ```text [2025-02-18 16:17:40.928][request][INFO] POST /api/sends/63a7e61c-fee9-412d-a36b-4f048d9cfc3f/file/42bbbb45d59f4eb969fd6624edb68a96706abd245b4137c6aaa1bd36b6e487bb [2025-02-18 16:17:40.930][vaultwarden::api::core::sends][ERROR] Send file name does not match.. Expected file name '2.kLTgmxWNNuJPW6tHeCUhkg==|tu6a27kerdUKMbpjbbuixw==|/yhE62kV2ee+Wu2UnKROhoDHgildtG9adaJgM2Cc7Yo=' got 'yhE62kV2ee+Wu2UnKROhoDHgildtG9adaJgM2Cc7Yo=' [2025-02-18 16:17:40.930][response][INFO] (post_send_file_v2_data) POST /api/sends/<send_id>/file/<file_id> multipart/form-data => 400 Bad Request [2025-02-18 16:17:40.947][request][INFO] DELETE /api/sends/63a7e61c-fee9-412d-a36b-4f048d9cfc3f [2025-02-18 16:17:40.951][response][INFO] (delete_send) DELETE /api/sends/<send_id> => 200 OK [2025-02-18 16:17:43.116][request][INFO] POST /api/sends/file/v2 [2025-02-18 16:17:43.120][response][INFO] (post_send_file_v2) POST /api/sends/file/v2 => 200 OK [2025-02-18 16:17:43.140][request][INFO] POST /api/sends/8b062172-10bc-4a21-af64-83cd281cba2f/file/91772abbe53c79502425770b0a02d17844e428fabea0515c901862dfd167c323 [2025-02-18 16:17:43.144][response][INFO] (post_send_file_v2_data) POST /api/sends/<send_id>/file/<file_id> multipart/form-data => 200 OK [2025-02-18 16:17:45.343][request][INFO] POST /api/sends/file/v2 [2025-02-18 16:17:45.347][response][INFO] (post_send_file_v2) POST /api/sends/file/v2 => 200 OK [2025-02-18 16:17:45.366][request][INFO] POST /api/sends/c6d60d46-146b-46c1-864a-d60bbf2e23e9/file/f0973e31c0a0540947d502c9a63b8e64c7f1e94ac1e21e319c3d1ffc5ed15a03 [2025-02-18 16:17:45.370][response][INFO] (post_send_file_v2_data) POST /api/sends/<send_id>/file/<file_id> multipart/form-data => 200 OK [2025-02-18 16:17:47.607][request][INFO] POST /api/sends/file/v2 [2025-02-18 16:17:47.611][response][INFO] (post_send_file_v2) POST /api/sends/file/v2 => 200 OK [2025-02-18 16:17:47.631][request][INFO] POST /api/sends/e1af9bf9-bc4e-4586-8240-04d15588ee44/file/25aaaaf11b2cdca1ef994f80d16d01663c1df94cd0b5f9a25a727a3a7dd4f264 [2025-02-18 16:17:47.633][vaultwarden::api::core::sends][ERROR] Send file name does not match.. Expected file name '2.RDe95xSSokrvl14qVCgygA==|ge32Hl/YVs9FwarSpcXK+lydn7+gWz5VunUvn92PNvQ=|7F5/j3m+8eblxkGlqBeqspiKMGC06YHBSJ/sE0CSqgo=' got 'sE0CSqgo=' [2025-02-18 16:17:47.633][response][INFO] (post_send_file_v2_data) POST /api/sends/<send_id>/file/<file_id> multipart/form-data => 400 Bad Request [2025-02-18 16:17:47.650][request][INFO] DELETE /api/sends/e1af9bf9-bc4e-4586-8240-04d15588ee44 [2025-02-18 16:17:47.653][response][INFO] (delete_send) DELETE /api/sends/<send_id> => 200 OK [2025-02-18 16:17:49.841][request][INFO] POST /api/sends/file/v2 [2025-02-18 16:17:49.845][response][INFO] (post_send_file_v2) POST /api/sends/file/v2 => 200 OK [2025-02-18 16:17:49.866][request][INFO] POST /api/sends/93bea7f0-1208-463e-a392-5cfed755a17c/file/7dd9290e1c7d72b0a0bc703b769c55a0a16b7b830d6f443bb2f287f6e899be84 [2025-02-18 16:17:49.868][vaultwarden::api::core::sends][ERROR] Send file name does not match.. Expected file name '2.JTf0ESsdIWUje3iV9OecTw==|XCNFOP1P7/OfmeRkEVipp2rMfN5HglW81aVt04UzcSk=|LqEwNiZRU8fG8TFo/cGAcEdOG74vArCywhGKx4t4Y+w=' got 'cGAcEdOG74vArCywhGKx4t4Y+w=' [2025-02-18 16:17:49.868][response][INFO] (post_send_file_v2_data) POST /api/sends/<send_id>/file/<file_id> multipart/form-data => 400 Bad Request [2025-02-18 16:17:49.883][request][INFO] DELETE /api/sends/93bea7f0-1208-463e-a392-5cfed755a17c [2025-02-18 16:17:49.887][response][INFO] (delete_send) DELETE /api/sends/<send_id> => 200 OK [2025-02-18 16:17:52.058][request][INFO] POST /api/sends/file/v2 [2025-02-18 16:17:52.065][response][INFO] (post_send_file_v2) POST /api/sends/file/v2 => 200 OK [2025-02-18 16:17:52.086][request][INFO] POST /api/sends/a55fe284-c514-4eb7-8090-66af49450a03/file/fcc8449e1856b3a8805e95fe772b5e87f245a3c6e36cc86b817a839c2d7206d6 [2025-02-18 16:17:52.088][vaultwarden::api::core::sends][ERROR] Send file name does not match.. Expected file name '2.Hyo8v/nLjGjnRICfZoev8A==|LqrCQQv4P1yBwgFfw6aNpzm912Zo6b2OazGFs2Oo0/4=|VC7g+uKcoVSYPG64wf/YiteFSmc3zWB0zEHGwCtAPHs=' got 'YiteFSmc3zWB0zEHGwCtAPHs=' [2025-02-18 16:17:52.088][response][INFO] (post_send_file_v2_data) POST /api/sends/<send_id>/file/<file_id> multipart/form-data => 400 Bad Request [2025-02-18 16:17:52.105][request][INFO] DELETE /api/sends/a55fe284-c514-4eb7-8090-66af49450a03 [2025-02-18 16:17:52.109][response][INFO] (delete_send) DELETE /api/sends/<send_id> => 200 OK [2025-02-18 16:17:54.265][request][INFO] POST /api/sends/file/v2 [2025-02-18 16:17:54.269][response][INFO] (post_send_file_v2) POST /api/sends/file/v2 => 200 OK [2025-02-18 16:17:54.290][request][INFO] POST /api/sends/ebeb01d1-b541-4a93-b645-f2e425d4519f/file/9c7a8a870cd8e1ab84c0b45cdadf387f5f0d02bbe7ac5a282f725eb05fc28b2b [2025-02-18 16:17:54.294][response][INFO] (post_send_file_v2_data) POST /api/sends/<send_id>/file/<file_id> multipart/form-data => 200 OK [2025-02-18 16:17:56.496][request][INFO] POST /api/sends/file/v2 [2025-02-18 16:17:56.500][response][INFO] (post_send_file_v2) POST /api/sends/file/v2 => 200 OK [2025-02-18 16:17:56.521][request][INFO] POST /api/sends/c30e904b-8fd5-4b74-b35e-9fd57dbf3900/file/59b36ff1699c880907504f821f3fb8f5a0a79199efe73e73663f09041f48423c [2025-02-18 16:17:56.523][vaultwarden::api::core::sends][ERROR] Send file name does not match.. Expected file name '2.GE05eOGFOq3HmWa+E1PjJw==|x10OUc4nIrKVLAohur6HlA==|bJe/mPXL9PVpj9JBj5xKZSjwsnyuxfv3udnYFdQVImA=' got 'mPXL9PVpj9JBj5xKZSjwsnyuxfv3udnYFdQVImA=' [2025-02-18 16:17:56.523][response][INFO] (post_send_file_v2_data) POST /api/sends/<send_id>/file/<file_id> multipart/form-data => 400 Bad Request [2025-02-18 16:17:56.540][request][INFO] DELETE /api/sends/c30e904b-8fd5-4b74-b35e-9fd57dbf3900 [2025-02-18 16:17:56.544][response][INFO] (delete_send) DELETE /api/sends/<send_id> => 200 OK ``` ### Screenshots or Videos _No response_ ### Additional Context My usecase is I often have to send many files to team members within my organization, and use python + the bitwarden cli to do so. This makes that almost impossible without manual intervention

OVERLORD added the bug label 2025-10-09 16:17:41 +03:00

OVERLORD closed this issue 2025-10-09 16:17:41 +03:00

OVERLORD commented 2025-10-09 16:17:42 +03:00

Author

Owner

Copy Link

@stefan0xC commented on GitHub:

@BlackDex that's what the command expects, isn't it? https://bitwarden.com/help/send-cli/#create

@stefan0xC commented on GitHub: @BlackDex that's what the command expects, isn't it? https://bitwarden.com/help/send-cli/#create

OVERLORD commented 2025-10-09 16:17:43 +03:00

Author

Owner

Copy Link

@BlackDex commented on GitHub:

Not sure why you are base64 encoding it though?

@BlackDex commented on GitHub: Not sure why you are base64 encoding it though?

OVERLORD commented 2025-10-09 16:17:43 +03:00

Author

Owner

Copy Link

@stefan0xC commented on GitHub:

btw: the problem is not a forward slash in the filename that is send (that seems to work just fine, is just an indication of a directory, etc.) but with how it's processed by the server (if the encrypted name includes a /)

[2025-02-18 18:33:48.206][vaultwarden::api::core::sends][ERROR] Send file name does not match.. Expected file name '2.Jxz1NK+DPYwKjIF204/Mag==|2shii/tgZsAfWwnpWjX2Aw==|qb34Prb6TVI9KjfxW0EbpBuvNjEliD5C3Zpo3toPQVE=' got 'tgZsAfWwnpWjX2Aw==|qb34Prb6TVI9KjfxW0EbpBuvNjEliD5C3Zpo3toPQVE='

which is why this sometimes fails and sometimes doesn't.

@stefan0xC commented on GitHub: btw: the problem is not a forward slash in the filename that is send (that seems to work just fine, is just an indication of a directory, etc.) but with how it's processed by the server (if the encrypted name includes a `/`) ``` [2025-02-18 18:33:48.206][vaultwarden::api::core::sends][ERROR] Send file name does not match.. Expected file name '2.Jxz1NK+DPYwKjIF204/Mag==|2shii/tgZsAfWwnpWjX2Aw==|qb34Prb6TVI9KjfxW0EbpBuvNjEliD5C3Zpo3toPQVE=' got 'tgZsAfWwnpWjX2Aw==|qb34Prb6TVI9KjfxW0EbpBuvNjEliD5C3Zpo3toPQVE=' ``` which is why this sometimes fails and sometimes doesn't.

OVERLORD commented 2025-10-09 16:17:43 +03:00

Author

Owner

Copy Link

@stefan0xC commented on GitHub:

Well, it seems to work just fine with the web-vault so it might be a client side issue? Not sure how to check what request the cli is sending but it might not provide the proper filename?

@stefan0xC commented on GitHub: Well, it seems to work just fine with the web-vault so it might be a client side issue? Not sure how to check what request the cli is sending but it might not provide the proper filename?

OVERLORD commented 2025-10-09 16:17:44 +03:00

Author

Owner

Copy Link

@BlackDex commented on GitHub:

I wonder what happens when just using --file, and why it doesn't fail on other clients (as far as we know).

I have not tested it though. And cli file uploads didn't worked for a long time anyways, so we weren't able to check that scenario.

It also might be something changed in general, and we haven't noticed it yet.

@BlackDex commented on GitHub: I wonder what happens when just using `--file`, and why it doesn't fail on other clients (as far as we know). I have not tested it though. And cli file uploads didn't worked for a long time anyways, so we weren't able to check that scenario. It also might be something changed in general, and we haven't noticed it yet.

OVERLORD commented 2025-10-09 16:17:45 +03:00

Author

Owner

Copy Link

@BlackDex commented on GitHub:

So, probably a bug in the cli client then hehe.

@BlackDex commented on GitHub: So, probably a bug in the cli client then hehe.

OVERLORD commented 2025-10-09 16:17:46 +03:00

Author

Owner

Copy Link

@KyleKaniecki commented on GitHub:

I've actually been going down this path as well. I believe the cli creates the object here, but I am still grepping how / where the client itself sends the data to the server

I tried to use the file flag for a bit, but I kept getting Error parsing the encoded request data. with any permutation that didn't include the file key in the object, unfortunately

@KyleKaniecki commented on GitHub: I've actually been going down this path as well. I believe the cli creates the object [here](https://github.com/bitwarden/clients/blob/main/apps/cli/src/tools/send/send.program.ts#L201), but I am still grepping how / where the client itself sends the data to the server I tried to use the file flag for a bit, but I kept getting `Error parsing the encoded request data.` with any permutation that didn't include the `file` key in the object, unfortunately

OVERLORD commented 2025-10-09 16:17:46 +03:00

Author

Owner

Copy Link

@stefan0xC commented on GitHub:

As far as I've tested it the web-vault sends the same fileName both in /api/sends/file/v2:
"2.Xoqh62MG8wjAKFc9M9ak5Q==|hAx3z34rbQdHxJNXLYe8HQ==|i0QdhPF/GWLRn76NkiAmoOL/9nI/BF13QaR8VIr8Epg=" as it does when sending the file to /api/sends/<send_id>/file/<file_id>:
Content-Disposition: form-data; name="data"; filename="2.Xoqh62MG8wjAKFc9M9ak5Q==|hAx3z34rbQdHxJNXLYe8HQ==|i0QdhPF/GWLRn76NkiAmoOL/9nI/BF13QaR8VIr8Epg=" while I suspect the CLI request would appear to only send something like Content-Disposition: form-data; name="data"; filename="BF13QaR8VIr8Epg=" instead.

@stefan0xC commented on GitHub: As far as I've tested it the web-vault sends the same `fileName` both in `/api/sends/file/v2`: `"2.Xoqh62MG8wjAKFc9M9ak5Q==|hAx3z34rbQdHxJNXLYe8HQ==|i0QdhPF/GWLRn76NkiAmoOL/9nI/BF13QaR8VIr8Epg="` as it does when sending the file to `/api/sends/<send_id>/file/<file_id>`: `Content-Disposition: form-data; name="data"; filename="2.Xoqh62MG8wjAKFc9M9ak5Q==|hAx3z34rbQdHxJNXLYe8HQ==|i0QdhPF/GWLRn76NkiAmoOL/9nI/BF13QaR8VIr8Epg="` while I suspect the CLI request would appear to only send something like `Content-Disposition: form-data; name="data"; filename="BF13QaR8VIr8Epg="` instead.

OVERLORD commented 2025-10-09 16:17:46 +03:00

Author

Owner

Copy Link

@stefan0xC commented on GitHub:

Yeah, well I mean that's just my guess, that this happens here which might even be caused by form-data.
Cf. https://github.com/form-data/form-data/issues/570
I think this is because they should use filepath instead of filename if I understand the code correctly.
But I have not tested it, so might be wrong. 😅

@stefan0xC commented on GitHub: Yeah, well I mean that's just my guess, that this happens [here](https://github.com/bitwarden/clients/blob/30ee79d2068cfc4a095b56587ef6fc0965db4231/libs/common/src/platform/services/file-upload/bitwarden-file-upload.service.ts#L16-L23) which might even be caused by `form-data`. Cf. https://github.com/form-data/form-data/issues/570 I think this is because they should use `filepath` instead of `filename` if I understand [the code correctly](https://github.com/form-data/form-data/blob/81ab41b46fdf34f5d89d7ff30b513b0925febfaa/lib/form_data.js#L226-L240). But I have not tested it, so might be wrong. 😅

OVERLORD commented 2025-10-09 16:17:47 +03:00

Author

Owner

Copy Link

@KyleKaniecki commented on GitHub:

sigh I'm starting to see the reports...

https://github.com/bitwarden/clients/issues/5876

^ In that report, you can see the headers being truncated as well

Looks like I will take a stab at my own python client. Cheers 🍻

@KyleKaniecki commented on GitHub: _sigh_ I'm starting to see the reports... https://github.com/bitwarden/clients/issues/5876 ^ In that report, you can see the headers being truncated as well Looks like I will take a stab at my own python client. Cheers 🍻

OVERLORD commented 2025-10-09 16:17:48 +03:00

Author

Owner

Copy Link

@stefan0xC commented on GitHub:

@BlackDex should we fix this by being less strict about the filename? I.e. instead of only accepting raw_file_name.dangerous_unsafe_unsanitized_raw() == send_data.fileName also allow something like send_data.fileName.ends_with(raw_file_name.dangerous_unsafe_unsanitized_raw().as_str()) to account for truncated paths.

@stefan0xC commented on GitHub: @BlackDex should we fix this by being less strict about the filename? I.e. instead of only accepting `raw_file_name.dangerous_unsafe_unsanitized_raw() == send_data.fileName` also allow something like `send_data.fileName.ends_with(raw_file_name.dangerous_unsafe_unsanitized_raw().as_str())` to account for truncated paths.

OVERLORD commented 2025-10-09 16:17:48 +03:00

Author

Owner

Copy Link

@BlackDex commented on GitHub:

It does look like it shouldn't be having any impact indeed.
But there was something about it in some way. But i can't find the report about it anymore.

@BlackDex commented on GitHub: It does look like it shouldn't be having any impact indeed. But there was something about it in some way. But i can't find the report about it anymore.

OVERLORD commented 2025-10-09 16:17:48 +03:00

Author

Owner

Copy Link

@stefan0xC commented on GitHub:

Because we do need to validate it to prevent custom names as a security precaution.

How so? I mean I think it makes sense to validate it but If I wrote a malicious client I could still send whatever custom name I wanted for both fields, wouldn't I? Also I don't think that we are even using the raw name for send files anyway and even if we did store it in the database somewhere, wouldn't this comment from the legacy file attachments API also apply?
3baffeee9a/src/api/core/ciphers.rs (L1256-L1259)

@stefan0xC commented on GitHub: > Because we do need to validate it to prevent custom names as a security precaution. How so? I mean I think it makes sense to validate it but If I wrote a malicious client I could still send whatever custom name I wanted for both fields, wouldn't I? Also I don't think that we are even using the raw name for send files anyway and even if we did store it in the database somewhere, wouldn't this comment from the legacy file attachments API also apply? https://github.com/dani-garcia/vaultwarden/blob/3baffeee9a167d61f3b7b71f8693b6cd4c5fdf43/src/api/core/ciphers.rs#L1256-L1259

OVERLORD commented 2025-10-09 16:17:49 +03:00

Author

Owner

Copy Link

@BlackDex commented on GitHub:

@stefan0xC that might be a good idea. Maybe we could check if it's the cli client and allow lesser strict checks?

Because we do need to validate it to prevent custom names as a security precaution.

@BlackDex commented on GitHub: @stefan0xC that might be a good idea. Maybe we could check if it's the cli client and allow lesser strict checks? Because we do need to validate it to prevent custom names as a security precaution.

OVERLORD referenced this issue 2025-10-09 18:30:32 +03:00

[PR #204] [MERGED] Org improvements #3807

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

test_dylint

1.34.3

1.34.2

1.34.1

1.34.0

1.33.2

1.33.1

1.33.0

1.32.7

1.32.6

1.32.5

1.32.4

1.32.3

1.32.2

1.32.1

1.32.0

1.31.0

1.30.5

1.30.4

1.30.3

1.30.2

1.30.1

1.30.0

1.29.2

1.29.1

1.29.0

1.28.1

1.28.0

1.27.0

1.26.0

1.25.2

1.25.1

1.25.0

1.24.0

1.23.1

1.23.0

1.22.2

1.22.1

1.22.0

1.21.0

1.20.0

1.19.0

1.18.0

1.17.0

1.16.3

1.16.2

1.16.1

1.16.0

1.15.1

1.15.0

1.14.2

1.14.1

1.14

1.13.1

1.13.0

1.12.0

1.11.0

1.10.0

1.9.1

1.9.0

1.8.0

1.7.0

1.6.1

1.6.0

1.5.0

1.4.0

1.3.0

1.2.0

1.1.0

1.0.0

0.13.0

0.12.0

0.11.0

0.10.0

0.9.0

Labels

Clear labels

better for forum

bug

bug

bug

documentation

duplicate

enhancement

future Vault

good first issue

help wanted

low priority

notes

pull-request

Mirrored from GitHub Pull Request

question

SSO

Third party

troubleshooting

troubleshooting

wontfix

No Label bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/vaultwarden#204