Return 400 for invalid UTF-8 multipart fields

lovasoa · lovasoa · commit bbd92bc1578b · 2026-03-12T11:44:43.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,7 @@
 
 ## 0.43.0
 
+- Fix: invalid UTF-8 in multipart text fields now returns `400 Bad Request` instead of `500 Internal Server Error`.
 - OIDC protected and public paths now respect the site prefix when it is defined.
 - Fix: OIDC provider metadata refreshes now always happen in the background, and with a timeout. Previously, a slow OIDC provider could prevent SQLPage from handling requests for an arbitrary amount of time.
 - Fix: forms without submit or reset buttons no longer keep extra bottom spacing.
diff --git a/src/webserver/http_request_info.rs b/src/webserver/http_request_info.rs
@@ -273,7 +273,14 @@ async fn extract_text(
         .await
         .map(|bytes| bytes.data)
         .map_err(|e| anyhow!("failed to read form field data: {e}"))?;
-    Ok(String::from_utf8(data.to_vec())?)
+    String::from_utf8(data.to_vec()).map_err(|e| {
+        anyhow!(super::ErrorWithStatus {
+            status: actix_web::http::StatusCode::BAD_REQUEST,
+        })
+        .context(format!(
+            "could not parse multipart form field as utf-8 text: {e}"
+        ))
+    })
 }
 
 async fn extract_file(
diff --git a/tests/requests/mod.rs b/tests/requests/mod.rs
@@ -188,4 +188,34 @@ async fn test_variables_function() -> actix_web::Result<()> {
     Ok(())
 }
 
+#[actix_web::test]
+async fn test_invalid_utf8_multipart_text_field_returns_bad_request() -> actix_web::Result<()> {
+    let req = get_request_to("/tests/requests/variables.sql")
+        .await?
+        .insert_header(("content-type", "multipart/form-data; boundary=1234567890"))
+        .set_payload(
+            b"--1234567890\r\n\
+            Content-Disposition: form-data; name=\"x\"\r\n\
+            Content-Type: text/plain\r\n\
+            \r\n\
+            \xff\r\n\
+            --1234567890--\r\n"
+                .as_slice(),
+        )
+        .to_srv_request();
+    let status = match main_handler(req).await {
+        Ok(resp) => resp.status(),
+        Err(err) => err.as_response_error().status_code(),
+    };
+
+    assert_eq!(
+        status,
+        StatusCode::BAD_REQUEST,
+        "assertion error, expected 400 bad request on invalid utf8 payload, got {}",
+        status
+    );
+
+    Ok(())
+}
+
 mod webhook_hmac;
