Rack: backport fix for CVE-2025-49007

kratob · kratob · commit c5c3ab94048a · 2025-06-16T09:35:12.000+02:00
diff --git a/rack/lib/rack/multipart.rb b/rack/lib/rack/multipart.rb
@@ -8,6 +8,8 @@ module Multipart
     autoload :Generator, 'rack/multipart/generator'
 
     EOL = "\r\n"
+    FWS = /[ \t]+(?:\r\n[ \t]+)?/ # whitespace with optional folding
+    HEADER_VALUE = "(?:[^\r\n]|\r\n[ \t])*" # anything but a non-folding CRLF
     MULTIPART_BOUNDARY = "AaB03x"
     MULTIPART = %r|\Amultipart/.*boundary=\"?([^\";,]+)\"?|n
     TOKEN = /[^\s()<>,;:\\"\/\[\]?=]+/
@@ -16,9 +18,12 @@ module Multipart
     RFC2183 = /^#{CONDISP}(#{DISPPARM})+$/i
     VALUE = /"(?:\\"|[^"])*"|#{TOKEN}/
     BROKEN = /^#{CONDISP}.*;\s*filename=(#{VALUE})/i
-    MULTIPART_CONTENT_TYPE = /Content-Type: (.*)#{EOL}/ni
-    MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:[^:]*;\s+name="?([^\";]*)"?/ni
-    MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
+
+    MULTIPART_CONTENT_TYPE = /^Content-Type:#{FWS}?(#{HEADER_VALUE})/ni
+    MULTIPART_CONTENT_DISPOSITION = /^Content-Disposition:#{FWS}?(#{HEADER_VALUE})/ni
+    MULTIPART_CONTENT_ID = /^Content-ID:#{FWS}?(#{HEADER_VALUE})/ni
+
+    MULTIPART_CONTENT_DISPOSITION_NAME = /;\s+name="?([^\";]*)"?/ni
 
     class << self
       def parse_multipart(env)
diff --git a/rack/lib/rack/multipart/parser.rb b/rack/lib/rack/multipart/parser.rb
@@ -117,7 +117,7 @@ def get_current_head_and_filename_and_content_type_and_name_and_body
             @buf.slice!(0, 2)          # Second \r\n
 
             content_type = head[MULTIPART_CONTENT_TYPE, 1]
-            name = head[MULTIPART_CONTENT_DISPOSITION, 1] || head[MULTIPART_CONTENT_ID, 1]
+            name = get_name(head)
 
             filename = get_filename(head)
 
@@ -145,6 +145,13 @@ def get_current_head_and_filename_and_content_type_and_name_and_body
         [head, filename, content_type, name, body]
       end
 
+      def get_name(head)
+        name = if (disposition_value = head[MULTIPART_CONTENT_DISPOSITION, 1])
+          disposition_value[MULTIPART_CONTENT_DISPOSITION_NAME, 1]
+        end
+        name || head[MULTIPART_CONTENT_ID, 1]
+      end
+
       def get_filename(head)
         filename = nil
         if head =~ RFC2183
