From 8291f502b0e1dcf514cc25c34e4bf0beec7a92ae Mon Sep 17 00:00:00 2001
From: John Hawthorn <john@hawthorn.email>
Date: Wed, 3 Aug 2022 00:19:56 -0700
Subject: [PATCH] Forbid control characters in attributes

This commit restricts the characters accepted in ATTRIBUTE_CHAR,
forbidding control characters and fixing a ReDOS vulnerability.

This should also now fully follow the RFCs.

RFC 2231, Section 7 specifies:

    attribute-char := <any (US-ASCII) CHAR except SPACE, CTLs,
                         "*", "'", "%", or tspecials>

RFC 2045, Appendix A specifies:

    tspecials :=  "(" / ")" / "<" / ">" / "@" /
                  "," / ";" / ":" / "\" / <">
                  "/" / "[" / "]" / "?" / "="

RFC 822, Section 3.3 specifies:

    CTL         =  <any ASCII control           ; (  0- 37,  0.- 31.)
                    character and DEL>          ; (    177,     127.)
    SPACE       =  <ASCII SP, space>            ; (     40,      32.)

[CVE-2022-44572]
---
 lib/rack/multipart.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/lib/rack/multipart.rb
+++ b/lib/rack/multipart.rb
@@ -21,7 +21,7 @@
     MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:[^:]*;\s*name=(#{VALUE})/ni
     MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
     # Updated definitions from RFC 2231
-    ATTRIBUTE_CHAR = %r{[^ \t\v\n\r)(><@,;:\\"/\[\]?='*%]}
+    ATTRIBUTE_CHAR = %r{[^ \x00-\x1f\x7f)(><@,;:\\"/\[\]?='*%]}
     ATTRIBUTE = /#{ATTRIBUTE_CHAR}+/
     SECTION = /\*[0-9]+/
     REGULAR_PARAMETER_NAME = /#{ATTRIBUTE}#{SECTION}?/
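Review bot: The new negated class on the `+` line still admits any non-ASCII character (`\x80` and above), so it remains broader than RFC 2231's `attribute-char`, which is limited to US-ASCII, even though the description says the definition should now fully follow the RFCs. If strict conformance is intended, a positive class pins the set exactly, e.g. `ATTRIBUTE_CHAR = /[!#$&+\-.0-9A-Z^_`a-z{|}~]/` (constructed from printable US-ASCII minus SPACE, CTLs, tspecials, `*`, `'` and `%`). The ReDoS fix itself appears to rely on the class now excluding every whitespace and control byte that the surrounding regexes also match on, which bounds backtracking in `ATTRIBUTE` (`/#{ATTRIBUTE_CHAR}+/`); a regression test that runs the parser over a long run of control characters and asserts it returns promptly would keep that property from silently regressing. The other constants that consume `ATTRIBUTE` continue past the end of the hunk, so I could not confirm none of them reintroduces an overlapping repetition.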
