Fix CWE-190: properly parse RFC 2046 quoted-string boundary values

The previous code stripped all double-quote characters from the boundary
string using a blanket replace(), which would silently corrupt boundary
values that contain escaped quotes (\") and could leave a trailing
semi-colon if the quoted string was followed by another parameter.

Replace with a proper RFC 2045/2046 quoted-string parser:
- Token form  (no leading quote): trim and stop at the next ';'.
- Quoted-string form (leading '"'): scan forward for the closing quote,
  skipping backslash-escaped quotes (\") along the way; extract the
  content between the outer quotes.  Reject unterminated quoted strings
  (missing closing quote) immediately with PARSE_REQ_FAIL + abort().

This was reviewed and proposed by GitHub Copilot Autofix.

Author: mathieucarbou

src/WebRequest.cpp

@@ -511,16 +511,44 @@ bool AsyncWebServerRequest::_parseReqHeader() {
           return true;
         }
 
-        // Extract the boundary value; strip any following parameters, optional
-        // surrounding whitespace and quotes (RFC 2046 allows quoted-string).
+        // Extract the boundary value that follows "boundary=" and strip leading/
+        // trailing whitespace.  The value may be either a token or a
+        // quoted-string (RFC 2045 §5.1 / RFC 2046 §5.1).
         _boundary = value.substring(bpos + (int)T_BOUNDARY_LEN);
-        int semi = _boundary.indexOf(';');
-        if (semi >= 0) {
-          _boundary = _boundary.substring(0, semi);
-        }
-
         _boundary.trim();
-        _boundary.replace(String('"'), String());
+
+        if (_boundary.startsWith("\"")) {
+          // Quoted-string form: scan forward from position 1 for the closing
+          // double-quote, skipping any backslash-escaped quotes (\" sequences)
+          // along the way.  The boundary value is the content between the pair
+          // of outer quotes, with escape sequences left as-is (the boundary is
+          // compared verbatim against incoming data).
+          int endQuote = 1;
+          while (true) {
+            endQuote = _boundary.indexOf('"', endQuote);
+            if (endQuote < 0 || _boundary.charAt(endQuote - 1) != '\\') {
+              break;  // found the real closing quote (or string ran out)
+            }
+            endQuote++;  // skip escaped quote (\") and keep scanning
+          }
+          if (endQuote < 0) {
+            // Opening quote was never closed — malformed header.
+            async_ws_log_d("Invalid multipart boundary (unterminated quote), aborting");
+            _parseState = PARSE_REQ_FAIL;
+            abort();
+            return true;
+          }
+          // Strip the surrounding quotes; content between them is the boundary.
+          _boundary = _boundary.substring(1, endQuote);
+        } else {
+          // Token form: the value ends at the next ';' (start of the next
+          // parameter) or at the end of the header field.
+          int semi = _boundary.indexOf(';');
+          if (semi >= 0) {
+            _boundary = _boundary.substring(0, semi);
+          }
+          _boundary.trim();
+        }
 
         // CWE-190 / DoS fix: RFC 2046 §5.1 limits boundary strings to 70
         // characters.  _boundaryPosition was formerly uint8_t, so a boundary