fix(WebRequest): CWE-190/DoS fix and boundary-parsing refactor

Tighten multipart boundary parsing in _parseReqHeader():

- Replace String::charAt() inner loop with a raw C-string pointer and
  pre-computed length for faster, allocation-free scanning.
- Add an early-exit upper bound on the scan loop so that positions
  where 'boundary=' cannot possibly fit are skipped entirely.
- Replace the three-pass quoted-string extraction (find close-quote,
  substring, then unescape) with a single-pass approach that writes
  directly into _boundary using a std::string_view window into the
  original header value — no intermediate heap allocations.
- Enforce the RFC 2046 §5.1 70-character limit on boundary length in
  both token and quoted-string paths; abort with PARSE_REQ_FAIL on
  violation to prevent CWE-190 integer-overflow / DoS.
- Replace strncmp length guard with a position-based early break that
  is clearer and avoids the redundant cast.

Ref: #445

Author: mathieucarbou

src/WebRequest.cpp

@@ -9,6 +9,7 @@
 #include <algorithm>
 #include <cstring>
 #include <memory>
+#include <string_view>
 #include <utility>
 
 #include "./literals.h"
@@ -490,10 +491,17 @@ bool AsyncWebServerRequest::_parseReqHeader() {
         // optional OWS) so that e.g. 'x-boundary=' is not matched.
         int bpos = -1;
         bool inQuotes = false;
-        for (int i = 0; i < (int)lowcase.length(); i++) {
-          char c = lowcase.charAt(i);
+        const char *lc = lowcase.c_str();
+        const int llen = (int)lowcase.length();
+        // Stop early: a ';' followed by OWS and 'boundary=' needs at least
+        // T_BOUNDARY_LEN+1 chars after it.  Without OWS the minimum is
+        // i+1+T_BOUNDARY_LEN+1 <= llen, i.e. i < llen-(T_BOUNDARY_LEN+1).
+        // The inner OWS-aware check below still guards the OWS case.
+        const int lscan = llen - (int)(T_BOUNDARY_LEN + 1);
+        for (int i = 0; i < lscan; i++) {
+          char c = lc[i];
           if (inQuotes) {
-            if (c == '\\' && i + 1 < (int)lowcase.length()) {
+            if (c == '\\' && i + 1 < llen) {
               i++;  // skip quoted-pair — the escaped character cannot terminate the quoted-string
             } else if (c == '"') {
               inQuotes = false;
@@ -504,13 +512,17 @@ bool AsyncWebServerRequest::_parseReqHeader() {
             } else if (c == ';') {
               // Skip OWS after the ';' and check for 'boundary='
               int j = i + 1;
-              while (j < (int)lowcase.length() && (lowcase.charAt(j) == ' ' || lowcase.charAt(j) == '\t')) {
+              while (j < llen && (lc[j] == ' ' || lc[j] == '\t')) {
                 j++;
               }
-              // Use strncmp on the raw C string to avoid a heap allocation
-              // from String::substring() — this code runs on attacker-controlled
-              // input in a scan loop, so zero-allocation is preferred.
-              if ((size_t)j + T_BOUNDARY_LEN <= lowcase.length() && std::strncmp(lowcase.c_str() + j, T_BOUNDARY, T_BOUNDARY_LEN) == 0) {
+              // If there is not enough room left for "boundary=" plus at least
+              // one value byte, no later ';' can match either — stop scanning.
+              if (j + (int)T_BOUNDARY_LEN + 1 > llen) {
+                break;
+              }
+              // strncmp stops at the null terminator, so no separate length
+              // guard is needed: a short suffix causes a non-matching result.
+              if (std::strncmp(lc + j, T_BOUNDARY, T_BOUNDARY_LEN) == 0) {
                 bpos = j;
                 break;
               }
@@ -526,64 +538,61 @@ bool AsyncWebServerRequest::_parseReqHeader() {
           return true;
         }
 
-        // Extract the boundary value that follows "boundary=" and strip leading/
-        // trailing whitespace.  The value may be either a token or a
-        // quoted-string (RFC 2045 §5.1 / RFC 2046 §5.1).
-        _boundary = value.substring(bpos + (int)T_BOUNDARY_LEN);
-        _boundary.trim();
-
-        if (_boundary.startsWith("\"")) {
-          // Quoted-string form: scan forward from position 1 for the closing
-          // double-quote.  A quote is escaped only when preceded by an ODD
-          // number of consecutive backslashes (e.g. \" is escaped, \\" is not
-          // because the two backslashes escape each other, leaving the quote
-          // unescaped).  Checking only the immediately preceding character
-          // would mishandle the \\" case.
-          int endQuote = 1;
-          while (true) {
-            endQuote = _boundary.indexOf('"', endQuote);
-            if (endQuote < 0) {
-              break;  // string ran out — unterminated quote
-            }
-            // Count consecutive backslashes immediately before this quote.
-            int backslashes = 0;
-            while (endQuote - 1 - backslashes >= 0 && _boundary.charAt(endQuote - 1 - backslashes) == '\\') {
-              backslashes++;
+        // Use a std::string_view into the original (mixed-case) header value
+        // to locate and extract the boundary without any intermediate heap
+        // allocation.  The value may be either a token or a quoted-string
+        // (RFC 2045 §5.1 / RFC 2046 §5.1).
+        std::string_view bv(value.c_str() + bpos + T_BOUNDARY_LEN, value.length() - bpos - T_BOUNDARY_LEN);
+
+        if (!bv.empty() && bv[0] == '"') {
+          // Quoted-string form: scan once from the opening '"', unescaping
+          // quoted-pairs on the fly and writing into _boundary directly.
+          // This single pass replaces the previous three-pass approach
+          // (find close-quote, substring, then separate unescape loop).
+          bv.remove_prefix(1);  // skip opening '"'
+          _boundary.reserve(bv.size());
+          bool closed = false;
+          for (size_t i = 0; i < bv.size(); ++i) {
+            char c = bv[i];
+            if (c == '\\' && i + 1 < bv.size()) {
+              _boundary += bv[++i];  // quoted-pair: keep only the escaped char
+            } else if (c == '"') {
+              closed = true;
+              break;
+            } else {
+              _boundary += c;
             }
-            if (backslashes % 2 == 0) {
-              break;  // even number of backslashes → quote is real closing quote
+            if (_boundary.length() > 70) {
+              async_ws_log_d("Invalid multipart boundary length (%u), aborting", _boundary.length());
+              _parseState = PARSE_REQ_FAIL;
+              abort();
+              return true;
             }
-            endQuote++;  // odd number → quote is escaped, keep scanning
           }
-          if (endQuote < 0) {
+          if (!closed) {
             // Opening quote was never closed — malformed header.
             async_ws_log_d("Invalid multipart boundary (unterminated quote), aborting");
             _parseState = PARSE_REQ_FAIL;
             abort();
             return true;
           }
-          // Strip the surrounding quotes; content between them is the boundary.
-          _boundary = _boundary.substring(1, endQuote);
-
-          // Unescape quoted-pair sequences so the boundary matches the actual bytes on the wire.
-          String unescaped;
-          unescaped.reserve(_boundary.length());
-          for (size_t i = 0; i < _boundary.length(); ++i) {
-            char c = _boundary.charAt(i);
-            if (c == '\\' && (i + 1) < _boundary.length()) {
-              c = _boundary.charAt(++i);
-            }
-            unescaped += c;
-          }
-          _boundary = unescaped;
         } else {
-          // Token form: the value ends at the next ';' (start of the next
-          // parameter) or at the end of the header field.
-          int semi = _boundary.indexOf(';');
-          if (semi >= 0) {
-            _boundary = _boundary.substring(0, semi);
+          // Token form: value ends at the next ';' or end of string.
+          // Trim trailing OWS using the view — no copy until the final assign.
+          auto semi = bv.find(';');
+          if (semi != std::string_view::npos) {
+            bv = bv.substr(0, semi);
+          }
+          while (!bv.empty() && (bv.back() == ' ' || bv.back() == '\t')) {
+            bv.remove_suffix(1);
+          }
+          if (bv.empty() || bv.size() > 70) {
+            async_ws_log_d("Invalid multipart boundary length (%u), aborting", (unsigned)bv.size());
+            _parseState = PARSE_REQ_FAIL;
+            abort();
+            return true;
           }
-          _boundary.trim();
+          _boundary = String(bv.data(), (unsigned int)bv.size());
         }
 
         // CWE-190 / DoS fix: RFC 2046 §5.1 limits boundary strings to 70