Limit the number of quoted escapes during multipart parsing

This sets a default limit of 8192 escapes, which can be modified
using the RACK_MULTIPART_CONTENT_DISPOSITION_QUOTED_ESCAPES_LIMIT
environment variable.

Author: jeremyevans

CHANGELOG.md

@@ -18,6 +18,7 @@ All notable changes to this project will be documented in this file. For info on
 - [CVE-2026-34830](https://github.com/advisories/GHSA-qv7j-4883-hwh7) `Rack::Sendfile` header-based `X-Accel-Mapping` regex injection enables unauthorized `X-Accel-Redirect`.
 - [CVE-2026-34785](https://github.com/advisories/GHSA-h2jq-g4cq-5ppq) `Rack::Static` prefix matching can expose unintended files under the static root.
 - [CVE-2026-34829](https://github.com/advisories/GHSA-8vqr-qjwx-82mw) Multipart parsing without `Content-Length` header allows unbounded chunked file uploads.
+- [CVE-2026-34827](https://github.com/advisories/GHSA-v6x5-cg8r-vv6x) Quadratic-time multipart header parsing allows denial of service via escape-heavy quoted parameters.
 
 ### SPEC Changes
 

lib/rack/multipart/parser.rb

@@ -84,6 +84,9 @@ class Parser
       PARSER_BYTESIZE_LIMIT = bytesize_limit > 0 ? bytesize_limit : nil
       private_constant :PARSER_BYTESIZE_LIMIT
 
+      CONTENT_DISPOSITION_QUOTED_ESCAPES_LIMIT = env_int.call("RACK_MULTIPART_CONTENT_DISPOSITION_QUOTED_ESCAPES_LIMIT", 8 * 1024)
+      private_constant :CONTENT_DISPOSITION_QUOTED_ESCAPES_LIMIT
+
       class BoundedIO # :nodoc:
         def initialize(io, content_length)
           @io             = io
@@ -264,6 +267,7 @@ def initialize(boundary, tempfile, bufsize, query_parser)
         @body_retained = nil
         @retained_size = 0
         @total_bytes_read = (0 if PARSER_BYTESIZE_LIMIT)
+        @content_disposition_quoted_escapes = 0
         @collector = Collector.new tempfile
 
         @sbuf = StringScanner.new("".b)
@@ -416,6 +420,11 @@ def handle_mime_head
                   # stop parsing parameter value if found ending quote
                   break if c == '"'
 
+                  @content_disposition_quoted_escapes += 1
+                  if @content_disposition_quoted_escapes > CONTENT_DISPOSITION_QUOTED_ESCAPES_LIMIT
+                    raise Error, "number of quoted escapes during content disposition parsing exceeds limit"
+                  end
+
                   escaped_char = disposition.slice!(0, 1)
                   if param == 'filename' && escaped_char != '"'
                     # Possible IE uploaded filename, append both escape backslash and value

test/spec_multipart.rb

@@ -658,6 +658,50 @@ def rd.rewind; end
     x.must_equal "application/pdf"=>[""]
   end
 
+  quoted_escape_test_parse = lambda do |parts, escapes_per_part|
+    boundary = '---------------------------932620571087722842402766118'
+    escaped_quotes = '\\"' * (escapes_per_part/2)
+    unescaped_quotes = '"' * (escapes_per_part/2)
+
+    data = StringIO.new
+    parts.times do |i|
+      data.write("--#{boundary}")
+      data.write("\r\n")
+      data.write("Content-Disposition: form-data; name=\"a#{i}#{escaped_quotes}\" filename=\"b#{i}#{escaped_quotes}\"")
+      data.write("\r\n")
+      data.write("content-type:application/pdf\r\n")
+      data.write("\r\n")
+      data.write("--#{boundary}--\r\n")
+    end
+    data.rewind
+
+    fixture = {
+      "CONTENT_TYPE" => "multipart/form-data; boundary=#{boundary}",
+      "CONTENT_LENGTH" => data.length.to_s,
+      :input => data,
+    }
+
+    env = Rack::MockRequest.env_for '/', fixture
+    [Rack::Multipart.parse_multipart(env), unescaped_quotes]
+  end
+
+  it "allows up to 8192 quoted escapes during parsing" do
+    parts = 32
+    x, unescaped_quotes = quoted_escape_test_parse.call(parts, 256)
+    x.keys.must_equal Array.new(parts) {|i| "a#{i}#{unescaped_quotes}" }
+    parts.times do |i|
+      key = "a#{i}#{unescaped_quotes}"
+      v = x[key]
+      v[:filename].must_equal "b#{i}#{unescaped_quotes}"
+      v[:name].must_equal key
+    end
+  end
+
+  it "disallows more than 8192 quoted escapes during parsing" do
+    proc{quoted_escape_test_parse.call(32, 258)}.must_raise Rack::Multipart::Error
+    proc{quoted_escape_test_parse.call(33, 256)}.must_raise Rack::Multipart::Error
+  end
+
   it 'raises an EOF error on content-length mismatch' do
     env = Rack::MockRequest.env_for("/", multipart_fixture(:empty))
     env['rack.input'] = StringIO.new