Skip to content

Improve validation and hardening of user-supplied data#24

Merged
tomtaylor merged 4 commits into
mainfrom
injection-fixes
Jun 9, 2026
Merged

Improve validation and hardening of user-supplied data#24
tomtaylor merged 4 commits into
mainfrom
injection-fixes

Conversation

@tomtaylor

Copy link
Copy Markdown
Contributor

Harden multipart encoding against malicious filenames, form fields, headers and boundaries. An attacker could use these to craft inject headers or content-disposition directives. This is a similar issue to GHSA-px9f-whj3-246m.

  • Multipart.new/1 now raises ArgumentError for boundaries outside the RFC 2046 charset
  • Serializing a part whose headers contain CR/LF now raises ArgumentError
  • These affect only malformed/malicious input; all existing fixture tests pass unchanged

@tomtaylor tomtaylor merged commit 2b8446d into main Jun 9, 2026
10 checks passed
@tomtaylor tomtaylor deleted the injection-fixes branch June 9, 2026 10:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant