Please see related discussion and research in rack/rack#323.
RFC 1867 does not say to escape ASCII chars in filenames in multipart uploads using %XX (the URL-encoding scheme from RFC 1738). No browser I tried (see list in rack/rack#323) escapes ASCII filename characters in this way so Rack shouldn't either, with one exception: it could emulate either Firefox or Webkit by escaping only the double-quote character.
All other ASCII characters--including single quote ('), percent (%), ampersand (&), question mark (?), backslash (\)--should be passed straight through without encoding.
Background: this bit me because rack-test escapes the entire filename using RFC 1738 encoding and rack unescapes the filename using the same method. I had a passing test in my app to verify that special characters were allowed in filenames and it was passing, but later I discovered that in a real browser with a % sign in the filename it raised an error in rack. The real browser did not escape the % sign but rack tried to unescape it. If rack-test were behaving more like a real browser and not escape percent signs, my test would have told me something was wrong.
The correct fix is for both rack-test and rack to be updated (which is why rack/rack#323 was filed along with this one).