Limit file extension length of multipart tempfiles (#2069) (#2075)

- Fixes #1968
rack · Apr 25, 2023 · c4245c5 · c4245c5
1 parent 983b6e3
commit c4245c5
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 1 deletion.
diff --git a/lib/rack/multipart/parser.rb b/lib/rack/multipart/parser.rb
@@ -13,7 +13,9 @@ class Parser
       BUFSIZE = 1_048_576
       TEXT_PLAIN = "text/plain"
       TEMPFILE_FACTORY = lambda { |filename, content_type|
-        Tempfile.new(["RackMultipart", ::File.extname(filename.gsub("\0", '%00'))])
+        extension = ::File.extname(filename.gsub("\0", '%00'))[0, 129]
+
+        Tempfile.new(["RackMultipart", extension])
       }
 
       BOUNDARY_REGEX = /\A([^\n]*(?:\n|\Z))/

diff --git a/test/spec_multipart.rb b/test/spec_multipart.rb
@@ -704,6 +704,28 @@ def initialize(*)
     params["file"][:filename].must_equal 'long' * 100
   end
 
+  it "limits very long file name extensions in multipart tempfiles" do
+    data = <<-EOF
+--AaB03x\r
+content-type: text/plain\r
+content-disposition: attachment; name=file; filename=foo.#{'a' * 1000}\r
+\r
+contents\r
+--AaB03x--\r
+    EOF
+
+    options = {
+      "CONTENT_TYPE" => "multipart/form-data; boundary=AaB03x",
+      "CONTENT_LENGTH" => data.length.to_s,
+      :input => StringIO.new(data)
+    }
+    env = Rack::MockRequest.env_for("/", options)
+    params = Rack::Multipart.parse_multipart(env)
+
+    params["file"][:filename].must_equal "foo.#{'a' * 1000}"
+    File.extname(env["rack.tempfiles"][0]).must_equal ".#{'a' * 128}"
+  end
+
   it "parse unquoted parameter values at end of line" do
     data = <<-EOF
 --AaB03x\r