Reject CR/LF in multipart field name, filename, and content type

encode_multipart_form_data interpolated the field name, filename, and
per-part content type into Content-Disposition and Content-Type lines
with only quote_string escaping backslash and double quote, so CR/LF in
any of them could forge part headers and tamper with the request.

Fixes #195

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

Author: hsbt

lib/net/http/generic_request.rb

@@ -350,6 +350,9 @@ def encode_multipart_form_data(out, params, opt)
       if filename
         filename = quote_string(filename, charset)
         type = h[:content_type] || 'application/octet-stream'
+        if /[\r\n]/.match?(type)
+          raise ArgumentError, "field content type cannot include CR/LF"
+        end
         buf << "Content-Disposition: form-data; " \
           "name=\"#{key}\"; filename=\"#{filename}\"\r\n" \
           "Content-Type: #{type}\r\n\r\n"
@@ -384,6 +387,9 @@ def encode_multipart_form_data(out, params, opt)
 
   def quote_string(str, charset)
     str = str.encode(charset, fallback:->(c){'&#%d;'%c.encode("UTF-8").ord}) if charset
+    if /[\r\n]/.match?(str)
+      raise ArgumentError, "multipart field name or filename cannot include CR/LF"
+    end
     str.gsub(/[\\"]/, '\\\\\&')
   end
 

test/net/http/test_http.rb

@@ -931,6 +931,20 @@ def test_set_form_with_file
       }
     }
   end
+
+  def test_set_form_multipart_crlf_injection
+    build = ->(data) {
+      req = Net::HTTP::Post.new('/')
+      req.set_form(data, 'multipart/form-data')
+      out = +''
+      req.send(:encode_multipart_form_data, out, req.instance_variable_get(:@body_data), {})
+    }
+    assert_raise(ArgumentError) { build.call([["foo\r\nX-Injected: 1", 'v']]) }
+    assert_raise(ArgumentError) { build.call([['f', 'v', {filename: "a\r\nX-Injected: 1"}]]) }
+    assert_raise(ArgumentError) do
+      build.call([['f', 'v', {filename: 'a', content_type: "text/plain\r\nX-Injected: 1"}]])
+    end
+  end
 end
 
 class TestNetHTTP_v1_2 < Test::Unit::TestCase