Add Content-Length size check in Rack::Multipart::Parser

th4s1s · ioquatix · commit 367a2a0ec6fb · 2026-04-01T16:00:07.000+13:00
Compare the declared `Content-Length` against a configurable maximum (`PARSER_BYTESIZE_LIMIT`) before any parsing begins.

If it exceeds the limit, raise an exception immediately.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -16,6 +16,7 @@ All notable changes to this project will be documented in this file. For info on
 - [CVE-2026-34835](https://github.com/advisories/GHSA-g2pf-xv49-m2h5) `Rack::Request` accepts invalid Host characters, enabling host allowlist bypass.
 - [CVE-2026-34830](https://github.com/advisories/GHSA-qv7j-4883-hwh7) `Rack::Sendfile` header-based `X-Accel-Mapping` regex injection enables unauthorized `X-Accel-Redirect`.
 - [CVE-2026-34785](https://github.com/advisories/GHSA-h2jq-g4cq-5ppq) `Rack::Static` prefix matching can expose unintended files under the static root.
+- [CVE-2026-34829](https://github.com/advisories/GHSA-8vqr-qjwx-82mw) Multipart parsing without `Content-Length` header allows unbounded chunked file uploads.
 
 ## [3.1.20] - 2026-02-16
 
diff --git a/lib/rack/multipart/parser.rb b/lib/rack/multipart/parser.rb
@@ -68,6 +68,10 @@ class Parser
       BUFFERED_UPLOAD_BYTESIZE_LIMIT = env_int.call("RACK_MULTIPART_BUFFERED_UPLOAD_BYTESIZE_LIMIT", 16 * 1024 * 1024)
       private_constant :BUFFERED_UPLOAD_BYTESIZE_LIMIT
 
+      bytesize_limit = env_int.call("RACK_MULTIPART_PARSER_BYTESIZE_LIMIT", 10 * 1024 * 1024 * 1024)
+      PARSER_BYTESIZE_LIMIT = bytesize_limit > 0 ? bytesize_limit : nil
+      private_constant :PARSER_BYTESIZE_LIMIT
+
       class BoundedIO # :nodoc:
         def initialize(io, content_length)
           @io             = io
@@ -121,6 +125,10 @@ def self.parse(io, content_length, content_type, tmpfile, bufsize, qp)
         boundary = parse_boundary content_type
         return EMPTY unless boundary
 
+        if PARSER_BYTESIZE_LIMIT && content_length && content_length > PARSER_BYTESIZE_LIMIT
+          raise Error, "multipart Content-Length #{content_length} exceeds limit of #{PARSER_BYTESIZE_LIMIT} bytes"
+        end
+
         if boundary.length > 70
           # RFC 1521 Section 7.2.1 imposes a 70 character maximum for the boundary.
           # Most clients use no more than 55 characters.
@@ -237,6 +245,7 @@ def initialize(boundary, tempfile, bufsize, query_parser)
         @mime_index = 0
         @body_retained = nil
         @retained_size = 0
+        @total_bytes_read = (0 if PARSER_BYTESIZE_LIMIT)
         @collector = Collector.new tempfile
 
         @sbuf = StringScanner.new("".dup)
@@ -248,6 +257,7 @@ def initialize(boundary, tempfile, bufsize, query_parser)
       end
 
       def parse(io)
+        @total_bytes_read &&= nil if io.is_a?(BoundedIO)
         outbuf = String.new
         read_data(io, outbuf)
 
@@ -291,6 +301,12 @@ def dequote(str) # From WEBrick::HTTPUtils
       def read_data(io, outbuf)
         content = io.read(@bufsize, outbuf)
         handle_empty_content!(content)
+        if @total_bytes_read
+          @total_bytes_read += content.bytesize
+          if @total_bytes_read > PARSER_BYTESIZE_LIMIT
+            raise Error, "multipart upload exceeds limit of #{PARSER_BYTESIZE_LIMIT} bytes"
+          end
+        end
         @sbuf.concat(content)
       end
 
diff --git a/test/spec_multipart.rb b/test/spec_multipart.rb
@@ -29,6 +29,18 @@ def multipart_file(name)
     File.join(File.dirname(__FILE__), "multipart", name.to_s)
   end
 
+  def with_multipart_limit(limit)
+    previous = Rack::Multipart::Parser.send(:const_get, :PARSER_BYTESIZE_LIMIT)
+    begin
+      Rack::Multipart::Parser.send(:remove_const, :PARSER_BYTESIZE_LIMIT)
+      Rack::Multipart::Parser.const_set(:PARSER_BYTESIZE_LIMIT, limit)
+      yield
+    ensure
+      Rack::Multipart::Parser.send(:remove_const, :PARSER_BYTESIZE_LIMIT)
+      Rack::Multipart::Parser.const_set(:PARSER_BYTESIZE_LIMIT, previous)
+    end
+  end
+
   it "returns nil if the content type is not multipart" do
     env = Rack::MockRequest.env_for("/", "CONTENT_TYPE" => 'application/x-www-form-urlencoded', :input => "")
     Rack::Multipart.parse_multipart(env).must_be_nil
@@ -64,6 +76,49 @@ def multipart_file(name)
     }.must_raise Rack::Multipart::Error
   end
 
+  it "raises an exception if Content-Length exceeds total bytesize limit" do
+    with_multipart_limit(1024) do
+      env = Rack::MockRequest.env_for("/",
+        "CONTENT_TYPE" => "multipart/form-data; boundary=AaB03x",
+        "CONTENT_LENGTH" => "2048",
+        :input => StringIO.new("--AaB03x--\r\n"))
+
+      lambda {
+        Rack::Multipart.parse_multipart(env)
+      }.must_raise(Rack::Multipart::Error)
+    end
+  end
+
+  it "allows requests within the total bytesize limit" do
+    with_multipart_limit(1024 * 1024) do
+      env = Rack::MockRequest.env_for("/", multipart_fixture(:text))
+      params = Rack::Multipart.parse_multipart(env)
+      params["submit-name"].must_equal "Larry"
+    end
+  end
+
+  it "skips total bytesize check when there is no limit" do
+    with_multipart_limit(nil) do
+      env = Rack::MockRequest.env_for("/", multipart_fixture(:text))
+      params = Rack::Multipart.parse_multipart(env)
+      params["submit-name"].must_equal "Larry"
+    end
+  end
+
+  it "enforces total bytesize limit during streaming when Content-Length is absent" do
+    with_multipart_limit(1) do
+      # Even without Content-Length, the streaming check catches oversized uploads
+      fixture = multipart_fixture(:text)
+      fixture.delete("CONTENT_LENGTH")
+      env = Rack::MockRequest.env_for("/", fixture)
+      env.delete("CONTENT_LENGTH")
+
+      lambda {
+        Rack::Multipart.parse_multipart(env)
+      }.must_raise Rack::Multipart::Error
+    end
+  end
+
   it "raises a bad request exception if no body is given but content type indicates a multipart body" do
     env = Rack::MockRequest.env_for("/", "CONTENT_TYPE" => 'multipart/form-data; boundary=BurgerBurger', :input => nil)
     lambda {
