Fix an exploitable bug in CGI multipart parsing which affects Ruby <= 1.8.5 when the input stream returns "" (empty string) instead of nil on EOF. Certain malformed multipart requests leave the parser in a non-terminating state, leaving the program vulnerable to a denial of service attack. The fix more carefully checks for input stream EOF.

affected: standalone CGI, Mongrel
unaffected: FastCGI, mod_ruby, WEBrick

This fully closes a previously-reported but partially-fixed vulnerability:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0983
http://www.securityfocus.com/bid/11618/info

Attached are a README, the patch, a distributable hotfix gem for existing Ruby installs, and a test demonstrating the flaw. Install the gem and run the test to verify the flaw is corrected. To include the fix in Rails apps, require 'cgi_multipart_eof_fix' in config/environment.rb.

Regards,
jeremy
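As an added illustration (not the attached patch and not code from the cgi_multipart_eof_fix gem), the Ruby below shows the kind of EOF check the message describes: a minimal multipart body reader that treats both nil and "" from read as end of input, so a body that never carries its closing boundary raises EOFError instead of spinning. It is fed by a constructed stub stream that returns "" at EOF, the behaviour the message attributes to Ruby <= 1.8.5 under standalone CGI and Mongrel. The stream class, the reader function, the boundary and the sample bodies are all assumptions made for this example.

```ruby
require 'stringio'

# Constructed stub for this example: an input stream whose read(n) hands
# back "" rather than nil once the data is exhausted, mimicking the EOF
# behaviour the message attributes to Ruby <= 1.8.5 CGI input.
class EmptyStringAtEofStream
  def initialize(data)
    @io = StringIO.new(data)
  end

  def read(n)
    chunk = @io.read(n)
    chunk.nil? ? "" : chunk
  end
end

# Minimal multipart/form-data reader (example code, not cgi.rb). It pulls
# the body in fixed-size chunks until the closing boundary "--<boundary>--"
# appears, and treats BOTH nil and "" from read as EOF. A truncated body
# therefore raises EOFError rather than looping forever.
# Returns an array of [raw_headers, value] pairs, one per part.
def read_multipart_parts(stream, boundary, bufsize = 16)
  delimiter = "--#{boundary}"
  closing   = "#{delimiter}--"
  buf = String.new
  until buf.include?(closing)
    chunk = stream.read(bufsize)
    # A stream that returns "" at EOF never yields nil; checking only for
    # nil would leave this loop running indefinitely on a body that is
    # missing its terminator. Checking both closes that gap.
    raise EOFError, "bad content body" if chunk.nil? || chunk.empty?
    buf << chunk
  end
  # Keep everything before the closing boundary, split on the delimiter,
  # and drop the preamble (whatever preceded the first delimiter).
  body = buf[0, buf.index(closing)]
  body.split(delimiter).drop(1).map do |part|
    trimmed = part.sub(/\A\r\n/, "").sub(/\r\n\z/, "")
    headers, value = trimmed.split("\r\n\r\n", 2)
    [headers, value.to_s]
  end
end

# Constructed sample bodies: one well-formed, one missing its closing boundary.
BOUNDARY       = "AaB03x"
GOOD_BODY      = "--AaB03x\r\nContent-Disposition: form-data; name=\"field\"\r\n\r\nhello\r\n--AaB03x--\r\n"
TRUNCATED_BODY = "--AaB03x\r\nContent-Disposition: form-data; name=\"field\"\r\n\r\nhello\r\n"

if __FILE__ == $0
  parts = read_multipart_parts(EmptyStringAtEofStream.new(GOOD_BODY), BOUNDARY)
  puts "parsed #{parts.length} part(s); first value: #{parts[0][1].inspect}"
  begin
    read_multipart_parts(EmptyStringAtEofStream.new(TRUNCATED_BODY), BOUNDARY)
  rescue EOFError => e
    puts "truncated body rejected: #{e.message}"
  end
end
```

The reader behaves the same whether the underlying stream signals EOF with nil (as StringIO does) or with "" (as the stub does), which is the property the hotfix restores for the affected configurations.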