Improper Handling of Length Parameter Inconsistency

Summary

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.x prior to 3.1.21 and 3.2.x prior to 3.2.6, `Rack::Files#fail` sets the Content-Length response header using `String#size` instead of `String#bytesize`. When the response body contains multibyte UTF-8 characters, the declared Content-Length is smaller than the number of bytes actually sent on the wire. Because `Rack::Files` reflects the requested path in 404 responses, an attacker can trigger this mismatch by requesting a non-existent path containing percent-encoded UTF-8 characters. This results in incorrect HTTP response framing and may cause response desynchronization in deployments that rely on the incorrect Content-Length value. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.