Curl multipart header injection via unescaped field names/filenames

## Summary

When building multipart form data with `-F`, field names and filenames are interpolated directly into `Content-Disposition` headers without escaping quotes or newlines. A field name containing `"` or `\r\n` characters can inject arbitrary HTTP headers into the multipart body.

**Severity:** Medium  
**Category:** Injection (TM-INJ)

## Affected Files

- `crates/bashkit/src/builtins/curl.rs` lines 386-399

## Steps to Reproduce

```bash
# Field name with embedded quote and CRLF
curl -F 'key"; filename="evil.txt\r\nEvil-Header: injected=value' http://httpbin.org/post
```

## Impact

- HTTP header injection in multipart requests
- Potential request smuggling against target servers
- Could enable SSRF in chained attack scenarios

## Acceptance Criteria

- [ ] Escape or reject double quotes in field names and filenames (replace `"` with `\"`)
- [ ] Reject `\r` and `\n` characters in field names and filenames
- [ ] Consider RFC 2231 encoding for non-ASCII characters
- [ ] Test: Field name with `"` is properly escaped
- [ ] Test: Field name with `\r\n` is rejected with error

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Curl multipart header injection via unescaped field names/filenames #985

Summary

Affected Files

Steps to Reproduce

Impact

Acceptance Criteria

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Curl multipart header injection via unescaped field names/filenames #985

Description

Summary

Affected Files

Steps to Reproduce

Impact

Acceptance Criteria

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions