rack 1.4.5 → 1.4.6

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 831b88a622b664dc64b00b2a2870464ddda19600
+  data.tar.gz: 269e5418115994dafa0d31264de69e535f4f2614
+SHA512:
+  metadata.gz: 943193c81ea0787cdf1b51407826fb495c6c27f015e2d714dc313d2b377495f2db069e7e3df31ce3056b3737372c073fac81644a3d6e493e84d53dc903f1bcc3
+  data.tar.gz: 1a94e8b2f5dead0aa38784c3c06bb0d0d14252be517a6962914d0846af2d147ef316dabca6d1d234472ad811b5e546abf0272fca4dd12868453cee778d1ddfea

data/lib/rack.rb

@@ -20,7 +20,7 @@ module Rack
 
   # Return the Rack release as a dotted string.
   def self.release
-    "1.4"
+    "1.4.6"
   end
 
   autoload :Builder, "rack/builder"

data/lib/rack/multipart/parser.rb

@@ -2,6 +2,8 @@ require 'rack/utils'
 
 module Rack
   module Multipart
+    class MultipartLimitError < Errno::EMFILE; end
+
     class Parser
       BUFSIZE = 16384
 
@@ -14,7 +16,13 @@ module Rack
 
         fast_forward_to_first_boundary
 
+        opened_files = 0
         loop do
+          if Utils.multipart_part_limit > 0
+            raise MultipartLimitError, 'Maximum file multiparts in content reached' if opened_files >= Utils.multipart_part_limit
+            opened_files += 1
+          end
+
           head, filename, content_type, name, body =
             get_current_head_and_filename_and_content_type_and_name_and_body
 

data/lib/rack/server.rb

@@ -337,6 +337,8 @@ module Rack
         return :exited unless ::File.exist?(options[:pid])
 
         pid = ::File.read(options[:pid]).to_i
+        return :dead if pid == 0
+
         Process.kill(0, pid)
         :running
       rescue Errno::ESRCH

data/lib/rack/utils.rb

@@ -51,12 +51,23 @@ module Rack
 
     class << self
       attr_accessor :key_space_limit
+      attr_accessor :param_depth_limit
+      attr_accessor :multipart_part_limit
     end
 
     # The default number of bytes to allow parameter keys to take up.
     # This helps prevent a rogue client from flooding a Request.
     self.key_space_limit = 65536
 
+    # Default depth at which the parameter parser will raise an exception for
+    # being too deep.  This helps prevent SystemStackErrors
+    self.param_depth_limit = 100
+    #
+    # The maximum number of parts a request can contain. Accepting to many part
+    # can lead to the server running out of file handles.
+    # Set to `0` for no limit.
+    self.multipart_part_limit = (ENV['RACK_MULTIPART_PART_LIMIT'] || 128).to_i
+
     # Stolen from Mongrel, with some small modifications:
     # Parses a query string by breaking it up at the '&'
     # and ';' characters.  You can also use this to parse
@@ -100,7 +111,9 @@ module Rack
     end
     module_function :parse_nested_query
 
-    def normalize_params(params, name, v = nil)
+    def normalize_params(params, name, v = nil, depth = Utils.param_depth_limit)
+      raise RangeError if depth <= 0
+
       name =~ %r(\A[\[\]]*([^\[\]]+)\]*)
       k = $1 || ''
       after = $' || ''
@@ -118,14 +131,14 @@ module Rack
         params[k] ||= []
         raise TypeError, "expected Array (got #{params[k].class.name}) for param `#{k}'" unless params[k].is_a?(Array)
         if params_hash_type?(params[k].last) && !params[k].last.key?(child_key)
-          normalize_params(params[k].last, child_key, v)
+          normalize_params(params[k].last, child_key, v, depth - 1)
         else
-          params[k] << normalize_params(params.class.new, child_key, v)
+          params[k] << normalize_params(params.class.new, child_key, v, depth - 1)
         end
       else
         params[k] ||= params.class.new
         raise TypeError, "expected Hash (got #{params[k].class.name}) for param `#{k}'" unless params_hash_type?(params[k])
-        params[k] = normalize_params(params[k], after, v)
+        params[k] = normalize_params(params[k], after, v, depth - 1)
       end
 
       return params

data/rack.gemspec

@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name            = "rack"
-  s.version         = "1.4.5"
+  s.version         = "1.4.6"
   s.platform        = Gem::Platform::RUBY
   s.summary         = "a modular Ruby webserver interface"
 

data/test/spec_multipart.rb

@@ -364,22 +364,29 @@ Content-Type: image/jpeg\r
   end
 
   it "builds complete params with the chunk size of 16384 slicing exactly on boundary" do
-    data = File.open(multipart_file("fail_16384_nofile")) { |f| f.read }.gsub(/\n/, "\r\n")
-    options = {
-      "CONTENT_TYPE" => "multipart/form-data; boundary=----WebKitFormBoundaryWsY0GnpbI5U7ztzo",
-      "CONTENT_LENGTH" => data.length.to_s,
-      :input => StringIO.new(data)
-    }
-    env = Rack::MockRequest.env_for("/", options)
-    params = Rack::Multipart.parse_multipart(env)
-
-    params.should.not.equal nil
-    params.keys.should.include "AAAAAAAAAAAAAAAAAAA"
-    params["AAAAAAAAAAAAAAAAAAA"].keys.should.include "PLAPLAPLA_MEMMEMMEMM_ATTRATTRER"
-    params["AAAAAAAAAAAAAAAAAAA"]["PLAPLAPLA_MEMMEMMEMM_ATTRATTRER"].keys.should.include "new"
-    params["AAAAAAAAAAAAAAAAAAA"]["PLAPLAPLA_MEMMEMMEMM_ATTRATTRER"]["new"].keys.should.include "-2"
-    params["AAAAAAAAAAAAAAAAAAA"]["PLAPLAPLA_MEMMEMMEMM_ATTRATTRER"]["new"]["-2"].keys.should.include "ba_unit_id"
-    params["AAAAAAAAAAAAAAAAAAA"]["PLAPLAPLA_MEMMEMMEMM_ATTRATTRER"]["new"]["-2"]["ba_unit_id"].should.equal "1017"
+    begin
+      previous_limit = Rack::Utils.multipart_part_limit
+      Rack::Utils.multipart_part_limit = 256
+
+      data = File.open(multipart_file("fail_16384_nofile"), 'rb') { |f| f.read }.gsub(/\n/, "\r\n")
+      options = {
+        "CONTENT_TYPE" => "multipart/form-data; boundary=----WebKitFormBoundaryWsY0GnpbI5U7ztzo",
+        "CONTENT_LENGTH" => data.length.to_s,
+        :input => StringIO.new(data)
+      }
+      env = Rack::MockRequest.env_for("/", options)
+      params = Rack::Multipart.parse_multipart(env)
+
+      params.should.not.equal nil
+      params.keys.should.include "AAAAAAAAAAAAAAAAAAA"
+      params["AAAAAAAAAAAAAAAAAAA"].keys.should.include "PLAPLAPLA_MEMMEMMEMM_ATTRATTRER"
+      params["AAAAAAAAAAAAAAAAAAA"]["PLAPLAPLA_MEMMEMMEMM_ATTRATTRER"].keys.should.include "new"
+      params["AAAAAAAAAAAAAAAAAAA"]["PLAPLAPLA_MEMMEMMEMM_ATTRATTRER"]["new"].keys.should.include "-2"
+      params["AAAAAAAAAAAAAAAAAAA"]["PLAPLAPLA_MEMMEMMEMM_ATTRATTRER"]["new"]["-2"].keys.should.include "ba_unit_id"
+      params["AAAAAAAAAAAAAAAAAAA"]["PLAPLAPLA_MEMMEMMEMM_ATTRATTRER"]["new"]["-2"]["ba_unit_id"].should.equal "1017"
+    ensure
+      Rack::Utils.multipart_part_limit = previous_limit
+    end
   end
 
   should "return nil if no UploadedFiles were used" do

data/test/spec_request.rb

@@ -2,6 +2,7 @@ require 'stringio'
 require 'cgi'
 require 'rack/request'
 require 'rack/mock'
+require 'securerandom'
 
 describe Rack::Request do
   should "wrap the rack variables" do
@@ -613,6 +614,22 @@ EOF
     f[:tempfile].size.should.equal 76
   end
 
+  should "MultipartLimitError when request has too many multipart parts if limit set" do
+    begin
+      data = 10000.times.map { "--AaB03x\r\nContent-Type: text/plain\r\nContent-Disposition: attachment; name=#{SecureRandom.hex(10)}; filename=#{SecureRandom.hex(10)}\r\n\r\ncontents\r\n" }.join("\r\n")
+      data += "--AaB03x--\r"
+
+      options = {
+        "CONTENT_TYPE" => "multipart/form-data; boundary=AaB03x",
+        "CONTENT_LENGTH" => data.length.to_s,
+        :input => StringIO.new(data)
+      }
+
+      request = Rack::Request.new Rack::MockRequest.env_for("/", options)
+      lambda { request.POST }.should.raise(Rack::Multipart::MultipartLimitError)
+    end
+  end
+
   should "parse big multipart form data" do
     input = <<EOF
 --AaB03x\r

data/test/spec_utils.rb

@@ -123,6 +123,18 @@ describe Rack::Utils do
     Rack::Utils.parse_query(",foo=bar;,", ";,").should.equal "foo" => "bar"
   end
 
+  should "raise an exception if the params are too deep" do
+    len = Rack::Utils.param_depth_limit
+
+    lambda {
+      Rack::Utils.parse_nested_query("foo#{"[a]" * len}=bar")
+    }.should.raise(RangeError)
+
+    lambda {
+      Rack::Utils.parse_nested_query("foo#{"[a]" * (len - 1)}=bar")
+    }.should.not.raise
+  end
+
   should "parse nested query strings correctly" do
     Rack::Utils.parse_nested_query("foo").
       should.equal "foo" => nil

metadata

@@ -1,128 +1,120 @@
---- !ruby/object:Gem::Specification 
+--- !ruby/object:Gem::Specification
 name: rack
-version: !ruby/object:Gem::Version 
-  hash: 13
-  prerelease: 
-  segments: 
-  - 1
-  - 4
-  - 5
-  version: 1.4.5
+version: !ruby/object:Gem::Version
+  version: 1.4.6
 platform: ruby
-authors: 
+authors:
 - Christian Neukirchen
 autorequire: 
 bindir: bin
 cert_chain: []
-
-date: 2013-02-08 00:00:00 Z
-dependencies: 
-- !ruby/object:Gem::Dependency 
+date: 2015-06-16 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
   name: bacon
-  prerelease: false
-  requirement: &id001 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
     - - ">="
-      - !ruby/object:Gem::Version 
-        hash: 3
-        segments: 
-        - 0
-        version: "0"
+      - !ruby/object:Gem::Version
+        version: '0'
   type: :development
-  version_requirements: *id001
-- !ruby/object:Gem::Dependency 
-  name: rake
   prerelease: false
-  requirement: &id002 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
     - - ">="
-      - !ruby/object:Gem::Version 
-        hash: 3
-        segments: 
-        - 0
-        version: "0"
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
   type: :development
-  version_requirements: *id002
-- !ruby/object:Gem::Dependency 
-  name: ruby-fcgi
   prerelease: false
-  requirement: &id003 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
     - - ">="
-      - !ruby/object:Gem::Version 
-        hash: 3
-        segments: 
-        - 0
-        version: "0"
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: ruby-fcgi
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
   type: :development
-  version_requirements: *id003
-- !ruby/object:Gem::Dependency 
-  name: memcache-client
   prerelease: false
-  requirement: &id004 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: memcache-client
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
     - - ">="
-      - !ruby/object:Gem::Version 
-        hash: 3
-        segments: 
-        - 0
-        version: "0"
+      - !ruby/object:Gem::Version
+        version: '0'
   type: :development
-  version_requirements: *id004
-- !ruby/object:Gem::Dependency 
-  name: mongrel
   prerelease: false
-  requirement: &id005 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: mongrel
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
     - - ">="
-      - !ruby/object:Gem::Version 
-        hash: 3904189667
-        segments: 
-        - 1
-        - 2
-        - 0
-        - pre
-        - 2
+      - !ruby/object:Gem::Version
         version: 1.2.0.pre2
   type: :development
-  version_requirements: *id005
-- !ruby/object:Gem::Dependency 
-  name: thin
   prerelease: false
-  requirement: &id006 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
     - - ">="
-      - !ruby/object:Gem::Version 
-        hash: 3
-        segments: 
-        - 0
-        version: "0"
+      - !ruby/object:Gem::Version
+        version: 1.2.0.pre2
+- !ruby/object:Gem::Dependency
+  name: thin
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
   type: :development
-  version_requirements: *id006
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: |
   Rack provides a minimal, modular and adaptable interface for developing
   web applications in Ruby.  By wrapping HTTP requests and responses in
   the simplest way possible, it unifies and distills the API for web
   servers, web frameworks, and software in between (the so-called
   middleware) into a single method call.
-  
-  Also see http://rack.github.com/.
 
+  Also see http://rack.github.com/.
 email: chneukirchen@gmail.com
-executables: 
+executables:
 - rackup
 extensions: []
-
-extra_rdoc_files: 
+extra_rdoc_files:
 - README.rdoc
 - KNOWN-ISSUES
-files: 
+files:
+- COPYING
+- KNOWN-ISSUES
+- README.rdoc
+- Rakefile
+- SPEC
 - bin/rackup
 - contrib/rack.png
 - contrib/rack.svg
@@ -131,6 +123,7 @@ files:
 - example/lobster.ru
 - example/protectedlobster.rb
 - example/protectedlobster.ru
+- lib/rack.rb
 - lib/rack/auth/abstract/handler.rb
 - lib/rack/auth/abstract/request.rb
 - lib/rack/auth/basic.rb
@@ -154,6 +147,7 @@ files:
 - lib/rack/directory.rb
 - lib/rack/etag.rb
 - lib/rack/file.rb
+- lib/rack/handler.rb
 - lib/rack/handler/cgi.rb
 - lib/rack/handler/evented_mongrel.rb
 - lib/rack/handler/fastcgi.rb
@@ -163,7 +157,6 @@ files:
 - lib/rack/handler/swiftiplied_mongrel.rb
 - lib/rack/handler/thin.rb
 - lib/rack/handler/webrick.rb
-- lib/rack/handler.rb
 - lib/rack/head.rb
 - lib/rack/lint.rb
 - lib/rack/lobster.rb
@@ -172,10 +165,10 @@ files:
 - lib/rack/methodoverride.rb
 - lib/rack/mime.rb
 - lib/rack/mock.rb
+- lib/rack/multipart.rb
 - lib/rack/multipart/generator.rb
 - lib/rack/multipart/parser.rb
 - lib/rack/multipart/uploaded_file.rb
-- lib/rack/multipart.rb
 - lib/rack/nulllogger.rb
 - lib/rack/recursive.rb
 - lib/rack/reloader.rb
@@ -194,7 +187,7 @@ files:
 - lib/rack/static.rb
 - lib/rack/urlmap.rb
 - lib/rack/utils.rb
-- lib/rack.rb
+- rack.gemspec
 - test/builder/anything.rb
 - test/builder/comment.ru
 - test/builder/end.ru
@@ -289,46 +282,30 @@ files:
 - test/testrequest.rb
 - test/unregistered_handler/rack/handler/unregistered.rb
 - test/unregistered_handler/rack/handler/unregistered_long_one.rb
-- COPYING
-- KNOWN-ISSUES
-- rack.gemspec
-- Rakefile
-- README.rdoc
-- SPEC
 homepage: http://rack.github.com/
 licenses: []
-
+metadata: {}
 post_install_message: 
 rdoc_options: []
-
-require_paths: 
+require_paths:
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement 
-  none: false
-  requirements: 
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
   - - ">="
-    - !ruby/object:Gem::Version 
-      hash: 3
-      segments: 
-      - 0
-      version: "0"
-required_rubygems_version: !ruby/object:Gem::Requirement 
-  none: false
-  requirements: 
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
   - - ">="
-    - !ruby/object:Gem::Version 
-      hash: 3
-      segments: 
-      - 0
-      version: "0"
+    - !ruby/object:Gem::Version
+      version: '0'
 requirements: []
-
 rubyforge_project: rack
-rubygems_version: 1.8.24
+rubygems_version: 2.4.5
 signing_key: 
-specification_version: 3
+specification_version: 4
 summary: a modular Ruby webserver interface
-test_files: 
+test_files:
 - test/spec_auth.rb
 - test/spec_auth_basic.rb
 - test/spec_auth_digest.rb
@@ -376,4 +353,3 @@ test_files:
 - test/spec_urlmap.rb
 - test/spec_utils.rb
 - test/spec_webrick.rb
-has_rdoc: