rack 2.0.9.1 → 2.0.9.2





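--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 3d7540b6cecf9193ad7a6ca8f1be4e4a97cf56b3d9a54d420b21ca164af57b66
- data.tar.gz: b966e0e74ffe6c9b813bbbb222ec3d5ff5b331878feb57440c23a74ebf93197d
+ metadata.gz: bc237005e0685c87558593892557c95cd2b19a69344a5e7730861c4737710068
+ data.tar.gz: c6f06fabfb75b648b39013635615bb0c234b46e06bb21ee0d34fa984bc8a4327
  SHA512:
- metadata.gz: e9d484bfb940bb4894a9c4be9cf7c88f5b7d13c55bbd1b7dfc110b6dee577d6aa724614ec7e9f3861f860e4d699933ee49b5e32fca1affdae6541f459176260a
- data.tar.gz: 4ddec5784e6318979bfcefd89c12882f2da022ddb216e99df6d570871e35b9ba9f693872245f031a3fb8505361b966b41dae0d32b180fcb53a8bdec1f329f57f
+ metadata.gz: 91d96b990c872a04ed4dfc6eeea2ee24c7229d1bc382fb19ee56a2d63df67ef155e76e2ff760b5fce600101bf49f4359ed021959f1d72789821c71db4653e67a
+ data.tar.gz: bf4aceee4f04788e44dac8838ff210be458f6869264c380da218ad1d8f60651900212c6f2b6e1909666d9861a2d7865a85da8b4ff836b5ad075d3fe7cf9293f2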
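--- a/data/HISTORY.md
+++ b/data/HISTORY.md
@@ -1,3 +1,9 @@
+ Tue Jan 17 12:27:04 2023 Aaron Patterson <tenderlove@ruby-lang.org>
+
+ * [CVE-2022-44571] Fix ReDoS vulnerability in multipart parser
+ * [CVE-2022-44570] Fix ReDoS in Rack::Utils.get_byte_ranges
+ * [CVE-2022-44572] Forbid control characters in attributes (also ReDoS)
+
  Fri May 27 08:27:04 2022 Aaron Patterson <tenderlove@ruby-lang.org>
 
  * [CVE-2022-30123] Fix shell escaping issue in Common Logger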
@@ -16,10 +16,10 @@ module Rack
16
16
  VALUE = /"(?:\\"|[^"])*"|#{TOKEN}/
17
17
  BROKEN = /^#{CONDISP}.*;\s*filename=(#{VALUE})/i
18
18
  MULTIPART_CONTENT_TYPE = /Content-Type: (.*)#{EOL}/ni
19
- MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:.*\s+name=(#{VALUE})/ni
19
+ MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:[^:]*;\s+name=(#{VALUE})/ni
20
20
  MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
21
21
  # Updated definitions from RFC 2231
22
- ATTRIBUTE_CHAR = %r{[^ \t\v\n\r)(><@,;:\\"/\[\]?='*%]}
22
+ ATTRIBUTE_CHAR = %r{[^ \x00-\x1f\x7f)(><@,;:\\"/\[\]?='*%]}
23
23
  ATTRIBUTE = /#{ATTRIBUTE_CHAR}+/
24
24
  SECTION = /\*[0-9]+/
25
25
  REGULAR_PARAMETER_NAME = /#{ATTRIBUTE}#{SECTION}?/
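Review bot: The `[^:]*` that replaces `.*` in MULTIPART_CONTENT_DISPOSITION also matches line breaks (under `/n` without `/m`, `.` stopped at `\n`), so the pattern can now run past the end of the Content-Disposition line and take a `;\s+name=` from a later line as long as no `:` lies in between; if that spanning is not intended, `[^:\n]*` keeps the same bound while staying line-local. Both this change and the ATTRIBUTE_CHAR change correspond to the [CVE-2022-44571] and [CVE-2022-44572] entries in HISTORY.md on this page, yet the constants carry no comment saying why they must not be relaxed again — a one-liner such as `# [CVE-2022-44571] bounded by the next ':' rather than .* to avoid catastrophic backtracking` above the first and `# [CVE-2022-44572] control characters (\x00-\x1f, \x7f) are not attribute chars` above the second would document that. The file header for this hunk is not shown on the page, and the enclosing `module Rack` starts outside it.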
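--- a/data/lib/rack/utils.rb
+++ b/data/lib/rack/utils.rb
@@ -365,17 +365,18 @@ module Rack
  return nil unless http_range && http_range =~ /bytes=([^;]+)/
  ranges = []
  $1.split(/,\s*/).each do |range_spec|
- return nil unless range_spec =~ /(\d*)-(\d*)/
- r0,r1 = $1, $2
- if r0.empty?
- return nil if r1.empty?
+ return nil unless range_spec.include?('-')
+ range = range_spec.split('-')
+ r0, r1 = range[0], range[1]
+ if r0.nil? || r0.empty?
+ return nil if r1.nil?
  # suffix-byte-range-spec, represents trailing suffix of file
  r0 = size - r1.to_i
  r0 = 0 if r0 < 0
  r1 = size - 1
  else
  r0 = r0.to_i
- if r1.empty?
+ if r1.nil?
  r1 = size - 1
  else
  r1 = r1.to_i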
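Review bot: The `split('-')` rewrite drops the digit validation the old `/(\d*)-(\d*)/` match gave, so a spec such as `bytes=a-b` is no longer rejected but reaches `to_i` on both parts (presumably ending up as 0..0 in the code after the hunk), and `bytes=--5` arrives in the suffix branch with `r1 = ""` instead of returning nil as before. Adding one line right after `r0, r1 = range[0], range[1]`, `return nil unless (r0.nil? || r0 =~ /\A\d*\z/) && (r1.nil? || r1 =~ /\A\d+\z/)`, keeps the linear-time parsing (an anchored `\A…\z` digit class cannot backtrack) while rejecting malformed specs; it is slightly stricter than the old code for doubled dashes like `5--3`, which matches the byte-range grammar of one digit run per side. Presumably the added leniency is unintended, since the HISTORY.md entry on this page describes only the ReDoS fix for this method. The enclosing get_byte_ranges begins before and ends after the hunk.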
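--- a/data/lib/rack.rb
+++ b/data/lib/rack.rb
@@ -18,7 +18,7 @@ module Rack
  VERSION.join(".")
  end
 
- RELEASE = "2.0.9.1"
+ RELEASE = "2.0.9.2"
 
  # Return the Rack release as a dotted string.
  def self.release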
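--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: rack
  version: !ruby/object:Gem::Version
- version: 2.0.9.1
+ version: 2.0.9.2
  platform: ruby
  authors:
  - Leah Neukirchen
- autorequire:
+ autorequire:
  bindir: bin
  cert_chain: []
- date: 2022-05-27 00:00:00.000000000 Z
+ date: 2023-01-17 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: minitest
@@ -260,7 +260,7 @@ homepage: https://rack.github.io/
  licenses:
  - MIT
  metadata: {}
- post_install_message:
+ post_install_message:
  rdoc_options: []
  require_paths:
  - lib
@@ -275,8 +275,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  - !ruby/object:Gem::Version
  version: '0'
  requirements: []
- rubygems_version: 3.0.3.1
- signing_key:
+ rubygems_version: 3.1.6
+ signing_key:
  specification_version: 4
  summary: a modular Ruby webserver interface
  test_files: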