rack 2.0.9.2 → 2.0.9.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bc237005e0685c87558593892557c95cd2b19a69344a5e7730861c4737710068
-  data.tar.gz: c6f06fabfb75b648b39013635615bb0c234b46e06bb21ee0d34fa984bc8a4327
+  metadata.gz: 3418ae80f8de1427728a2e17364b9c8d124f2efb3e2ce6ebd2fbf6ba08c76efa
+  data.tar.gz: 2ba9cd20d9b168c583813b6c1e0d39cb6b8f33d110605b2c28c97dac60718cfc
 SHA512:
-  metadata.gz: 91d96b990c872a04ed4dfc6eeea2ee24c7229d1bc382fb19ee56a2d63df67ef155e76e2ff760b5fce600101bf49f4359ed021959f1d72789821c71db4653e67a
-  data.tar.gz: bf4aceee4f04788e44dac8838ff210be458f6869264c380da218ad1d8f60651900212c6f2b6e1909666d9861a2d7865a85da8b4ff836b5ad075d3fe7cf9293f2
+  metadata.gz: ff2af28dd5b0b338c61d95eb793ac577098803374db893f739402ebd41ee75a1ebab4eba32474e2e68014475f0f5e71ad8fff3b4270fe3c9f281eaf3024c4b32
+  data.tar.gz: 6ebf297cb644ab382bcf02d3c0a7b4376223222ccaca426e093ecba02a4a9302324199ecd43788aa5f248b060f3c37a16fe820ebb9b46570dc2831627ef486d0

data/HISTORY.md

@@ -1,3 +1,7 @@
+Thu Mar  2 14:50:46 2023  Aaron Patterson <tenderlove@ruby-lang.org>
+
+	* [CVE-2023-27530] Introduce multipart_total_part_limit to limit total parts
+
 Tue Jan 17 12:27:04 2023  Aaron Patterson <tenderlove@ruby-lang.org>
 
         * [CVE-2022-44571] Fix ReDoS vulnerability in multipart parser

data/README.rdoc

@@ -189,16 +189,30 @@ This helps prevent a rogue client from flooding a Request.
 
 Default to 65536 characters (4 kiB in worst case).
 
-=== multipart_part_limit
+=== multipart_file_limit
 
-The maximum number of parts a request can contain.
+The maximum number of parts with a filename a request can contain.
 Accepting too many part can lead to the server running out of file handles.
 
 The default is 128, which means that a single request can't upload more than 128 files at once.
 
 Set to 0 for no limit.
 
-Can also be set via the RACK_MULTIPART_PART_LIMIT environment variable.
+Can also be set via the +RACK_MULTIPART_FILE_LIMIT+ environment variable.
+
+(This is also aliased as +multipart_part_limit+ and +RACK_MULTIPART_PART_LIMIT+ for compatibility)
+
+=== multipart_total_part_limit
+
+The maximum total number of parts a request can contain of any type, including
+both file and non-file form fields.
+
+The default is 4096, which means that a single request can't contain more than
+4096 parts.
+
+Set to 0 for no limit.
+
+Can also be set via the +RACK_MULTIPART_TOTAL_PART_LIMIT+ environment variable.
 
 == History
 

data/lib/rack/multipart/parser.rb

@@ -3,6 +3,7 @@ require 'rack/utils'
 module Rack
   module Multipart
     class MultipartPartLimitError < Errno::EMFILE; end
+    class MultipartTotalPartLimitError < StandardError; end
 
     class Parser
       BUFSIZE = 16384
@@ -138,7 +139,8 @@ module Rack
           end
 
           @mime_parts[mime_index] = klass.new(body, head, filename, content_type, name)
-          check_open_files
+
+          check_part_limits
         end
 
         def on_mime_body mime_index, content
@@ -150,13 +152,23 @@ module Rack
 
         private
 
-        def check_open_files
-          if Utils.multipart_part_limit > 0
-            if @open_files >= Utils.multipart_part_limit
+        def check_part_limits
+          file_limit = Utils.multipart_file_limit
+          part_limit = Utils.multipart_total_part_limit
+
+          if file_limit && file_limit > 0
+            if @open_files >= file_limit
               @mime_parts.each(&:close)
               raise MultipartPartLimitError, 'Maximum file multiparts in content reached'
             end
           end
+
+          if part_limit && part_limit > 0
+            if @mime_parts.size >= part_limit
+              @mime_parts.each(&:close)
+              raise MultipartTotalPartLimitError, 'Maximum total multiparts in content reached'
+            end
+          end
         end
       end
 

data/lib/rack/utils.rb

@@ -53,13 +53,24 @@ module Rack
     module_function :unescape
 
     class << self
-      attr_accessor :multipart_part_limit
+      attr_accessor :multipart_total_part_limit
+
+      attr_accessor :multipart_file_limit
+
+      # multipart_part_limit is the original name of multipart_file_limit, but
+      # the limit only counts parts with filenames.
+      alias multipart_part_limit multipart_file_limit
+      alias multipart_part_limit= multipart_file_limit=
     end
 
-    # The maximum number of parts a request can contain. Accepting too many part
-    # can lead to the server running out of file handles.
+    # The maximum number of file parts a request can contain. Accepting too
+    # many parts can lead to the server running out of file handles.
     # Set to `0` for no limit.
-    self.multipart_part_limit = (ENV['RACK_MULTIPART_PART_LIMIT'] || 128).to_i
+    self.multipart_file_limit = (ENV['RACK_MULTIPART_PART_LIMIT'] || ENV['RACK_MULTIPART_FILE_LIMIT'] || 128).to_i
+
+    # The maximum total number of parts a request can contain. Accepting too
+    # many can lead to excessive memory use and parsing time.
+    self.multipart_total_part_limit = (ENV['RACK_MULTIPART_TOTAL_PART_LIMIT'] || 4096).to_i
 
     def self.param_depth_limit
       default_query_parser.param_depth_limit
@@ -129,8 +140,8 @@ module Rack
     module_function :build_nested_query
 
     def q_values(q_value_header)
-      q_value_header.to_s.split(/\s*,\s*/).map do |part|
-        value, parameters = part.split(/\s*;\s*/, 2)
+      q_value_header.to_s.split(',').map do |part|
+        value, parameters = part.split(';', 2).map(&:strip)
         quality = 1.0
         if md = /\Aq=([\d.]+)/.match(parameters)
           quality = md[1].to_f

data/lib/rack.rb

@@ -18,7 +18,7 @@ module Rack
     VERSION.join(".")
   end
 
-  RELEASE = "2.0.9.2"
+  RELEASE = "2.0.9.4"
 
   # Return the Rack release as a dotted string.
   def self.release

data/test/spec_multipart.rb

@@ -548,6 +548,18 @@ Content-Type: image/jpeg\r
     end
   end
 
+  it "reach a multipart total limit" do
+    begin
+      previous_limit = Rack::Utils.multipart_total_part_limit
+      Rack::Utils.multipart_total_part_limit = 5
+
+      env = Rack::MockRequest.env_for '/', multipart_fixture(:three_files_three_fields)
+      lambda { Rack::Multipart.parse_multipart(env) }.must_raise Rack::Multipart::MultipartTotalPartLimitError
+    ensure
+      Rack::Utils.multipart_total_part_limit = previous_limit
+    end
+  end
+
   it "return nil if no UploadedFiles were used" do
     data = Rack::Multipart.build_multipart("people" => [{"submit-name" => "Larry", "files" => "contents"}])
     data.must_be_nil

data/test/spec_request.rb

@@ -911,7 +911,7 @@ EOF
     f[:tempfile].size.must_equal 76
   end
 
-  it "MultipartPartLimitError when request has too many multipart parts if limit set" do
+  it "MultipartPartLimitError when request has too many multipart file parts if limit set" do
     begin
       data = 10000.times.map { "--AaB03x\r\nContent-Type: text/plain\r\nContent-Disposition: attachment; name=#{SecureRandom.hex(10)}; filename=#{SecureRandom.hex(10)}\r\n\r\ncontents\r\n" }.join("\r\n")
       data += "--AaB03x--\r"
@@ -927,6 +927,22 @@ EOF
     end
   end
 
+  it "MultipartPartLimitError when request has too many multipart total parts if limit set" do
+    begin
+      data = 10000.times.map { "--AaB03x\r\ncontent-type: text/plain\r\ncontent-disposition: attachment; name=#{SecureRandom.hex(10)}\r\n\r\ncontents\r\n" }.join("\r\n")
+      data += "--AaB03x--\r"
+
+      options = {
+        "CONTENT_TYPE" => "multipart/form-data; boundary=AaB03x",
+        "CONTENT_LENGTH" => data.length.to_s,
+        :input => StringIO.new(data)
+      }
+
+      request = make_request Rack::MockRequest.env_for("/", options)
+      lambda { request.POST }.must_raise Rack::Multipart::MultipartTotalPartLimitError
+    end
+  end
+
   it 'closes tempfiles it created in the case of too many created' do
     begin
       data = 10000.times.map { "--AaB03x\r\nContent-Type: text/plain\r\nContent-Disposition: attachment; name=#{SecureRandom.hex(10)}; filename=#{SecureRandom.hex(10)}\r\n\r\ncontents\r\n" }.join("\r\n")

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-  version: 2.0.9.2
+  version: 2.0.9.4
 platform: ruby
 authors:
 - Leah Neukirchen
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-01-17 00:00:00.000000000 Z
+date: 2024-02-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -275,60 +275,60 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.6
+rubygems_version: 3.4.10
 signing_key:
 specification_version: 4
 summary: a modular Ruby webserver interface
 test_files:
-- test/spec_multipart.rb
+- test/spec_auth_basic.rb
+- test/spec_auth_digest.rb
+- test/spec_body_proxy.rb
+- test/spec_builder.rb
+- test/spec_cascade.rb
+- test/spec_cgi.rb
+- test/spec_chunked.rb
+- test/spec_common_logger.rb
+- test/spec_conditional_get.rb
+- test/spec_config.rb
+- test/spec_content_length.rb
+- test/spec_content_type.rb
 - test/spec_deflater.rb
-- test/spec_static.rb
-- test/spec_session_cookie.rb
-- test/spec_session_pool.rb
+- test/spec_directory.rb
 - test/spec_etag.rb
-- test/spec_version.rb
+- test/spec_events.rb
+- test/spec_fastcgi.rb
+- test/spec_file.rb
 - test/spec_handler.rb
-- test/spec_thin.rb
-- test/spec_session_abstract_id.rb
-- test/spec_mime.rb
-- test/spec_recursive.rb
-- test/spec_null_logger.rb
+- test/spec_head.rb
+- test/spec_lint.rb
+- test/spec_lobster.rb
+- test/spec_lock.rb
+- test/spec_logger.rb
 - test/spec_media_type.rb
-- test/spec_cgi.rb
 - test/spec_method_override.rb
-- test/spec_content_type.rb
-- test/spec_session_abstract_session_hash.rb
+- test/spec_mime.rb
+- test/spec_mock.rb
+- test/spec_multipart.rb
+- test/spec_null_logger.rb
+- test/spec_recursive.rb
 - test/spec_request.rb
-- test/spec_chunked.rb
-- test/spec_show_exceptions.rb
+- test/spec_response.rb
+- test/spec_rewindable_input.rb
 - test/spec_runtime.rb
-- test/spec_session_persisted_secure_secure_session_hash.rb
-- test/spec_fastcgi.rb
-- test/spec_common_logger.rb
-- test/spec_builder.rb
-- test/spec_config.rb
-- test/spec_utils.rb
 - test/spec_sendfile.rb
-- test/spec_lobster.rb
-- test/spec_lint.rb
-- test/spec_conditional_get.rb
-- test/spec_tempfile_reaper.rb
-- test/spec_mock.rb
 - test/spec_server.rb
-- test/spec_directory.rb
-- test/spec_webrick.rb
-- test/spec_response.rb
-- test/spec_file.rb
+- test/spec_session_abstract_id.rb
+- test/spec_session_abstract_session_hash.rb
+- test/spec_session_cookie.rb
+- test/spec_session_memcache.rb
+- test/spec_session_persisted_secure_secure_session_hash.rb
+- test/spec_session_pool.rb
+- test/spec_show_exceptions.rb
 - test/spec_show_status.rb
-- test/spec_body_proxy.rb
-- test/spec_logger.rb
-- test/spec_auth_digest.rb
+- test/spec_static.rb
+- test/spec_tempfile_reaper.rb
+- test/spec_thin.rb
 - test/spec_urlmap.rb
-- test/spec_events.rb
-- test/spec_cascade.rb
-- test/spec_auth_basic.rb
-- test/spec_head.rb
-- test/spec_lock.rb
-- test/spec_rewindable_input.rb
-- test/spec_session_memcache.rb
-- test/spec_content_length.rb
+- test/spec_utils.rb
+- test/spec_version.rb
+- test/spec_webrick.rb