rack 2.0.9 → 2.0.9.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9b0768103afcff14e04b93b0f4d359289b26b21d2ac7c80a42a31d74c0467e23
-  data.tar.gz: 84164353b9192f85a1ee40813ce9402dfca3f4850704718c6b103a3f062bc813
+  metadata.gz: bc237005e0685c87558593892557c95cd2b19a69344a5e7730861c4737710068
+  data.tar.gz: c6f06fabfb75b648b39013635615bb0c234b46e06bb21ee0d34fa984bc8a4327
 SHA512:
-  metadata.gz: fe9cdddbc606c1898db93ab17308de607d0ac9f93d6cf0554e444eea18901d144740718aedfe37b6a9353dae5169152315c00a2b971394fa2d6785ae0ad82203
-  data.tar.gz: e06d452659054f852edd963fb9ec776e450526f7918dedb937298b4f0ca938eeb047901d3c48c463a5ce1291070221dda1602cf96b042603c4e531cc6873dcbd
+  metadata.gz: 91d96b990c872a04ed4dfc6eeea2ee24c7229d1bc382fb19ee56a2d63df67ef155e76e2ff760b5fce600101bf49f4359ed021959f1d72789821c71db4653e67a
+  data.tar.gz: bf4aceee4f04788e44dac8838ff210be458f6869264c380da218ad1d8f60651900212c6f2b6e1909666d9861a2d7865a85da8b4ff836b5ad075d3fe7cf9293f2

data/HISTORY.md

@@ -1,3 +1,14 @@
+Tue Jan 17 12:27:04 2023  Aaron Patterson <tenderlove@ruby-lang.org>
+
+        * [CVE-2022-44571] Fix ReDoS vulnerability in multipart parser
+        * [CVE-2022-44570] Fix ReDoS in Rack::Utils.get_byte_ranges
+        * [CVE-2022-44572] Forbid control characters in attributes (also ReDoS)
+
+Fri May 27 08:27:04 2022  Aaron Patterson <tenderlove@ruby-lang.org>
+
+	* [CVE-2022-30123] Fix shell escaping issue in Common Logger
+	* [CVE-2022-30122] Restrict parsing of broken MIME attachments
+
 Sun Dec 4 18:48:03 2015  Jeremy Daer <jeremydaer@gmail.com>
 
 	* First-party "SameSite" cookies. Browsers omit SameSite cookies

data/SPEC

@@ -60,8 +60,8 @@ below.
                            the presence or absence of the
                            appropriate HTTP header in the
                            request. See
-                           <a href="https://tools.ietf.org/html/rfc3875#section-4.1.18">
-                           RFC3875 section 4.1.18</a> for
+                           {https://tools.ietf.org/html/rfc3875#section-4.1.18
+                           RFC3875 section 4.1.18} for
                            specific behavior.
 In addition to this, the Rack environment must include these
 Rack-specific variables:
@@ -98,13 +98,12 @@ Rack-specific variables:
 Additional environment specifications have approved to
 standardized middleware APIs.  None of these are required to
 be implemented by the server.
-<tt>rack.session</tt>:: A hash like interface for storing
-                        request session data.
+<tt>rack.session</tt>:: A hash like interface for storing request session data.
                         The store must implement:
-                        store(key, value)         (aliased as []=);
-                        fetch(key, default = nil) (aliased as []);
-                        delete(key);
-                        clear;
+                         store(key, value)         (aliased as []=);
+                         fetch(key, default = nil) (aliased as []);
+                         delete(key);
+                         clear;
 <tt>rack.logger</tt>:: A common object interface for logging messages.
                        The object must implement:
                         info(message, &block)

data/lib/rack/common_logger.rb

@@ -54,7 +54,10 @@ module Rack
         length,
         now - began_at ]
 
+      msg.gsub!(/[^[:print:]\n]/) { |c| "\\x#{c.ord}" }
+
       logger = @logger || env[RACK_ERRORS]
+
       # Standard library logger doesn't support write but it supports << which actually
       # calls to write on the log device without formatting
       if logger.respond_to?(:write)

data/lib/rack/lint.rb

@@ -295,7 +295,7 @@ module Rack
       check_hijack env
 
       ## * The <tt>REQUEST_METHOD</tt> must be a valid token.
-      assert("REQUEST_METHOD unknown: #{env[REQUEST_METHOD]}") {
+      assert("REQUEST_METHOD unknown: #{env[REQUEST_METHOD].dump}") {
         env[REQUEST_METHOD] =~ /\A[0-9A-Za-z!\#$%&'*+.^_`|~-]+\z/
       }
 

data/lib/rack/multipart/parser.rb

@@ -302,8 +302,9 @@ module Rack
           elsif filename = params['filename*']
             encoding, _, filename = filename.split("'", 3)
           end
-        when BROKEN_QUOTED, BROKEN_UNQUOTED
+        when BROKEN
           filename = $1
+          filename = $1 if filename =~ /^"(.*)"$/
         end
 
         return unless filename

data/lib/rack/multipart.rb

@@ -14,13 +14,12 @@ module Rack
     TOKEN = /[^\s()<>,;:\\"\/\[\]?=]+/
     CONDISP = /Content-Disposition:\s*#{TOKEN}\s*/i
     VALUE = /"(?:\\"|[^"])*"|#{TOKEN}/
-    BROKEN_QUOTED = /^#{CONDISP}.*;\sfilename="(.*?)"(?:\s*$|\s*;\s*#{TOKEN}=)/i
-    BROKEN_UNQUOTED = /^#{CONDISP}.*;\sfilename=(#{TOKEN})/i
+    BROKEN = /^#{CONDISP}.*;\s*filename=(#{VALUE})/i
     MULTIPART_CONTENT_TYPE = /Content-Type: (.*)#{EOL}/ni
-    MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:.*\s+name=(#{VALUE})/ni
+    MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:[^:]*;\s+name=(#{VALUE})/ni
     MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
     # Updated definitions from RFC 2231
-    ATTRIBUTE_CHAR = %r{[^ \t\v\n\r)(><@,;:\\"/\[\]?='*%]}
+    ATTRIBUTE_CHAR = %r{[^ \x00-\x1f\x7f)(><@,;:\\"/\[\]?='*%]}
     ATTRIBUTE = /#{ATTRIBUTE_CHAR}+/
     SECTION = /\*[0-9]+/
     REGULAR_PARAMETER_NAME = /#{ATTRIBUTE}#{SECTION}?/

data/lib/rack/utils.rb

@@ -365,17 +365,18 @@ module Rack
       return nil unless http_range && http_range =~ /bytes=([^;]+)/
       ranges = []
       $1.split(/,\s*/).each do |range_spec|
-        return nil  unless range_spec =~ /(\d*)-(\d*)/
-        r0,r1 = $1, $2
-        if r0.empty?
-          return nil  if r1.empty?
+        return nil unless range_spec.include?('-')
+        range = range_spec.split('-')
+        r0, r1 = range[0], range[1]
+        if r0.nil? || r0.empty?
+          return nil if r1.nil?
           # suffix-byte-range-spec, represents trailing suffix of file
           r0 = size - r1.to_i
           r0 = 0  if r0 < 0
           r1 = size - 1
         else
           r0 = r0.to_i
-          if r1.empty?
+          if r1.nil?
             r1 = size - 1
           else
             r1 = r1.to_i

data/lib/rack.rb

@@ -18,7 +18,7 @@ module Rack
     VERSION.join(".")
   end
 
-  RELEASE = "2.0.9"
+  RELEASE = "2.0.9.2"
 
   # Return the Rack release as a dotted string.
   def self.release

data/test/multipart/filename_with_escaped_quotes_and_modification_param

@@ -1,6 +1,6 @@
 --AaB03x
 Content-Type: image/jpeg
-Content-Disposition: attachment; name="files"; filename=""human" genome.jpeg"; modification-date="Wed, 12 Feb 1997 16:29:51 -0500";
+Content-Disposition: attachment; name="files"; filename="\"human\" genome.jpeg"; modification-date="Wed, 12 Feb 1997 16:29:51 -0500";
 Content-Description: a complete map of the human genome
 
 contents

data/test/spec_common_logger.rb

@@ -21,6 +21,10 @@ describe Rack::CommonLogger do
     [200,
      {"Content-Type" => "text/html", "Content-Length" => "0"},
      []]}
+  app_without_lint = lambda { |env|
+    [200,
+     { "content-type" => "text/html", "content-length" => length.to_s },
+     [obj]]}
 
   it "log to rack.errors by default" do
     res = Rack::MockRequest.new(Rack::CommonLogger.new(app)).get("/")
@@ -85,6 +89,14 @@ describe Rack::CommonLogger do
     (0..1).must_include duration.to_f
   end
 
+  it "escapes non printable characters except newline" do
+    logdev = StringIO.new
+    log = Logger.new(logdev)
+    Rack::MockRequest.new(Rack::CommonLogger.new(app_without_lint, log)).request("GET\b", "/hello")
+
+    logdev.string.must_match(/GET\\x8 \/hello/)
+  end
+
   def length
     123
   end

data/test/spec_lint.rb

@@ -96,6 +96,11 @@ describe Rack::Lint do
     }.must_raise(Rack::Lint::LintError).
       message.must_match(/REQUEST_METHOD/)
 
+    lambda {
+      Rack::Lint.new(nil).call(env("REQUEST_METHOD" => "OOPS?\b!"))
+    }.must_raise(Rack::Lint::LintError).
+      message.must_match(/OOPS\?\\/)
+
     lambda {
       Rack::Lint.new(nil).call(env("SCRIPT_NAME" => "howdy"))
     }.must_raise(Rack::Lint::LintError).

data/test/spec_multipart.rb

@@ -381,19 +381,6 @@ describe Rack::Multipart do
     params["files"][:tempfile].read.must_equal "contents"
   end
 
-  it "parse filename with unescaped quotes" do
-    env = Rack::MockRequest.env_for("/", multipart_fixture(:filename_with_unescaped_quotes))
-    params = Rack::Multipart.parse_multipart(env)
-    params["files"][:type].must_equal "application/octet-stream"
-    params["files"][:filename].must_equal "escape \"quotes"
-    params["files"][:head].must_equal "Content-Disposition: form-data; " +
-      "name=\"files\"; " +
-      "filename=\"escape \"quotes\"\r\n" +
-      "Content-Type: application/octet-stream\r\n"
-    params["files"][:name].must_equal "files"
-    params["files"][:tempfile].read.must_equal "contents"
-  end
-
   it "parse filename with escaped quotes and modification param" do
     env = Rack::MockRequest.env_for("/", multipart_fixture(:filename_with_escaped_quotes_and_modification_param))
     params = Rack::Multipart.parse_multipart(env)
@@ -402,7 +389,7 @@ describe Rack::Multipart do
     params["files"][:head].must_equal "Content-Type: image/jpeg\r\n" +
       "Content-Disposition: attachment; " +
       "name=\"files\"; " +
-      "filename=\"\"human\" genome.jpeg\"; " +
+      "filename=\"\\\"human\\\" genome.jpeg\"; " +
       "modification-date=\"Wed, 12 Feb 1997 16:29:51 -0500\";\r\n" +
       "Content-Description: a complete map of the human genome\r\n"
     params["files"][:name].must_equal "files"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-  version: 2.0.9
+  version: 2.0.9.2
 platform: ruby
 authors:
 - Leah Neukirchen
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-02-08 00:00:00.000000000 Z
+date: 2023-01-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -260,7 +260,7 @@ homepage: https://rack.github.io/
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -275,8 +275,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
-signing_key: 
+rubygems_version: 3.1.6
+signing_key:
 specification_version: 4
 summary: a modular Ruby webserver interface
 test_files: