rack 2.0.9 → 2.0.9.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9b0768103afcff14e04b93b0f4d359289b26b21d2ac7c80a42a31d74c0467e23
-  data.tar.gz: 84164353b9192f85a1ee40813ce9402dfca3f4850704718c6b103a3f062bc813
+  metadata.gz: 3418ae80f8de1427728a2e17364b9c8d124f2efb3e2ce6ebd2fbf6ba08c76efa
+  data.tar.gz: 2ba9cd20d9b168c583813b6c1e0d39cb6b8f33d110605b2c28c97dac60718cfc
 SHA512:
-  metadata.gz: fe9cdddbc606c1898db93ab17308de607d0ac9f93d6cf0554e444eea18901d144740718aedfe37b6a9353dae5169152315c00a2b971394fa2d6785ae0ad82203
-  data.tar.gz: e06d452659054f852edd963fb9ec776e450526f7918dedb937298b4f0ca938eeb047901d3c48c463a5ce1291070221dda1602cf96b042603c4e531cc6873dcbd
+  metadata.gz: ff2af28dd5b0b338c61d95eb793ac577098803374db893f739402ebd41ee75a1ebab4eba32474e2e68014475f0f5e71ad8fff3b4270fe3c9f281eaf3024c4b32
+  data.tar.gz: 6ebf297cb644ab382bcf02d3c0a7b4376223222ccaca426e093ecba02a4a9302324199ecd43788aa5f248b060f3c37a16fe820ebb9b46570dc2831627ef486d0

data/HISTORY.md

@@ -1,3 +1,18 @@
+Thu Mar  2 14:50:46 2023  Aaron Patterson <tenderlove@ruby-lang.org>
+
+	* [CVE-2023-27530] Introduce multipart_total_part_limit to limit total parts
+
+Tue Jan 17 12:27:04 2023  Aaron Patterson <tenderlove@ruby-lang.org>
+
+        * [CVE-2022-44571] Fix ReDoS vulnerability in multipart parser
+        * [CVE-2022-44570] Fix ReDoS in Rack::Utils.get_byte_ranges
+        * [CVE-2022-44572] Forbid control characters in attributes (also ReDoS)
+
+Fri May 27 08:27:04 2022  Aaron Patterson <tenderlove@ruby-lang.org>
+
+	* [CVE-2022-30123] Fix shell escaping issue in Common Logger
+	* [CVE-2022-30122] Restrict parsing of broken MIME attachments
+
 Sun Dec 4 18:48:03 2015  Jeremy Daer <jeremydaer@gmail.com>
 
 	* First-party "SameSite" cookies. Browsers omit SameSite cookies

data/README.rdoc

@@ -189,16 +189,30 @@ This helps prevent a rogue client from flooding a Request.
 
 Default to 65536 characters (4 kiB in worst case).
 
-=== multipart_part_limit
+=== multipart_file_limit
 
-The maximum number of parts a request can contain.
+The maximum number of parts with a filename a request can contain.
 Accepting too many part can lead to the server running out of file handles.
 
 The default is 128, which means that a single request can't upload more than 128 files at once.
 
 Set to 0 for no limit.
 
-Can also be set via the RACK_MULTIPART_PART_LIMIT environment variable.
+Can also be set via the +RACK_MULTIPART_FILE_LIMIT+ environment variable.
+
+(This is also aliased as +multipart_part_limit+ and +RACK_MULTIPART_PART_LIMIT+ for compatibility)
+
+=== multipart_total_part_limit
+
+The maximum total number of parts a request can contain of any type, including
+both file and non-file form fields.
+
+The default is 4096, which means that a single request can't contain more than
+4096 parts.
+
+Set to 0 for no limit.
+
+Can also be set via the +RACK_MULTIPART_TOTAL_PART_LIMIT+ environment variable.
 
 == History
 

data/SPEC

@@ -60,8 +60,8 @@ below.
                            the presence or absence of the
                            appropriate HTTP header in the
                            request. See
-                           <a href="https://tools.ietf.org/html/rfc3875#section-4.1.18">
-                           RFC3875 section 4.1.18</a> for
+                           {https://tools.ietf.org/html/rfc3875#section-4.1.18
+                           RFC3875 section 4.1.18} for
                            specific behavior.
 In addition to this, the Rack environment must include these
 Rack-specific variables:
@@ -98,13 +98,12 @@ Rack-specific variables:
 Additional environment specifications have approved to
 standardized middleware APIs.  None of these are required to
 be implemented by the server.
-<tt>rack.session</tt>:: A hash like interface for storing
-                        request session data.
+<tt>rack.session</tt>:: A hash like interface for storing request session data.
                         The store must implement:
-                        store(key, value)         (aliased as []=);
-                        fetch(key, default = nil) (aliased as []);
-                        delete(key);
-                        clear;
+                         store(key, value)         (aliased as []=);
+                         fetch(key, default = nil) (aliased as []);
+                         delete(key);
+                         clear;
 <tt>rack.logger</tt>:: A common object interface for logging messages.
                        The object must implement:
                         info(message, &block)

data/lib/rack/common_logger.rb

@@ -54,7 +54,10 @@ module Rack
         length,
         now - began_at ]
 
+      msg.gsub!(/[^[:print:]\n]/) { |c| "\\x#{c.ord}" }
+
       logger = @logger || env[RACK_ERRORS]
+
       # Standard library logger doesn't support write but it supports << which actually
       # calls to write on the log device without formatting
       if logger.respond_to?(:write)

data/lib/rack/lint.rb

@@ -295,7 +295,7 @@ module Rack
       check_hijack env
 
       ## * The <tt>REQUEST_METHOD</tt> must be a valid token.
-      assert("REQUEST_METHOD unknown: #{env[REQUEST_METHOD]}") {
+      assert("REQUEST_METHOD unknown: #{env[REQUEST_METHOD].dump}") {
         env[REQUEST_METHOD] =~ /\A[0-9A-Za-z!\#$%&'*+.^_`|~-]+\z/
       }
 

data/lib/rack/multipart/parser.rb

@@ -3,6 +3,7 @@ require 'rack/utils'
 module Rack
   module Multipart
     class MultipartPartLimitError < Errno::EMFILE; end
+    class MultipartTotalPartLimitError < StandardError; end
 
     class Parser
       BUFSIZE = 16384
@@ -138,7 +139,8 @@ module Rack
           end
 
           @mime_parts[mime_index] = klass.new(body, head, filename, content_type, name)
-          check_open_files
+
+          check_part_limits
         end
 
         def on_mime_body mime_index, content
@@ -150,13 +152,23 @@ module Rack
 
         private
 
-        def check_open_files
-          if Utils.multipart_part_limit > 0
-            if @open_files >= Utils.multipart_part_limit
+        def check_part_limits
+          file_limit = Utils.multipart_file_limit
+          part_limit = Utils.multipart_total_part_limit
+
+          if file_limit && file_limit > 0
+            if @open_files >= file_limit
               @mime_parts.each(&:close)
               raise MultipartPartLimitError, 'Maximum file multiparts in content reached'
             end
           end
+
+          if part_limit && part_limit > 0
+            if @mime_parts.size >= part_limit
+              @mime_parts.each(&:close)
+              raise MultipartTotalPartLimitError, 'Maximum total multiparts in content reached'
+            end
+          end
         end
       end
 
@@ -302,8 +314,9 @@ module Rack
           elsif filename = params['filename*']
             encoding, _, filename = filename.split("'", 3)
           end
-        when BROKEN_QUOTED, BROKEN_UNQUOTED
+        when BROKEN
           filename = $1
+          filename = $1 if filename =~ /^"(.*)"$/
         end
 
         return unless filename

data/lib/rack/multipart.rb

@@ -14,13 +14,12 @@ module Rack
     TOKEN = /[^\s()<>,;:\\"\/\[\]?=]+/
     CONDISP = /Content-Disposition:\s*#{TOKEN}\s*/i
     VALUE = /"(?:\\"|[^"])*"|#{TOKEN}/
-    BROKEN_QUOTED = /^#{CONDISP}.*;\sfilename="(.*?)"(?:\s*$|\s*;\s*#{TOKEN}=)/i
-    BROKEN_UNQUOTED = /^#{CONDISP}.*;\sfilename=(#{TOKEN})/i
+    BROKEN = /^#{CONDISP}.*;\s*filename=(#{VALUE})/i
     MULTIPART_CONTENT_TYPE = /Content-Type: (.*)#{EOL}/ni
-    MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:.*\s+name=(#{VALUE})/ni
+    MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:[^:]*;\s+name=(#{VALUE})/ni
     MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
     # Updated definitions from RFC 2231
-    ATTRIBUTE_CHAR = %r{[^ \t\v\n\r)(><@,;:\\"/\[\]?='*%]}
+    ATTRIBUTE_CHAR = %r{[^ \x00-\x1f\x7f)(><@,;:\\"/\[\]?='*%]}
     ATTRIBUTE = /#{ATTRIBUTE_CHAR}+/
     SECTION = /\*[0-9]+/
     REGULAR_PARAMETER_NAME = /#{ATTRIBUTE}#{SECTION}?/

data/lib/rack/utils.rb

@@ -53,13 +53,24 @@ module Rack
     module_function :unescape
 
     class << self
-      attr_accessor :multipart_part_limit
+      attr_accessor :multipart_total_part_limit
+
+      attr_accessor :multipart_file_limit
+
+      # multipart_part_limit is the original name of multipart_file_limit, but
+      # the limit only counts parts with filenames.
+      alias multipart_part_limit multipart_file_limit
+      alias multipart_part_limit= multipart_file_limit=
     end
 
-    # The maximum number of parts a request can contain. Accepting too many part
-    # can lead to the server running out of file handles.
+    # The maximum number of file parts a request can contain. Accepting too
+    # many parts can lead to the server running out of file handles.
     # Set to `0` for no limit.
-    self.multipart_part_limit = (ENV['RACK_MULTIPART_PART_LIMIT'] || 128).to_i
+    self.multipart_file_limit = (ENV['RACK_MULTIPART_PART_LIMIT'] || ENV['RACK_MULTIPART_FILE_LIMIT'] || 128).to_i
+
+    # The maximum total number of parts a request can contain. Accepting too
+    # many can lead to excessive memory use and parsing time.
+    self.multipart_total_part_limit = (ENV['RACK_MULTIPART_TOTAL_PART_LIMIT'] || 4096).to_i
 
     def self.param_depth_limit
       default_query_parser.param_depth_limit
@@ -129,8 +140,8 @@ module Rack
     module_function :build_nested_query
 
     def q_values(q_value_header)
-      q_value_header.to_s.split(/\s*,\s*/).map do |part|
-        value, parameters = part.split(/\s*;\s*/, 2)
+      q_value_header.to_s.split(',').map do |part|
+        value, parameters = part.split(';', 2).map(&:strip)
         quality = 1.0
         if md = /\Aq=([\d.]+)/.match(parameters)
           quality = md[1].to_f
@@ -365,17 +376,18 @@ module Rack
       return nil unless http_range && http_range =~ /bytes=([^;]+)/
       ranges = []
       $1.split(/,\s*/).each do |range_spec|
-        return nil  unless range_spec =~ /(\d*)-(\d*)/
-        r0,r1 = $1, $2
-        if r0.empty?
-          return nil  if r1.empty?
+        return nil unless range_spec.include?('-')
+        range = range_spec.split('-')
+        r0, r1 = range[0], range[1]
+        if r0.nil? || r0.empty?
+          return nil if r1.nil?
           # suffix-byte-range-spec, represents trailing suffix of file
           r0 = size - r1.to_i
           r0 = 0  if r0 < 0
           r1 = size - 1
         else
           r0 = r0.to_i
-          if r1.empty?
+          if r1.nil?
             r1 = size - 1
           else
             r1 = r1.to_i

data/lib/rack.rb

@@ -18,7 +18,7 @@ module Rack
     VERSION.join(".")
   end
 
-  RELEASE = "2.0.9"
+  RELEASE = "2.0.9.4"
 
   # Return the Rack release as a dotted string.
   def self.release

data/test/multipart/filename_with_escaped_quotes_and_modification_param

@@ -1,6 +1,6 @@
 --AaB03x
 Content-Type: image/jpeg
-Content-Disposition: attachment; name="files"; filename=""human" genome.jpeg"; modification-date="Wed, 12 Feb 1997 16:29:51 -0500";
+Content-Disposition: attachment; name="files"; filename="\"human\" genome.jpeg"; modification-date="Wed, 12 Feb 1997 16:29:51 -0500";
 Content-Description: a complete map of the human genome
 
 contents

data/test/spec_common_logger.rb

@@ -21,6 +21,10 @@ describe Rack::CommonLogger do
     [200,
      {"Content-Type" => "text/html", "Content-Length" => "0"},
      []]}
+  app_without_lint = lambda { |env|
+    [200,
+     { "content-type" => "text/html", "content-length" => length.to_s },
+     [obj]]}
 
   it "log to rack.errors by default" do
     res = Rack::MockRequest.new(Rack::CommonLogger.new(app)).get("/")
@@ -85,6 +89,14 @@ describe Rack::CommonLogger do
     (0..1).must_include duration.to_f
   end
 
+  it "escapes non printable characters except newline" do
+    logdev = StringIO.new
+    log = Logger.new(logdev)
+    Rack::MockRequest.new(Rack::CommonLogger.new(app_without_lint, log)).request("GET\b", "/hello")
+
+    logdev.string.must_match(/GET\\x8 \/hello/)
+  end
+
   def length
     123
   end

data/test/spec_lint.rb

@@ -96,6 +96,11 @@ describe Rack::Lint do
     }.must_raise(Rack::Lint::LintError).
       message.must_match(/REQUEST_METHOD/)
 
+    lambda {
+      Rack::Lint.new(nil).call(env("REQUEST_METHOD" => "OOPS?\b!"))
+    }.must_raise(Rack::Lint::LintError).
+      message.must_match(/OOPS\?\\/)
+
     lambda {
       Rack::Lint.new(nil).call(env("SCRIPT_NAME" => "howdy"))
     }.must_raise(Rack::Lint::LintError).

data/test/spec_multipart.rb

@@ -381,19 +381,6 @@ describe Rack::Multipart do
     params["files"][:tempfile].read.must_equal "contents"
   end
 
-  it "parse filename with unescaped quotes" do
-    env = Rack::MockRequest.env_for("/", multipart_fixture(:filename_with_unescaped_quotes))
-    params = Rack::Multipart.parse_multipart(env)
-    params["files"][:type].must_equal "application/octet-stream"
-    params["files"][:filename].must_equal "escape \"quotes"
-    params["files"][:head].must_equal "Content-Disposition: form-data; " +
-      "name=\"files\"; " +
-      "filename=\"escape \"quotes\"\r\n" +
-      "Content-Type: application/octet-stream\r\n"
-    params["files"][:name].must_equal "files"
-    params["files"][:tempfile].read.must_equal "contents"
-  end
-
   it "parse filename with escaped quotes and modification param" do
     env = Rack::MockRequest.env_for("/", multipart_fixture(:filename_with_escaped_quotes_and_modification_param))
     params = Rack::Multipart.parse_multipart(env)
@@ -402,7 +389,7 @@ describe Rack::Multipart do
     params["files"][:head].must_equal "Content-Type: image/jpeg\r\n" +
       "Content-Disposition: attachment; " +
       "name=\"files\"; " +
-      "filename=\"\"human\" genome.jpeg\"; " +
+      "filename=\"\\\"human\\\" genome.jpeg\"; " +
       "modification-date=\"Wed, 12 Feb 1997 16:29:51 -0500\";\r\n" +
       "Content-Description: a complete map of the human genome\r\n"
     params["files"][:name].must_equal "files"
@@ -561,6 +548,18 @@ Content-Type: image/jpeg\r
     end
   end
 
+  it "reach a multipart total limit" do
+    begin
+      previous_limit = Rack::Utils.multipart_total_part_limit
+      Rack::Utils.multipart_total_part_limit = 5
+
+      env = Rack::MockRequest.env_for '/', multipart_fixture(:three_files_three_fields)
+      lambda { Rack::Multipart.parse_multipart(env) }.must_raise Rack::Multipart::MultipartTotalPartLimitError
+    ensure
+      Rack::Utils.multipart_total_part_limit = previous_limit
+    end
+  end
+
   it "return nil if no UploadedFiles were used" do
     data = Rack::Multipart.build_multipart("people" => [{"submit-name" => "Larry", "files" => "contents"}])
     data.must_be_nil

data/test/spec_request.rb

@@ -911,7 +911,7 @@ EOF
     f[:tempfile].size.must_equal 76
   end
 
-  it "MultipartPartLimitError when request has too many multipart parts if limit set" do
+  it "MultipartPartLimitError when request has too many multipart file parts if limit set" do
     begin
       data = 10000.times.map { "--AaB03x\r\nContent-Type: text/plain\r\nContent-Disposition: attachment; name=#{SecureRandom.hex(10)}; filename=#{SecureRandom.hex(10)}\r\n\r\ncontents\r\n" }.join("\r\n")
       data += "--AaB03x--\r"
@@ -927,6 +927,22 @@ EOF
     end
   end
 
+  it "MultipartPartLimitError when request has too many multipart total parts if limit set" do
+    begin
+      data = 10000.times.map { "--AaB03x\r\ncontent-type: text/plain\r\ncontent-disposition: attachment; name=#{SecureRandom.hex(10)}\r\n\r\ncontents\r\n" }.join("\r\n")
+      data += "--AaB03x--\r"
+
+      options = {
+        "CONTENT_TYPE" => "multipart/form-data; boundary=AaB03x",
+        "CONTENT_LENGTH" => data.length.to_s,
+        :input => StringIO.new(data)
+      }
+
+      request = make_request Rack::MockRequest.env_for("/", options)
+      lambda { request.POST }.must_raise Rack::Multipart::MultipartTotalPartLimitError
+    end
+  end
+
   it 'closes tempfiles it created in the case of too many created' do
     begin
       data = 10000.times.map { "--AaB03x\r\nContent-Type: text/plain\r\nContent-Disposition: attachment; name=#{SecureRandom.hex(10)}; filename=#{SecureRandom.hex(10)}\r\n\r\ncontents\r\n" }.join("\r\n")

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-  version: 2.0.9
+  version: 2.0.9.4
 platform: ruby
 authors:
 - Leah Neukirchen
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-02-08 00:00:00.000000000 Z
+date: 2024-02-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -260,7 +260,7 @@ homepage: https://rack.github.io/
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -275,60 +275,60 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
-signing_key: 
+rubygems_version: 3.4.10
+signing_key:
 specification_version: 4
 summary: a modular Ruby webserver interface
 test_files:
-- test/spec_multipart.rb
+- test/spec_auth_basic.rb
+- test/spec_auth_digest.rb
+- test/spec_body_proxy.rb
+- test/spec_builder.rb
+- test/spec_cascade.rb
+- test/spec_cgi.rb
+- test/spec_chunked.rb
+- test/spec_common_logger.rb
+- test/spec_conditional_get.rb
+- test/spec_config.rb
+- test/spec_content_length.rb
+- test/spec_content_type.rb
 - test/spec_deflater.rb
-- test/spec_static.rb
-- test/spec_session_cookie.rb
-- test/spec_session_pool.rb
+- test/spec_directory.rb
 - test/spec_etag.rb
-- test/spec_version.rb
+- test/spec_events.rb
+- test/spec_fastcgi.rb
+- test/spec_file.rb
 - test/spec_handler.rb
-- test/spec_thin.rb
-- test/spec_session_abstract_id.rb
-- test/spec_mime.rb
-- test/spec_recursive.rb
-- test/spec_null_logger.rb
+- test/spec_head.rb
+- test/spec_lint.rb
+- test/spec_lobster.rb
+- test/spec_lock.rb
+- test/spec_logger.rb
 - test/spec_media_type.rb
-- test/spec_cgi.rb
 - test/spec_method_override.rb
-- test/spec_content_type.rb
-- test/spec_session_abstract_session_hash.rb
+- test/spec_mime.rb
+- test/spec_mock.rb
+- test/spec_multipart.rb
+- test/spec_null_logger.rb
+- test/spec_recursive.rb
 - test/spec_request.rb
-- test/spec_chunked.rb
-- test/spec_show_exceptions.rb
+- test/spec_response.rb
+- test/spec_rewindable_input.rb
 - test/spec_runtime.rb
-- test/spec_session_persisted_secure_secure_session_hash.rb
-- test/spec_fastcgi.rb
-- test/spec_common_logger.rb
-- test/spec_builder.rb
-- test/spec_config.rb
-- test/spec_utils.rb
 - test/spec_sendfile.rb
-- test/spec_lobster.rb
-- test/spec_lint.rb
-- test/spec_conditional_get.rb
-- test/spec_tempfile_reaper.rb
-- test/spec_mock.rb
 - test/spec_server.rb
-- test/spec_directory.rb
-- test/spec_webrick.rb
-- test/spec_response.rb
-- test/spec_file.rb
+- test/spec_session_abstract_id.rb
+- test/spec_session_abstract_session_hash.rb
+- test/spec_session_cookie.rb
+- test/spec_session_memcache.rb
+- test/spec_session_persisted_secure_secure_session_hash.rb
+- test/spec_session_pool.rb
+- test/spec_show_exceptions.rb
 - test/spec_show_status.rb
-- test/spec_body_proxy.rb
-- test/spec_logger.rb
-- test/spec_auth_digest.rb
+- test/spec_static.rb
+- test/spec_tempfile_reaper.rb
+- test/spec_thin.rb
 - test/spec_urlmap.rb
-- test/spec_events.rb
-- test/spec_cascade.rb
-- test/spec_auth_basic.rb
-- test/spec_head.rb
-- test/spec_lock.rb
-- test/spec_rewindable_input.rb
-- test/spec_session_memcache.rb
-- test/spec_content_length.rb
+- test/spec_utils.rb
+- test/spec_version.rb
+- test/spec_webrick.rb