rack 2.1.4.1 → 2.1.4.2
- checksums.yaml +4 -4
- data/CHANGELOG.md +6 -0
- data/lib/rack/multipart.rb +2 -2
- data/lib/rack/utils.rb +6 -5
- data/lib/rack.rb +1 -1
- metadata +6 -6
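--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: edbcf6126aae323681d2fdc8e61fbbc036661d3354419ac07a389499c9f2f04a
+data.tar.gz: a1071b44bbf6fa93a58ad2739f9df6f9450666c18aa94e7c69b8e813f3c290a4
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 555cbd0c544abc9102e68450e0e2f7a1a6a758adac673087562419bd85073b5d4130c6446349a1efb68f0cd13ae94863eb083d3e528ec12d6c9e0d71c7047dd1
+data.tar.gz: 6028521bbb96e209dde73311e30e614f680359ded81465bb23723a45ada328c661104a7487bf5cebc238831504a4e5f370a763769a4dd50d7df1b524da27c24d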
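--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,9 @@
+## [2.1.4.2] - 2022-01-17
+
+- [CVE-2022-44571] Fix ReDoS vulnerability in multipart parser
+- [CVE-2022-44570] Fix ReDoS in Rack::Utils.get_byte_ranges
+- [CVE-2022-44572] Forbid control characters in attributes (also ReDoS)
+
 ## [2.1.4.1] - 2022-05-27
 
 - [CVE-2022-30123] Fix shell escaping issue in Common Logger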
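--- a/data/lib/rack/multipart.rb
+++ b/data/lib/rack/multipart.rb
@@ -18,10 +18,10 @@ module Rack
 VALUE = /"(?:\\"|[^"])*"|#{TOKEN}/
 BROKEN = /^#{CONDISP}.*;\s*filename=(#{VALUE})/i
 MULTIPART_CONTENT_TYPE = /Content-Type: (.*)#{EOL}/ni
-MULTIPART_CONTENT_DISPOSITION = /Content-Disposition
+MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:[^:]*;\s*name=(#{VALUE})/ni
 MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
 # Updated definitions from RFC 2231
-ATTRIBUTE_CHAR = %r{[^ \
+ATTRIBUTE_CHAR = %r{[^ \x00-\x1f\x7f)(><@,;:\\"/\[\]?='*%]}
 ATTRIBUTE = /#{ATTRIBUTE_CHAR}+/
 SECTION = /\*[0-9]+/
 REGULAR_PARAMETER_NAME = /#{ATTRIBUTE}#{SECTION}?/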
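--- a/data/lib/rack/utils.rb
+++ b/data/lib/rack/utils.rb
@@ -350,17 +350,18 @@ module Rack
 return nil unless http_range && http_range =~ /bytes=([^;]+)/
 ranges = []
 $1.split(/,\s*/).each do |range_spec|
-return nil
-
-
-
+return nil unless range_spec.include?('-')
+range = range_spec.split('-')
+r0, r1 = range[0], range[1]
+if r0.nil? || r0.empty?
+return nil if r1.nil?
 # suffix-byte-range-spec, represents trailing suffix of file
 r0 = size - r1.to_i
 r0 = 0 if r0 < 0
 r1 = size - 1
 else
 r0 = r0.to_i
-if r1.
+if r1.nil?
 r1 = size - 1
 else
 r1 = r1.to_i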
data/lib/rack.rb
CHANGED
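--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-version: 2.1.4.
+version: 2.1.4.2
 platform: ruby
 authors:
 - Leah Neukirchen
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date:
+date: 2023-01-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: minitest
@@ -170,7 +170,7 @@ metadata:
 homepage_uri: https://rack.github.io
 mailing_list_uri: https://groups.google.com/forum/#!forum/rack-devel
 source_code_uri: https://github.com/rack/rack
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -185,8 +185,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.
-signing_key:
+rubygems_version: 3.1.6
+signing_key:
 specification_version: 4
 summary: a modular Ruby webserver interface
 test_files: []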