rack 2.1.4.2 → 2.1.4.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: edbcf6126aae323681d2fdc8e61fbbc036661d3354419ac07a389499c9f2f04a
-  data.tar.gz: a1071b44bbf6fa93a58ad2739f9df6f9450666c18aa94e7c69b8e813f3c290a4
+  metadata.gz: c6c6bc44966ead6d6a9da2aaf2491e17ae23f2ad2a812ebca495b804a4574405
+  data.tar.gz: 7aa862a282ed242ed951ca59158e3078a05f19ea377009cd96e4dd09ebf5f513
 SHA512:
-  metadata.gz: 555cbd0c544abc9102e68450e0e2f7a1a6a758adac673087562419bd85073b5d4130c6446349a1efb68f0cd13ae94863eb083d3e528ec12d6c9e0d71c7047dd1
-  data.tar.gz: 6028521bbb96e209dde73311e30e614f680359ded81465bb23723a45ada328c661104a7487bf5cebc238831504a4e5f370a763769a4dd50d7df1b524da27c24d
+  metadata.gz: 5ce33f287708bb007eac0960c5ab16dadbc759bdea9266f0d3ca51c9d79bab83c815a6d8b73450cd1878f3a2e10cf26b1892304352b027bd7924c07ea1a28c31
+  data.tar.gz: 264d2812f22b99a85e83b65664d1d08380c1699384a21f3c144837f4a6449a5b3a05e3df3187b19082da4e6e51695dce23dc4e98f5463bb7361e34614286ff8d

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+## [2.1.4.3] - 2023-03-02
+
+- [CVE-2023-27530] Introduce multipart_total_part_limit to limit total parts
+
 ## [2.1.4.2] - 2022-01-17
 
 - [CVE-2022-44571] Fix ReDoS vulnerability in multipart parser

data/README.rdoc

@@ -166,16 +166,30 @@ This helps prevent a rogue client from flooding a Request.
 
 Default to 65536 characters (4 kiB in worst case).
 
-=== multipart_part_limit
+=== multipart_file_limit
 
-The maximum number of parts a request can contain.
+The maximum number of parts with a filename a request can contain.
 Accepting too many part can lead to the server running out of file handles.
 
 The default is 128, which means that a single request can't upload more than 128 files at once.
 
 Set to 0 for no limit.
 
-Can also be set via the +RACK_MULTIPART_PART_LIMIT+ environment variable.
+Can also be set via the +RACK_MULTIPART_FILE_LIMIT+ environment variable.
+
+(This is also aliased as +multipart_part_limit+ and +RACK_MULTIPART_PART_LIMIT+ for compatibility)
+
+=== multipart_total_part_limit
+
+The maximum total number of parts a request can contain of any type, including
+both file and non-file form fields.
+
+The default is 4096, which means that a single request can't contain more than
+4096 parts.
+
+Set to 0 for no limit.
+
+Can also be set via the +RACK_MULTIPART_TOTAL_PART_LIMIT+ environment variable.
 
 == Changelog
 

data/lib/rack/multipart/parser.rb

@@ -7,6 +7,7 @@ require 'rack/core_ext/regexp'
 module Rack
   module Multipart
     class MultipartPartLimitError < Errno::EMFILE; end
+    class MultipartTotalPartLimitError < StandardError; end
 
     class Parser
       using ::Rack::RegexpExtensions
@@ -148,7 +149,7 @@ module Rack
 
           @mime_parts[mime_index] = klass.new(body, head, filename, content_type, name)
 
-          check_open_files
+          check_part_limits
         end
 
         def on_mime_body mime_index, content
@@ -160,13 +161,23 @@ module Rack
 
         private
 
-        def check_open_files
-          if Utils.multipart_part_limit > 0
-            if @open_files >= Utils.multipart_part_limit
+        def check_part_limits
+          file_limit = Utils.multipart_file_limit
+          part_limit = Utils.multipart_total_part_limit
+
+          if file_limit && file_limit > 0
+            if @open_files >= file_limit
               @mime_parts.each(&:close)
               raise MultipartPartLimitError, 'Maximum file multiparts in content reached'
             end
           end
+
+          if part_limit && part_limit > 0
+            if @mime_parts.size >= part_limit
+              @mime_parts.each(&:close)
+              raise MultipartTotalPartLimitError, 'Maximum total multiparts in content reached'
+            end
+          end
         end
       end
 

data/lib/rack/utils.rb

@@ -59,13 +59,24 @@ module Rack
     module_function :unescape
 
     class << self
-      attr_accessor :multipart_part_limit
+      attr_accessor :multipart_total_part_limit
+
+      attr_accessor :multipart_file_limit
+
+      # multipart_part_limit is the original name of multipart_file_limit, but
+      # the limit only counts parts with filenames.
+      alias multipart_part_limit multipart_file_limit
+      alias multipart_part_limit= multipart_file_limit=
     end
 
-    # The maximum number of parts a request can contain. Accepting too many part
-    # can lead to the server running out of file handles.
+    # The maximum number of file parts a request can contain. Accepting too
+    # many parts can lead to the server running out of file handles.
     # Set to `0` for no limit.
-    self.multipart_part_limit = (ENV['RACK_MULTIPART_PART_LIMIT'] || 128).to_i
+    self.multipart_file_limit = (ENV['RACK_MULTIPART_PART_LIMIT'] || ENV['RACK_MULTIPART_FILE_LIMIT'] || 128).to_i
+
+    # The maximum total number of parts a request can contain. Accepting too
+    # many can lead to excessive memory use and parsing time.
+    self.multipart_total_part_limit = (ENV['RACK_MULTIPART_TOTAL_PART_LIMIT'] || 4096).to_i
 
     def self.param_depth_limit
       default_query_parser.param_depth_limit

data/lib/rack.rb

@@ -20,7 +20,7 @@ module Rack
     VERSION.join(".")
   end
 
-  RELEASE = "2.1.4.2"
+  RELEASE = "2.1.4.3"
 
   # Return the Rack release as a dotted string.
   def self.release

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-  version: 2.1.4.2
+  version: 2.1.4.3
 platform: ruby
 authors:
 - Leah Neukirchen
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-01-17 00:00:00.000000000 Z
+date: 2023-03-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -185,7 +185,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.6
+rubygems_version: 3.4.1
 signing_key:
 specification_version: 4
 summary: a modular Ruby webserver interface