rack 2.1.4 → 2.1.4.1


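--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 3851dcf1bb18356cc36d8d390c8b2f7e9abde5a7068dac862246e8280a9d7c41
-data.tar.gz: 5a5b9b318ba267f8ac3bd726048e6e826ff3feed3bb150252df91c7d038951cc
+metadata.gz: 328f3d4ad7c94b2662ae35cc3633d67060bac8f0acf2728c414094a3c0c3c001
+data.tar.gz: 00f0493d8fa4c8393059d9b3d8da2e0e6401cec2e734daee5ee9c806648a3878
 SHA512:
-metadata.gz: 7d071738226e954ce7bf0507422e41857bba7a10ceed70c22263b279cbbd19d362066a6ac62999a47212878f7e26e659e396c6c6ee51eb5dc4d5617a41859597
-data.tar.gz: 2d0ff8ec9f7fe54a4c0d88fd4ae51424b506df4c9a15324830ea36961dda8e5327250637f8b0a4168d4f66e95c815d0f2cc773c56f5a70dcadf5d50491723614
+metadata.gz: d2987fc196b4eb837e26917c2b8deadfbbd58ff3909a6e12acf3e9bef334d1d0da36bf1d08f10054bee2b57e4e2872dd64964d73ce225cdf028402ec5d52db05
+data.tar.gz: e6276012db31f2c93f433d40c9d3be4beb7999d974d9d1f33eb830d4a4953f6e94840533917dd2e0eddd73e9d95e71f56a3fa72599f70796ecf88fe88677fcd1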
data/CHANGELOG.md CHANGED
@@ -1,3 +1,8 @@
1
+ ## [2.1.4.1] - 2022-05-27
2
+
3
+ - [CVE-2022-30123] Fix shell escaping issue in Common Logger
4
+ - [CVE-2022-30122] Restrict parsing of broken MIME attachments
5
+
1
6
  ## [2.1.4] - 2020-06-15
2
7
 
3
8
  - [CVE-2020-8184] When parsing cookies, only decode the value
@@ -55,7 +55,10 @@ module Rack
55
55
  length,
56
56
  Utils.clock_time - began_at ]
57
57
 
58
+ msg.gsub!(/[^[:print:]\n]/) { |c| "\\x#{c.ord}" }
59
+
58
60
  logger = @logger || env[RACK_ERRORS]
61
+
59
62
  # Standard library logger doesn't support write but it supports << which actually
60
63
  # calls to write on the log device without formatting
61
64
  if logger.respond_to?(:write)
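Review bot: The escape written by the added `msg.gsub!` line is mislabelled: `c.ord` interpolates as a decimal integer, so ESC (0x1b) is logged as `\x27`, which any reader or log parser will decode as the wrong byte. A hex format keeps the prefix honest, `msg.gsub!(/[^[:print:]\n]/) { |c| format("\\x%02x", c.ord) }`, and a multibyte non-printable still yields one unambiguous code point. Note also that `gsub!` raises ArgumentError on a string with an invalid byte sequence, so if `msg` can carry raw header bytes (I can't confirm that from the hunk) a malformed request would abort logging rather than be sanitized; a `scrub` before the substitution would cover that. The enclosing method starts outside the hunk, and the page shows no file header for it; from the CHANGELOG entry above it appears to be the common logger.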
data/lib/rack/lint.rb CHANGED
@@ -296,7 +296,7 @@ module Rack
296
296
  check_hijack env
297
297
 
298
298
  ## * The <tt>REQUEST_METHOD</tt> must be a valid token.
299
- assert("REQUEST_METHOD unknown: #{env[REQUEST_METHOD]}") {
299
+ assert("REQUEST_METHOD unknown: #{env[REQUEST_METHOD].dump}") {
300
300
  env[REQUEST_METHOD] =~ /\A[0-9A-Za-z!\#$%&'*+.^_`|~-]+\z/
301
301
  }
302
302
 
@@ -309,8 +309,9 @@ module Rack
309
309
  elsif filename = params['filename*']
310
310
  encoding, _, filename = filename.split("'", 3)
311
311
  end
312
- when BROKEN_QUOTED, BROKEN_UNQUOTED
312
+ when BROKEN
313
313
  filename = $1
314
+ filename = $1 if filename =~ /^"(.*)"$/
314
315
  end
315
316
 
316
317
  return unless filename
@@ -16,8 +16,7 @@ module Rack
16
16
  TOKEN = /[^\s()<>,;:\\"\/\[\]?=]+/
17
17
  CONDISP = /Content-Disposition:\s*#{TOKEN}\s*/i
18
18
  VALUE = /"(?:\\"|[^"])*"|#{TOKEN}/
19
- BROKEN_QUOTED = /^#{CONDISP}.*;\s*filename="(.*?)"(?:\s*$|\s*;\s*#{TOKEN}=)/i
20
- BROKEN_UNQUOTED = /^#{CONDISP}.*;\s*filename=(#{TOKEN})/i
19
+ BROKEN = /^#{CONDISP}.*;\s*filename=(#{VALUE})/i
21
20
  MULTIPART_CONTENT_TYPE = /Content-Type: (.*)#{EOL}/ni
22
21
  MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:.*;\s*name=(#{VALUE})/ni
23
22
  MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
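Review bot: In the `when BROKEN` hunk the added `filename = $1 if filename =~ /^"(.*)"$/` anchors with `^`/`$`, which in Ruby match at line boundaries rather than string ends; the quoted branch of `VALUE` (`[^"]`) admits newlines, so a quoted value containing one is never unquoted and keeps its surrounding quotes. `filename = $1 if filename =~ /\A"(.*)"\z/m` pins the check to the whole value. The unquoting also leaves the `\"` sequences `VALUE` accepts as-is, which matches the removed `BROKEN_QUOTED` behaviour, so presumably intended. The enclosing method starts outside the hunk, and the `when BROKEN` and constants hunks appear to belong to the multipart parser rather than lint.rb as the section header states — likely an artefact of the page export.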
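--- a/data/lib/rack.rb
+++ b/data/lib/rack.rb
@@ -20,7 +20,7 @@ module Rack
 VERSION.join(".")
 end
 
-RELEASE = "2.1.4"
+RELEASE = "2.1.4.1"
 
 # Return the Rack release as a dotted string.
 def self.release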
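--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-version: 2.1.4
+version: 2.1.4.1
 platform: ruby
 authors:
 - Leah Neukirchen
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-06-15 00:00:00.000000000 Z
+date: 2022-05-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: minitest
@@ -170,7 +170,7 @@ metadata:
 homepage_uri: https://rack.github.io
 mailing_list_uri: https://groups.google.com/forum/#!forum/rack-devel
 source_code_uri: https://github.com/rack/rack
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -185,8 +185,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.2.0.pre1
-signing_key:
+rubygems_version: 3.0.3.1
+signing_key:
 specification_version: 4
 summary: a modular Ruby webserver interface
 test_files: []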