RubyGems - rack - Versions diffs - 2.1.4 → 2.1.4.2 - Mend

rack 2.1.4 → 2.1.4.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3851dcf1bb18356cc36d8d390c8b2f7e9abde5a7068dac862246e8280a9d7c41
-  data.tar.gz: 5a5b9b318ba267f8ac3bd726048e6e826ff3feed3bb150252df91c7d038951cc
+  metadata.gz: edbcf6126aae323681d2fdc8e61fbbc036661d3354419ac07a389499c9f2f04a
+  data.tar.gz: a1071b44bbf6fa93a58ad2739f9df6f9450666c18aa94e7c69b8e813f3c290a4
 SHA512:
-  metadata.gz: 7d071738226e954ce7bf0507422e41857bba7a10ceed70c22263b279cbbd19d362066a6ac62999a47212878f7e26e659e396c6c6ee51eb5dc4d5617a41859597
-  data.tar.gz: 2d0ff8ec9f7fe54a4c0d88fd4ae51424b506df4c9a15324830ea36961dda8e5327250637f8b0a4168d4f66e95c815d0f2cc773c56f5a70dcadf5d50491723614
+  metadata.gz: 555cbd0c544abc9102e68450e0e2f7a1a6a758adac673087562419bd85073b5d4130c6446349a1efb68f0cd13ae94863eb083d3e528ec12d6c9e0d71c7047dd1
+  data.tar.gz: 6028521bbb96e209dde73311e30e614f680359ded81465bb23723a45ada328c661104a7487bf5cebc238831504a4e5f370a763769a4dd50d7df1b524da27c24d

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,14 @@
+## [2.1.4.2] - 2022-01-17
+- [CVE-2022-44571] Fix ReDoS vulnerability in multipart parser
+- [CVE-2022-44570] Fix ReDoS in Rack::Utils.get_byte_ranges
+- [CVE-2022-44572] Forbid control characters in attributes (also ReDoS)
+## [2.1.4.1] - 2022-05-27
+- [CVE-2022-30123] Fix shell escaping issue in Common Logger
+- [CVE-2022-30122] Restrict parsing of broken MIME attachments
 ## [2.1.4] - 2020-06-15
 - [CVE-2020-8184] When parsing cookies, only decode the value

data/lib/rack/common_logger.rb CHANGED Viewed

@@ -55,7 +55,10 @@ module Rack
         length,
         Utils.clock_time - began_at ]
+      msg.gsub!(/[^[:print:]\n]/) { |c| "\\x#{c.ord}" }
       logger = @logger || env[RACK_ERRORS]
       # Standard library logger doesn't support write but it supports << which actually
       # calls to write on the log device without formatting
       if logger.respond_to?(:write)

data/lib/rack/lint.rb CHANGED Viewed

@@ -296,7 +296,7 @@ module Rack
       check_hijack env
       ## * The <tt>REQUEST_METHOD</tt> must be a valid token.
-      assert("REQUEST_METHOD unknown: #{env[REQUEST_METHOD]}") {
+      assert("REQUEST_METHOD unknown: #{env[REQUEST_METHOD].dump}") {
         env[REQUEST_METHOD] =~ /\A[0-9A-Za-z!\#$%&'*+.^_`|~-]+\z/
       }

data/lib/rack/multipart/parser.rb CHANGED Viewed

@@ -309,8 +309,9 @@ module Rack
           elsif filename = params['filename*']
             encoding, _, filename = filename.split("'", 3)
           end
-        when BROKEN_QUOTED, BROKEN_UNQUOTED
+        when BROKEN
           filename = $1
+          filename = $1 if filename =~ /^"(.*)"$/
         end
         return unless filename

data/lib/rack/multipart.rb CHANGED Viewed

@@ -16,13 +16,12 @@ module Rack
     TOKEN = /[^\s()<>,;:\\"\/\[\]?=]+/
     CONDISP = /Content-Disposition:\s*#{TOKEN}\s*/i
     VALUE = /"(?:\\"|[^"])*"|#{TOKEN}/
-    BROKEN_QUOTED = /^#{CONDISP}.*;\s*filename="(.*?)"(?:\s*$|\s*;\s*#{TOKEN}=)/i
-    BROKEN_UNQUOTED = /^#{CONDISP}.*;\s*filename=(#{TOKEN})/i
+    BROKEN = /^#{CONDISP}.*;\s*filename=(#{VALUE})/i
     MULTIPART_CONTENT_TYPE = /Content-Type: (.*)#{EOL}/ni
-    MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:.*;\s*name=(#{VALUE})/ni
+    MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:[^:]*;\s*name=(#{VALUE})/ni
     MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
     # Updated definitions from RFC 2231
-    ATTRIBUTE_CHAR = %r{[^ \t\v\n\r)(><@,;:\\"/\[\]?='*%]}
+    ATTRIBUTE_CHAR = %r{[^ \x00-\x1f\x7f)(><@,;:\\"/\[\]?='*%]}
     ATTRIBUTE = /#{ATTRIBUTE_CHAR}+/
     SECTION = /\*[0-9]+/
     REGULAR_PARAMETER_NAME = /#{ATTRIBUTE}#{SECTION}?/

data/lib/rack/utils.rb CHANGED Viewed

@@ -350,17 +350,18 @@ module Rack
       return nil unless http_range && http_range =~ /bytes=([^;]+)/
       ranges = []
       $1.split(/,\s*/).each do |range_spec|
-        return nil  unless range_spec =~ /(\d*)-(\d*)/
-        r0, r1 = $1, $2
-        if r0.empty?
-          return nil  if r1.empty?
+        return nil unless range_spec.include?('-')
+        range = range_spec.split('-')
+        r0, r1 = range[0], range[1]
+        if r0.nil? || r0.empty?
+          return nil if r1.nil?
           # suffix-byte-range-spec, represents trailing suffix of file
           r0 = size - r1.to_i
           r0 = 0  if r0 < 0
           r1 = size - 1
         else
           r0 = r0.to_i
-          if r1.empty?
+          if r1.nil?
             r1 = size - 1
           else
             r1 = r1.to_i

data/lib/rack.rb CHANGED Viewed

@@ -20,7 +20,7 @@ module Rack
     VERSION.join(".")
   end
-  RELEASE = "2.1.4"
+  RELEASE = "2.1.4.2"
   # Return the Rack release as a dotted string.
   def self.release

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-  version: 2.1.4
+  version: 2.1.4.2
 platform: ruby
 authors:
 - Leah Neukirchen
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-06-15 00:00:00.000000000 Z
+date: 2023-01-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -185,7 +185,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.0.pre1
+rubygems_version: 3.1.6
 signing_key:
 specification_version: 4
 summary: a modular Ruby webserver interface