rack 2.2.1 → 2.2.3.1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of rack might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +18 -0
- data/lib/rack/common_logger.rb +3 -0
- data/lib/rack/handler/thin.rb +8 -14
- data/lib/rack/lint.rb +1 -1
- data/lib/rack/multipart/parser.rb +2 -1
- data/lib/rack/multipart.rb +1 -2
- data/lib/rack/request.rb +2 -2
- data/lib/rack/session/abstract/id.rb +1 -0
- data/lib/rack/session/cookie.rb +0 -1
- data/lib/rack/show_exceptions.rb +4 -4
- data/lib/rack/show_status.rb +4 -4
- data/lib/rack/utils.rb +6 -2
- data/lib/rack/version.rb +1 -1
- metadata +3 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: cd07394d5db5fbf3068cc076eea4059190c06a6e466de13383400bec4ff12e52
|
|
4
|
+
data.tar.gz: ae077819a035b88761b3fffe4f48d948c05e88d2b4942a6589216d929936a47d
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 405db34fbc0eca9a8cf15a7887c73a939b33fc25b1283fbc4791a2fbd25053565a19ad891c0b3704b0120157b118997a08b627b856de1dfc088705759930ced2
|
|
7
|
+
data.tar.gz: 98d7b2f6277118a8fa4b7dd7f43eafbc5c4724474b1bb481f798df97b688ec13b61d821d62c04f5839a96ffd298d4a6a2e22f6e2be6d54b0f8485bee37372bc7
|
data/CHANGELOG.md
CHANGED
|
@@ -2,6 +2,24 @@
|
|
|
2
2
|
|
|
3
3
|
All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
|
|
4
4
|
|
|
5
|
+
## [2.2.3.1] - 2022-05-27
|
|
6
|
+
|
|
7
|
+
- [CVE-2022-30123] Fix shell escaping issue in Common Logger
|
|
8
|
+
- [CVE-2022-30122] Restrict parsing of broken MIME attachments
|
|
9
|
+
|
|
10
|
+
## [2.2.3] - 2020-02-11
|
|
11
|
+
|
|
12
|
+
- [CVE-2020-8184] Only decode cookie values
|
|
13
|
+
|
|
14
|
+
## [2.2.2] - 2020-02-11
|
|
15
|
+
|
|
16
|
+
### Fixed
|
|
17
|
+
|
|
18
|
+
- Fix incorrect `Rack::Request#host` value. ([#1591](https://github.com/rack/rack/pull/1591), [@ioquatix](https://github.com/ioquatix))
|
|
19
|
+
- Revert `Rack::Handler::Thin` implementation. ([#1583](https://github.com/rack/rack/pull/1583), [@jeremyevans](https://github.com/jeremyevans))
|
|
20
|
+
- Double assignment is still needed to prevent an "unused variable" warning. ([#1589](https://github.com/rack/rack/pull/1589), [@kamipo](https://github.com/kamipo))
|
|
21
|
+
- Fix to handle same_site option for session pool. ([#1587](https://github.com/rack/rack/pull/1587), [@kamipo](https://github.com/kamipo))
|
|
22
|
+
|
|
5
23
|
## [2.2.1] - 2020-02-09
|
|
6
24
|
|
|
7
25
|
### Fixed
|
data/lib/rack/common_logger.rb
CHANGED
|
@@ -60,7 +60,10 @@ module Rack
|
|
|
60
60
|
length,
|
|
61
61
|
Utils.clock_time - began_at ]
|
|
62
62
|
|
|
63
|
+
msg.gsub!(/[^[:print:]\n]/) { |c| "\\x#{c.ord}" }
|
|
64
|
+
|
|
63
65
|
logger = @logger || env[RACK_ERRORS]
|
|
66
|
+
|
|
64
67
|
# Standard library logger doesn't support write but it supports << which actually
|
|
65
68
|
# calls to write on the log device without formatting
|
|
66
69
|
if logger.respond_to?(:write)
|
data/lib/rack/handler/thin.rb
CHANGED
|
@@ -12,20 +12,14 @@ module Rack
|
|
|
12
12
|
environment = ENV['RACK_ENV'] || 'development'
|
|
13
13
|
default_host = environment == 'development' ? 'localhost' : '0.0.0.0'
|
|
14
14
|
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
server.start
|
|
24
|
-
else
|
|
25
|
-
options[:address] = options[:Host] || default_host
|
|
26
|
-
options[:port] = options[:Port] || 8080
|
|
27
|
-
::Thin::Controllers::Controller.new(options).start
|
|
28
|
-
end
|
|
15
|
+
host = options.delete(:Host) || default_host
|
|
16
|
+
port = options.delete(:Port) || 8080
|
|
17
|
+
args = [host, port, app, options]
|
|
18
|
+
# Thin versions below 0.8.0 do not support additional options
|
|
19
|
+
args.pop if ::Thin::VERSION::MAJOR < 1 && ::Thin::VERSION::MINOR < 8
|
|
20
|
+
server = ::Thin::Server.new(*args)
|
|
21
|
+
yield server if block_given?
|
|
22
|
+
server.start
|
|
29
23
|
end
|
|
30
24
|
|
|
31
25
|
def self.valid_options
|
data/lib/rack/lint.rb
CHANGED
|
@@ -337,7 +337,7 @@ module Rack
|
|
|
337
337
|
check_hijack env
|
|
338
338
|
|
|
339
339
|
## * The <tt>REQUEST_METHOD</tt> must be a valid token.
|
|
340
|
-
assert("REQUEST_METHOD unknown: #{env[REQUEST_METHOD]}") {
|
|
340
|
+
assert("REQUEST_METHOD unknown: #{env[REQUEST_METHOD].dump}") {
|
|
341
341
|
env[REQUEST_METHOD] =~ /\A[0-9A-Za-z!\#$%&'*+.^_`|~-]+\z/
|
|
342
342
|
}
|
|
343
343
|
|
|
@@ -301,8 +301,9 @@ module Rack
|
|
|
301
301
|
elsif filename = params['filename*']
|
|
302
302
|
encoding, _, filename = filename.split("'", 3)
|
|
303
303
|
end
|
|
304
|
-
when
|
|
304
|
+
when BROKEN
|
|
305
305
|
filename = $1
|
|
306
|
+
filename = $1 if filename =~ /^"(.*)"$/
|
|
306
307
|
end
|
|
307
308
|
|
|
308
309
|
return unless filename
|
data/lib/rack/multipart.rb
CHANGED
|
@@ -16,8 +16,7 @@ module Rack
|
|
|
16
16
|
TOKEN = /[^\s()<>,;:\\"\/\[\]?=]+/
|
|
17
17
|
CONDISP = /Content-Disposition:\s*#{TOKEN}\s*/i
|
|
18
18
|
VALUE = /"(?:\\"|[^"])*"|#{TOKEN}/
|
|
19
|
-
|
|
20
|
-
BROKEN_UNQUOTED = /^#{CONDISP}.*;\s*filename=(#{TOKEN})/i
|
|
19
|
+
BROKEN = /^#{CONDISP}.*;\s*filename=(#{VALUE})/i
|
|
21
20
|
MULTIPART_CONTENT_TYPE = /Content-Type: (.*)#{EOL}/ni
|
|
22
21
|
MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:.*;\s*name=(#{VALUE})/ni
|
|
23
22
|
MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
|
data/lib/rack/request.rb
CHANGED
|
@@ -598,7 +598,7 @@ module Rack
|
|
|
598
598
|
value ? value.strip.split(/[,\s]+/) : []
|
|
599
599
|
end
|
|
600
600
|
|
|
601
|
-
AUTHORITY =
|
|
601
|
+
AUTHORITY = /^
|
|
602
602
|
# The host:
|
|
603
603
|
(?<host>
|
|
604
604
|
# An IPv6 address:
|
|
@@ -612,7 +612,7 @@ module Rack
|
|
|
612
612
|
)
|
|
613
613
|
# The optional port:
|
|
614
614
|
(:(?<port>\d+))?
|
|
615
|
-
|
|
615
|
+
$/x
|
|
616
616
|
|
|
617
617
|
private_constant :AUTHORITY
|
|
618
618
|
|
|
@@ -252,6 +252,7 @@ module Rack
|
|
|
252
252
|
@default_options = self.class::DEFAULT_OPTIONS.merge(options)
|
|
253
253
|
@key = @default_options.delete(:key)
|
|
254
254
|
@cookie_only = @default_options.delete(:cookie_only)
|
|
255
|
+
@same_site = @default_options.delete(:same_site)
|
|
255
256
|
initialize_sid
|
|
256
257
|
end
|
|
257
258
|
|
data/lib/rack/session/cookie.rb
CHANGED
data/lib/rack/show_exceptions.rb
CHANGED
|
@@ -63,12 +63,12 @@ module Rack
|
|
|
63
63
|
def pretty(env, exception)
|
|
64
64
|
req = Rack::Request.new(env)
|
|
65
65
|
|
|
66
|
-
# This double assignment is to prevent an "unused variable" warning
|
|
67
|
-
#
|
|
66
|
+
# This double assignment is to prevent an "unused variable" warning.
|
|
67
|
+
# Yes, it is dumb, but I don't like Ruby yelling at me.
|
|
68
68
|
path = path = (req.script_name + req.path_info).squeeze("/")
|
|
69
69
|
|
|
70
|
-
# This double assignment is to prevent an "unused variable" warning
|
|
71
|
-
#
|
|
70
|
+
# This double assignment is to prevent an "unused variable" warning.
|
|
71
|
+
# Yes, it is dumb, but I don't like Ruby yelling at me.
|
|
72
72
|
frames = frames = exception.backtrace.map { |line|
|
|
73
73
|
frame = OpenStruct.new
|
|
74
74
|
if line =~ /(.*?):(\d+)(:in `(.*)')?/
|
data/lib/rack/show_status.rb
CHANGED
|
@@ -23,14 +23,14 @@ module Rack
|
|
|
23
23
|
|
|
24
24
|
# client or server error, or explicit message
|
|
25
25
|
if (status.to_i >= 400 && empty) || env[RACK_SHOWSTATUS_DETAIL]
|
|
26
|
-
# This double assignment is to prevent an "unused variable" warning
|
|
27
|
-
#
|
|
26
|
+
# This double assignment is to prevent an "unused variable" warning.
|
|
27
|
+
# Yes, it is dumb, but I don't like Ruby yelling at me.
|
|
28
28
|
req = req = Rack::Request.new(env)
|
|
29
29
|
|
|
30
30
|
message = Rack::Utils::HTTP_STATUS_CODES[status.to_i] || status.to_s
|
|
31
31
|
|
|
32
|
-
# This double assignment is to prevent an "unused variable" warning
|
|
33
|
-
#
|
|
32
|
+
# This double assignment is to prevent an "unused variable" warning.
|
|
33
|
+
# Yes, it is dumb, but I don't like Ruby yelling at me.
|
|
34
34
|
detail = detail = env[RACK_SHOWSTATUS_DETAIL] || message
|
|
35
35
|
|
|
36
36
|
body = @template.result(binding)
|
data/lib/rack/utils.rb
CHANGED
|
@@ -212,8 +212,12 @@ module Rack
|
|
|
212
212
|
# The syntax for cookie headers only supports semicolons
|
|
213
213
|
# User Agent -> Server ==
|
|
214
214
|
# Cookie: SID=31d4d96e407aad42; lang=en-US
|
|
215
|
-
|
|
216
|
-
|
|
215
|
+
return {} unless header
|
|
216
|
+
header.split(/[;] */n).each_with_object({}) do |cookie, cookies|
|
|
217
|
+
next if cookie.empty?
|
|
218
|
+
key, value = cookie.split('=', 2)
|
|
219
|
+
cookies[key] = (unescape(value) rescue value) unless cookies.key?(key)
|
|
220
|
+
end
|
|
217
221
|
end
|
|
218
222
|
|
|
219
223
|
def add_cookie_to_header(header, key, value)
|
data/lib/rack/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rack
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.2.1
|
|
4
|
+
version: 2.2.3.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Leah Neukirchen
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2022-05-27 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: minitest
|
|
@@ -184,7 +184,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
184
184
|
- !ruby/object:Gem::Version
|
|
185
185
|
version: '0'
|
|
186
186
|
requirements: []
|
|
187
|
-
rubygems_version: 3.0.
|
|
187
|
+
rubygems_version: 3.0.3.1
|
|
188
188
|
signing_key:
|
|
189
189
|
specification_version: 4
|
|
190
190
|
summary: A modular Ruby webserver interface.
|