rack 2.2.14 → 2.2.18

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: cfe795272720eaaf8af60d73a6f48b8f67363e5fc302f55e58db739c3c934b1a
-  data.tar.gz: 6bb1f296c683cb5fb4628aed7cca3b34613d3a72f86cf2821e0d5ef358def5d9
+  metadata.gz: 2a0c02f8ad516a9e66e1d8ec32ca620dfe46328d5b248fb6a72ed0b8e4a0f91c
+  data.tar.gz: d32193586a1367c718a9a4385b26a4159a8e376c852c624fd9e1ad6b77e5137d
 SHA512:
-  metadata.gz: 40d36f5e876e382aaf49daa1f56506577a4e24a3227be7a3645c599850b7de06e4a4292fafcdc9cd4cb3da207e7fb635f0382cad5ae4d0a25a7a4fc5aaa7551f
-  data.tar.gz: 6a348030a182d2d380ba66bdb99d0f9738b6bd25388ca206b4bec1c50fcd195a1d425388c75509628d8fa345a6ccd509741141841bf66722337504685f4c4c7b
+  metadata.gz: 8ea04755b2f8c7d4482a35e601d5fdc73d1fd7f62fc0bade4cf6ce0769cbe7e182ec6c6659dddc44489069a19959a3d5fa799451573a38fb943f21376356329d
+  data.tar.gz: d8c8032d0fb15a750878a0d4127d79957f21890298b7dbdb743dc276ede56fb0a32b94ece434c7d6bea26bf55167b5318ffc9c0e4c0fe6f5d1baf0cadeba6ba5

data/CHANGELOG.md

@@ -2,6 +2,22 @@
 
 All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
 
+## [2.2.18] - 2025-09-25
+
+- [CVE-2025-59830](https://github.com/rack/rack/security/advisories/GHSA-625h-95r8-8xpm) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion via semicolon-separated parameters.
+
+## [2.2.17] - 2025-06-03
+
+- Backport `Rack::MediaType#params` now handles parameters without values. ([#2263](https://github.com/rack/rack/pull/2263), [@AllyMarthaJ](https://github.com/AllyMarthaJ))
+
+## [2.2.16] - 2025-05-22
+
+- Fix incorrect backport of optional `CGI::Cookie` support. ([#2335](https://github.com/rack/rack/pull/2335), [@jeremyevans])
+
+## [2.2.15] - 2025-05-18
+
+- Optional support for `CGI::Cookie` if not available. ([#2327](https://github.com/rack/rack/pull/2327), [#2333](https://github.com/rack/rack/pull/2333), [@earlopain])
+
 ## [2.2.14] - 2025-05-06
 
 ### Security
@@ -777,3 +793,7 @@ Items below this line are from the previously maintained HISTORY.md and NEWS.md
   - Removed Rails adapter, was too alpha.
 
 ## [0.1] 2007-03-03
+
+[@ioquatix]: https://github.com/ioquatix "Samuel Williams"
+[@jeremyevans]: https://github.com/jeremyevans "Jeremy Evans"
+[@earlopain]: https://github.com/earlopain "Earlopain"

data/lib/rack/handler/thin.rb

@@ -15,8 +15,6 @@ module Rack
         host = options.delete(:Host) || default_host
         port = options.delete(:Port) || 8080
         args = [host, port, app, options]
-        # Thin versions below 0.8.0 do not support additional options
-        args.pop if ::Thin::VERSION::MAJOR < 1 && ::Thin::VERSION::MINOR < 8
         server = ::Thin::Server.new(*args)
         yield server if block_given?
         server.start

data/lib/rack/media_type.rb

@@ -27,6 +27,11 @@ module Rack
       # provided.  e.g., when the CONTENT_TYPE is "text/plain;charset=utf-8",
       # this method responds with the following Hash:
       #   { 'charset' => 'utf-8' }
+      #
+      # This will pass back parameters with empty strings in the hash if they
+      # lack a value (e.g., "text/plain;charset=" will return { 'charset' => '' },
+      # and "text/plain;charset" will return { 'charset' => '' }, similarly to 
+      # the query params parser (barring the latter case, which returns nil instead)).
       def params(content_type)
         return {} if content_type.nil?
 
@@ -40,9 +45,9 @@ module Rack
 
       private
 
-        def strip_doublequotes(str)
-          (str.start_with?('"') && str.end_with?('"')) ? str[1..-2] : str
-        end
+      def strip_doublequotes(str)
+        (str && str.start_with?('"') && str.end_with?('"')) ? str[1..-2] : str || ''
+      end
     end
   end
 end

data/lib/rack/mock.rb

@@ -3,7 +3,6 @@
 require 'uri'
 require 'stringio'
 require_relative '../rack'
-require 'cgi/cookie'
 
 module Rack
   # Rack::MockRequest helps testing your Rack application without
@@ -171,6 +170,36 @@ module Rack
   # MockRequest.
 
   class MockResponse < Rack::Response
+    begin
+      # Recent versions of the CGI gem may not provide `CGI::Cookie`.
+      require 'cgi/cookie'
+      Cookie = CGI::Cookie
+    rescue LoadError
+      class Cookie
+        attr_reader :name, :value, :path, :domain, :expires, :secure
+
+        def initialize(args)
+          @name = args["name"]
+          @value = args["value"]
+          @path = args["path"]
+          @domain = args["domain"]
+          @expires = args["expires"]
+          @secure = args["secure"]
+        end
+
+        def method_missing(method_name, *args, &block)
+          @value.send(method_name, *args, &block)
+        end
+        # :nocov:
+        ruby2_keywords(:method_missing) if respond_to?(:ruby2_keywords, true)
+        # :nocov:
+
+        def respond_to_missing?(method_name, include_all = false)
+          @value.respond_to?(method_name, include_all) || super
+        end
+      end
+    end
+
     class << self
       alias [] new
     end
@@ -236,7 +265,7 @@ module Rack
         set_cookie_header.split("\n").each do |cookie|
           cookie_name, cookie_filling = cookie.split('=', 2)
           cookie_attributes = identify_cookie_attributes cookie_filling
-          parsed_cookie = CGI::Cookie.new(
+          parsed_cookie = Cookie.new(
             'name' => cookie_name.strip,
             'value' => cookie_attributes.fetch('value'),
             'path' => cookie_attributes.fetch('path', nil),
@@ -253,7 +282,7 @@ module Rack
     def identify_cookie_attributes(cookie_filling)
       cookie_bits = cookie_filling.split(';')
       cookie_attributes = Hash.new
-      cookie_attributes.store('value', cookie_bits[0].strip)
+      cookie_attributes.store('value', Array(cookie_bits[0].strip))
       cookie_bits.each do |bit|
         if bit.include? '='
           cookie_attribute, attribute_value = bit.split('=')

data/lib/rack/query_parser.rb

@@ -188,7 +188,7 @@ module Rack
           raise QueryLimitError, "total query size (#{qs.bytesize}) exceeds limit (#{@bytesize_limit})"
         end
 
-        if (param_count = qs.count(sep.is_a?(String) ? sep : '&')) >= @params_limit
+        if (param_count = qs.count(sep.is_a?(String) ? sep : '&;')) >= @params_limit
           raise QueryLimitError, "total number of query parameters (#{param_count+1}) exceeds limit (#{@params_limit})"
         end
 

data/lib/rack/version.rb

@@ -20,7 +20,7 @@ module Rack
     VERSION.join(".")
   end
 
-  RELEASE = "2.2.14"
+  RELEASE = "2.2.18"
 
   # Return the Rack release as a dotted string.
   def self.release

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-  version: 2.2.14
+  version: 2.2.18
 platform: ruby
 authors:
 - Leah Neukirchen
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-05-06 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -77,9 +76,9 @@ executables:
 - rackup
 extensions: []
 extra_rdoc_files:
-- README.rdoc
 - CHANGELOG.md
 - CONTRIBUTING.md
+- README.rdoc
 files:
 - CHANGELOG.md
 - CONTRIBUTING.md
@@ -169,7 +168,6 @@ metadata:
   changelog_uri: https://github.com/rack/rack/blob/master/CHANGELOG.md
   documentation_uri: https://rubydoc.info/github/rack/rack
   source_code_uri: https://github.com/rack/rack
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -184,8 +182,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.22
-signing_key:
+rubygems_version: 3.6.9
 specification_version: 4
 summary: A modular Ruby webserver interface.
 test_files: []