rack 2.2.16 → 2.2.18
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of rack might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +8 -0
- data/lib/rack/handler/thin.rb +0 -2
- data/lib/rack/media_type.rb +8 -3
- data/lib/rack/query_parser.rb +1 -1
- data/lib/rack/version.rb +1 -1
- metadata +4 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 2a0c02f8ad516a9e66e1d8ec32ca620dfe46328d5b248fb6a72ed0b8e4a0f91c
|
|
4
|
+
data.tar.gz: d32193586a1367c718a9a4385b26a4159a8e376c852c624fd9e1ad6b77e5137d
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 8ea04755b2f8c7d4482a35e601d5fdc73d1fd7f62fc0bade4cf6ce0769cbe7e182ec6c6659dddc44489069a19959a3d5fa799451573a38fb943f21376356329d
|
|
7
|
+
data.tar.gz: d8c8032d0fb15a750878a0d4127d79957f21890298b7dbdb743dc276ede56fb0a32b94ece434c7d6bea26bf55167b5318ffc9c0e4c0fe6f5d1baf0cadeba6ba5
|
data/CHANGELOG.md
CHANGED
|
@@ -2,6 +2,14 @@
|
|
|
2
2
|
|
|
3
3
|
All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
|
|
4
4
|
|
|
5
|
+
## [2.2.18] - 2025-09-25
|
|
6
|
+
|
|
7
|
+
- [CVE-2025-59830](https://github.com/rack/rack/security/advisories/GHSA-625h-95r8-8xpm) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion via semicolon-separated parameters.
|
|
8
|
+
|
|
9
|
+
## [2.2.17] - 2025-06-03
|
|
10
|
+
|
|
11
|
+
- Backport `Rack::MediaType#params` now handles parameters without values. ([#2263](https://github.com/rack/rack/pull/2263), [@AllyMarthaJ](https://github.com/AllyMarthaJ))
|
|
12
|
+
|
|
5
13
|
## [2.2.16] - 2025-05-22
|
|
6
14
|
|
|
7
15
|
- Fix incorrect backport of optional `CGI::Cookie` support. ([#2335](https://github.com/rack/rack/pull/2335), [@jeremyevans])
|
data/lib/rack/handler/thin.rb
CHANGED
|
@@ -15,8 +15,6 @@ module Rack
|
|
|
15
15
|
host = options.delete(:Host) || default_host
|
|
16
16
|
port = options.delete(:Port) || 8080
|
|
17
17
|
args = [host, port, app, options]
|
|
18
|
-
# Thin versions below 0.8.0 do not support additional options
|
|
19
|
-
args.pop if ::Thin::VERSION::MAJOR < 1 && ::Thin::VERSION::MINOR < 8
|
|
20
18
|
server = ::Thin::Server.new(*args)
|
|
21
19
|
yield server if block_given?
|
|
22
20
|
server.start
|
data/lib/rack/media_type.rb
CHANGED
|
@@ -27,6 +27,11 @@ module Rack
|
|
|
27
27
|
# provided. e.g., when the CONTENT_TYPE is "text/plain;charset=utf-8",
|
|
28
28
|
# this method responds with the following Hash:
|
|
29
29
|
# { 'charset' => 'utf-8' }
|
|
30
|
+
#
|
|
31
|
+
# This will pass back parameters with empty strings in the hash if they
|
|
32
|
+
# lack a value (e.g., "text/plain;charset=" will return { 'charset' => '' },
|
|
33
|
+
# and "text/plain;charset" will return { 'charset' => '' }, similarly to
|
|
34
|
+
# the query params parser (barring the latter case, which returns nil instead)).
|
|
30
35
|
def params(content_type)
|
|
31
36
|
return {} if content_type.nil?
|
|
32
37
|
|
|
@@ -40,9 +45,9 @@ module Rack
|
|
|
40
45
|
|
|
41
46
|
private
|
|
42
47
|
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
48
|
+
def strip_doublequotes(str)
|
|
49
|
+
(str && str.start_with?('"') && str.end_with?('"')) ? str[1..-2] : str || ''
|
|
50
|
+
end
|
|
46
51
|
end
|
|
47
52
|
end
|
|
48
53
|
end
|
data/lib/rack/query_parser.rb
CHANGED
|
@@ -188,7 +188,7 @@ module Rack
|
|
|
188
188
|
raise QueryLimitError, "total query size (#{qs.bytesize}) exceeds limit (#{@bytesize_limit})"
|
|
189
189
|
end
|
|
190
190
|
|
|
191
|
-
if (param_count = qs.count(sep.is_a?(String) ? sep : '
|
|
191
|
+
if (param_count = qs.count(sep.is_a?(String) ? sep : '&;')) >= @params_limit
|
|
192
192
|
raise QueryLimitError, "total number of query parameters (#{param_count+1}) exceeds limit (#{@params_limit})"
|
|
193
193
|
end
|
|
194
194
|
|
data/lib/rack/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,13 +1,13 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rack
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.2.
|
|
4
|
+
version: 2.2.18
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Leah Neukirchen
|
|
8
8
|
bindir: bin
|
|
9
9
|
cert_chain: []
|
|
10
|
-
date:
|
|
10
|
+
date: 1980-01-02 00:00:00.000000000 Z
|
|
11
11
|
dependencies:
|
|
12
12
|
- !ruby/object:Gem::Dependency
|
|
13
13
|
name: minitest
|
|
@@ -76,9 +76,9 @@ executables:
|
|
|
76
76
|
- rackup
|
|
77
77
|
extensions: []
|
|
78
78
|
extra_rdoc_files:
|
|
79
|
-
- README.rdoc
|
|
80
79
|
- CHANGELOG.md
|
|
81
80
|
- CONTRIBUTING.md
|
|
81
|
+
- README.rdoc
|
|
82
82
|
files:
|
|
83
83
|
- CHANGELOG.md
|
|
84
84
|
- CONTRIBUTING.md
|
|
@@ -182,7 +182,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
182
182
|
- !ruby/object:Gem::Version
|
|
183
183
|
version: '0'
|
|
184
184
|
requirements: []
|
|
185
|
-
rubygems_version: 3.6.
|
|
185
|
+
rubygems_version: 3.6.9
|
|
186
186
|
specification_version: 4
|
|
187
187
|
summary: A modular Ruby webserver interface.
|
|
188
188
|
test_files: []
|