rack 2.2.19 → 2.2.20
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +13 -6
- data/lib/rack/query_parser.rb +3 -1
- data/lib/rack/request.rb +4 -1
- data/lib/rack/sendfile.rb +40 -10
- data/lib/rack/version.rb +1 -1
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: ef82ea76fce7ba344410cc419cff56e201f8ec9ded624b01b34ad9521b613f99
|
|
4
|
+
data.tar.gz: de812a77455e5e05e6e2ced224c8cd0ea3c664f9244ed055346a9912ad0091eb
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 53b096b3b1d67e810a7dbb880dab8e06a107bb9b9e640f94cc1136b5eb9dc9ca9712d9a0d1c28de7544796095222d71ab589776ea361e56a2136e791bbaf5110
|
|
7
|
+
data.tar.gz: 8fdc0b68d511c84b62d8eaaad9c520928d6e48b75aa2c01ede21b6309231a32652188726bb1e2bff67f849d6b804ad80c8896b3cf28e6a9c700edf8a9fc26ee3
|
data/CHANGELOG.md
CHANGED
|
@@ -2,6 +2,13 @@
|
|
|
2
2
|
|
|
3
3
|
All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
|
|
4
4
|
|
|
5
|
+
## [2.2.20] - 2025-10-10
|
|
6
|
+
|
|
7
|
+
### Security
|
|
8
|
+
|
|
9
|
+
- [CVE-2025-61780](https://github.com/advisories/GHSA-r657-rxjc-j557) Improper handling of headers in `Rack::Sendfile` may allow proxy bypass.
|
|
10
|
+
- [CVE-2025-61919](https://github.com/advisories/GHSA-6xw4-3v39-52mm) Unbounded read in `Rack::Request` form parsing can lead to memory exhaustion.
|
|
11
|
+
|
|
5
12
|
## [2.2.19] - 2025-10-07
|
|
6
13
|
|
|
7
14
|
### Security
|
|
@@ -14,7 +21,7 @@ All notable changes to this project will be documented in this file. For info on
|
|
|
14
21
|
|
|
15
22
|
### Security
|
|
16
23
|
|
|
17
|
-
- [CVE-2025-59830](https://github.com/
|
|
24
|
+
- [CVE-2025-59830](https://github.com/advisories/GHSA-625h-95r8-8xpm) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion via semicolon-separated parameters.
|
|
18
25
|
|
|
19
26
|
## [2.2.17] - 2025-06-03
|
|
20
27
|
|
|
@@ -32,26 +39,26 @@ All notable changes to this project will be documented in this file. For info on
|
|
|
32
39
|
|
|
33
40
|
### Security
|
|
34
41
|
|
|
35
|
-
- [CVE-2025-32441](https://github.com/
|
|
36
|
-
- [CVE-2025-46727](https://github.com/
|
|
42
|
+
- [CVE-2025-32441](https://github.com/advisories/GHSA-vpfw-47h7-xj4g) Rack session can be restored after deletion.
|
|
43
|
+
- [CVE-2025-46727](https://github.com/advisories/GHSA-gjh7-p2fx-99vx) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion.
|
|
37
44
|
|
|
38
45
|
## [2.2.13] - 2025-03-11
|
|
39
46
|
|
|
40
47
|
### Security
|
|
41
48
|
|
|
42
|
-
- [CVE-2025-27610](https://github.com/
|
|
49
|
+
- [CVE-2025-27610](https://github.com/advisories/GHSA-7wqh-767x-r66v) Local file inclusion in `Rack::Static`.
|
|
43
50
|
|
|
44
51
|
## [2.2.12] - 2025-03-04
|
|
45
52
|
|
|
46
53
|
### Security
|
|
47
54
|
|
|
48
|
-
- [CVE-2025-27111](https://github.com/
|
|
55
|
+
- [CVE-2025-27111](https://github.com/advisories/GHSA-8cgq-6mh2-7j6v) Possible Log Injection in `Rack::Sendfile`.
|
|
49
56
|
|
|
50
57
|
## [2.2.11] - 2025-02-12
|
|
51
58
|
|
|
52
59
|
### Security
|
|
53
60
|
|
|
54
|
-
- [CVE-2025-25184](https://github.com/
|
|
61
|
+
- [CVE-2025-25184](https://github.com/advisories/GHSA-7g2v-jj9q-g3rg) Possible Log Injection in `Rack::CommonLogger`.
|
|
55
62
|
|
|
56
63
|
## [2.2.10] - 2024-10-14
|
|
57
64
|
|
data/lib/rack/query_parser.rb
CHANGED
|
@@ -51,6 +51,8 @@ module Rack
|
|
|
51
51
|
PARAMS_LIMIT = env_int.call("RACK_QUERY_PARSER_PARAMS_LIMIT", 4096)
|
|
52
52
|
private_constant :PARAMS_LIMIT
|
|
53
53
|
|
|
54
|
+
attr_reader :bytesize_limit
|
|
55
|
+
|
|
54
56
|
def initialize(params_class, key_space_limit, param_depth_limit, bytesize_limit: BYTESIZE_LIMIT, params_limit: PARAMS_LIMIT)
|
|
55
57
|
@params_class = params_class
|
|
56
58
|
@key_space_limit = key_space_limit
|
|
@@ -185,7 +187,7 @@ module Rack
|
|
|
185
187
|
def check_query_string(qs, sep)
|
|
186
188
|
if qs
|
|
187
189
|
if qs.bytesize > @bytesize_limit
|
|
188
|
-
raise QueryLimitError, "total query size
|
|
190
|
+
raise QueryLimitError, "total query size exceeds limit (#{@bytesize_limit})"
|
|
189
191
|
end
|
|
190
192
|
|
|
191
193
|
if (param_count = qs.count(sep.is_a?(String) ? sep : '&;')) >= @params_limit
|
data/lib/rack/request.rb
CHANGED
|
@@ -444,7 +444,10 @@ module Rack
|
|
|
444
444
|
get_header(RACK_REQUEST_FORM_HASH)
|
|
445
445
|
elsif form_data? || parseable_data?
|
|
446
446
|
unless set_header(RACK_REQUEST_FORM_HASH, parse_multipart)
|
|
447
|
-
|
|
447
|
+
# Add 2 bytes. One to check whether it is over the limit, and a second
|
|
448
|
+
# in case the slice! call below removes the last byte
|
|
449
|
+
# If read returns nil, use the empty string
|
|
450
|
+
form_vars = get_header(RACK_INPUT).read(query_parser.bytesize_limit + 2) || ''
|
|
448
451
|
|
|
449
452
|
# Fix for Safari Ajax postings that always append \0
|
|
450
453
|
# form_vars.sub!(/\0\z/, '') # performance replacement:
|
data/lib/rack/sendfile.rb
CHANGED
|
@@ -40,18 +40,23 @@ module Rack
|
|
|
40
40
|
# proxy_set_header X-Real-IP $remote_addr;
|
|
41
41
|
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
42
42
|
#
|
|
43
|
-
# proxy_set_header X-Sendfile-Type X-Accel-Redirect;
|
|
44
43
|
# proxy_set_header X-Accel-Mapping /var/www/=/files/;
|
|
45
44
|
#
|
|
46
45
|
# proxy_pass http://127.0.0.1:8080/;
|
|
47
46
|
# }
|
|
48
47
|
#
|
|
49
|
-
# Note that the X-Sendfile-Type header must be set exactly as shown above.
|
|
50
48
|
# The X-Accel-Mapping header should specify the location on the file system,
|
|
51
49
|
# followed by an equals sign (=), followed name of the private URL pattern
|
|
52
50
|
# that it maps to. The middleware performs a simple substitution on the
|
|
53
51
|
# resulting path.
|
|
54
52
|
#
|
|
53
|
+
# To enable X-Accel-Redirect, you must configure the middleware explicitly:
|
|
54
|
+
#
|
|
55
|
+
# use Rack::Sendfile, "X-Accel-Redirect"
|
|
56
|
+
#
|
|
57
|
+
# For security reasons, the X-Sendfile-Type header from requests is ignored.
|
|
58
|
+
# The sendfile variation must be set via the middleware constructor.
|
|
59
|
+
#
|
|
55
60
|
# See Also: https://www.nginx.com/resources/wiki/start/topics/examples/xsendfile
|
|
56
61
|
#
|
|
57
62
|
# === lighttpd
|
|
@@ -96,13 +101,25 @@ module Rack
|
|
|
96
101
|
# X-Accel-Mapping header. Mappings should be provided in tuples of internal to
|
|
97
102
|
# external. The internal values may contain regular expression syntax, they
|
|
98
103
|
# will be matched with case indifference.
|
|
104
|
+
#
|
|
105
|
+
# When X-Accel-Redirect is explicitly enabled via the variation parameter,
|
|
106
|
+
# and no application-level mappings are provided, the middleware will read
|
|
107
|
+
# the X-Accel-Mapping header from the proxy. This allows nginx to control
|
|
108
|
+
# the path mapping without requiring application-level configuration.
|
|
109
|
+
#
|
|
110
|
+
# === Security
|
|
111
|
+
#
|
|
112
|
+
# For security reasons, the X-Sendfile-Type header from HTTP requests is
|
|
113
|
+
# ignored. The sendfile variation must be explicitly configured via the
|
|
114
|
+
# middleware constructor to prevent information disclosure vulnerabilities
|
|
115
|
+
# where attackers could bypass proxy restrictions.
|
|
99
116
|
|
|
100
117
|
class Sendfile
|
|
101
118
|
def initialize(app, variation = nil, mappings = [])
|
|
102
119
|
@app = app
|
|
103
120
|
@variation = variation
|
|
104
121
|
@mappings = mappings.map do |internal, external|
|
|
105
|
-
[
|
|
122
|
+
[/\A#{internal}/i, external]
|
|
106
123
|
end
|
|
107
124
|
end
|
|
108
125
|
|
|
@@ -140,22 +157,35 @@ module Rack
|
|
|
140
157
|
end
|
|
141
158
|
|
|
142
159
|
private
|
|
160
|
+
|
|
143
161
|
def variation(env)
|
|
144
|
-
|
|
145
|
-
|
|
146
|
-
|
|
162
|
+
# Note: HTTP_X_SENDFILE_TYPE is intentionally NOT read for security reasons.
|
|
163
|
+
# Attackers could use this header to enable x-accel-redirect and bypass proxy restrictions.
|
|
164
|
+
@variation || env['sendfile.type']
|
|
165
|
+
end
|
|
166
|
+
|
|
167
|
+
def x_accel_mapping(env)
|
|
168
|
+
# Only allow header when:
|
|
169
|
+
# 1. X-Accel-Redirect is explicitly enabled via constructor.
|
|
170
|
+
# 2. No application-level mappings are configured.
|
|
171
|
+
return nil unless @variation =~ /x-accel-redirect/i
|
|
172
|
+
return nil if @mappings.any?
|
|
173
|
+
|
|
174
|
+
env['HTTP_X_ACCEL_MAPPING']
|
|
147
175
|
end
|
|
148
176
|
|
|
149
177
|
def map_accel_path(env, path)
|
|
150
178
|
if mapping = @mappings.find { |internal, _| internal =~ path }
|
|
151
|
-
path.sub(*mapping)
|
|
152
|
-
elsif mapping = env
|
|
179
|
+
return path.sub(*mapping)
|
|
180
|
+
elsif mapping = x_accel_mapping(env)
|
|
181
|
+
# Safe to use header: explicit config + no app mappings:
|
|
153
182
|
mapping.split(',').map(&:strip).each do |m|
|
|
154
183
|
internal, external = m.split('=', 2).map(&:strip)
|
|
155
|
-
new_path = path.sub(
|
|
184
|
+
new_path = path.sub(/\A#{internal}/i, external)
|
|
156
185
|
return new_path unless path == new_path
|
|
157
186
|
end
|
|
158
|
-
|
|
187
|
+
|
|
188
|
+
return path
|
|
159
189
|
end
|
|
160
190
|
end
|
|
161
191
|
end
|
data/lib/rack/version.rb
CHANGED