rack 2.2.2 → 2.2.3

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of rack might be problematic. Click here for more details.

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 67bdec7711476ad2de84fac3e118909b94332330645a6d347e09e350c5bf3dd6
4
- data.tar.gz: 301f4cd141d1601d82f3e68cb967566be6422f8020f9a3ec7da1b665c9f2f61c
3
+ metadata.gz: 0b7c25cb392fb659dc54ab275c38e8d838c4357b046f59ff44698d6110129e85
4
+ data.tar.gz: 1f8fbe6d0923969234e772409a98ed6e0a5f0d10efed6a76ac80902257a5bd90
5
5
  SHA512:
6
- metadata.gz: 3c3cca256c84546a8af5faa34d99249d34273f25b7d6b0fc04e9b9212b637872af7c782625674ca07cf33aadee4421c2e82579072613d06349324b7a89733e69
7
- data.tar.gz: 1dd24e07c20fd0b8aca78f93b083549c6c04bcec8e73a8e8aadea1037b359d0ec39b247027ef08bcc7150ee61b22c92cfadf2c3698be30e5101d750bb353ddfa
6
+ metadata.gz: 9021496ff7dce72833074adc1963a0cc5a96bfc14a162cc56d7c54441c3f17de61804f687943a0d07ebe58399c92db540d322576010b4e47c375cdd9aec7d09d
7
+ data.tar.gz: b668e5359266b7ad36387bddd7db329968b5a38ef10290ef22da30e2f7edd082ffebc9e864cc44f09cfb51b491111d27ff1a55a3fa011ad3d45aa6374a8ccb3c
@@ -2,6 +2,10 @@
2
2
 
3
3
  All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
4
4
 
5
+ ## [2.2.3] - 2020-02-11
6
+
7
+ - [CVE-2020-8184] Only decode cookie values
8
+
5
9
  ## [2.2.2] - 2020-02-11
6
10
 
7
11
  ### Fixed
data/SPEC.rdoc CHANGED
@@ -42,17 +42,18 @@ below.
42
42
  <tt>QUERY_STRING</tt>:: The portion of the request URL that
43
43
  follows the <tt>?</tt>, if any. May be
44
44
  empty, but is always required!
45
- <tt>SERVER_NAME</tt>, <tt>SERVER_PORT</tt>::
46
- When combined with <tt>SCRIPT_NAME</tt> and
45
+ <tt>SERVER_NAME</tt>:: When combined with <tt>SCRIPT_NAME</tt> and
47
46
  <tt>PATH_INFO</tt>, these variables can be
48
47
  used to complete the URL. Note, however,
49
48
  that <tt>HTTP_HOST</tt>, if present,
50
49
  should be used in preference to
51
50
  <tt>SERVER_NAME</tt> for reconstructing
52
51
  the request URL.
53
- <tt>SERVER_NAME</tt> and <tt>SERVER_PORT</tt>
54
- can never be empty strings, and so
55
- are always required.
52
+ <tt>SERVER_NAME</tt> can never be an empty
53
+ string, and so is always required.
54
+ <tt>SERVER_PORT</tt>:: An optional +Integer+ which is the port the
55
+ server is running on. Should be specified if
56
+ the server is running on a non-standard port.
56
57
  <tt>HTTP_</tt> Variables:: Variables corresponding to the
57
58
  client-supplied HTTP request
58
59
  headers (i.e., variables whose
@@ -122,6 +123,9 @@ and should be prefixed uniquely. The prefix rack.
122
123
  is reserved for use with the Rack core distribution and other
123
124
  accepted specifications and must not be used otherwise.
124
125
 
126
+ The <tt>SERVER_PORT</tt> must be an Integer if set.
127
+ The <tt>SERVER_NAME</tt> must be a valid authority as defined by RFC7540.
128
+ The <tt>HTTP_HOST</tt> must be a valid authority as defined by RFC7540.
125
129
  The environment must not contain the keys
126
130
  <tt>HTTP_CONTENT_TYPE</tt> or <tt>HTTP_CONTENT_LENGTH</tt>
127
131
  (use the versions without <tt>HTTP_</tt>).
@@ -212,8 +212,12 @@ module Rack
212
212
  # The syntax for cookie headers only supports semicolons
213
213
  # User Agent -> Server ==
214
214
  # Cookie: SID=31d4d96e407aad42; lang=en-US
215
- cookies = parse_query(header, ';') { |s| unescape(s) rescue s }
216
- cookies.each_with_object({}) { |(k, v), hash| hash[k] = Array === v ? v.first : v }
215
+ return {} unless header
216
+ header.split(/[;] */n).each_with_object({}) do |cookie, cookies|
217
+ next if cookie.empty?
218
+ key, value = cookie.split('=', 2)
219
+ cookies[key] = (unescape(value) rescue value) unless cookies.key?(key)
220
+ end
217
221
  end
218
222
 
219
223
  def add_cookie_to_header(header, key, value)
@@ -20,7 +20,7 @@ module Rack
20
20
  VERSION.join(".")
21
21
  end
22
22
 
23
- RELEASE = "2.2.2"
23
+ RELEASE = "2.2.3"
24
24
 
25
25
  # Return the Rack release as a dotted string.
26
26
  def self.release
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rack
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.2.2
4
+ version: 2.2.3
5
5
  platform: ruby
6
6
  authors:
7
7
  - Leah Neukirchen
8
- autorequire:
8
+ autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2020-02-10 00:00:00.000000000 Z
11
+ date: 2020-06-15 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: minitest
@@ -169,7 +169,7 @@ metadata:
169
169
  changelog_uri: https://github.com/rack/rack/blob/master/CHANGELOG.md
170
170
  documentation_uri: https://rubydoc.info/github/rack/rack
171
171
  source_code_uri: https://github.com/rack/rack
172
- post_install_message:
172
+ post_install_message:
173
173
  rdoc_options: []
174
174
  require_paths:
175
175
  - lib
@@ -184,8 +184,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
184
184
  - !ruby/object:Gem::Version
185
185
  version: '0'
186
186
  requirements: []
187
- rubygems_version: 3.0.6
188
- signing_key:
187
+ rubygems_version: 3.2.0.pre1
188
+ signing_key:
189
189
  specification_version: 4
190
190
  summary: A modular Ruby webserver interface.
191
191
  test_files: []