RubyGems - rack - Versions diffs - 2.2.20 → 2.2.21 - Mend

rack 2.2.20 → 2.2.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ef82ea76fce7ba344410cc419cff56e201f8ec9ded624b01b34ad9521b613f99
-  data.tar.gz: de812a77455e5e05e6e2ced224c8cd0ea3c664f9244ed055346a9912ad0091eb
+  metadata.gz: 4cc4da8d168e808db0869fd2544c1622e54594336d2b59a265a74bca7492f648
+  data.tar.gz: cba6ff0fa90676ec68f991ab1142f5ece116d2eb01c06af7285e4a49a41d878c
 SHA512:
-  metadata.gz: 53b096b3b1d67e810a7dbb880dab8e06a107bb9b9e640f94cc1136b5eb9dc9ca9712d9a0d1c28de7544796095222d71ab589776ea361e56a2136e791bbaf5110
-  data.tar.gz: 8fdc0b68d511c84b62d8eaaad9c520928d6e48b75aa2c01ede21b6309231a32652188726bb1e2bff67f849d6b804ad80c8896b3cf28e6a9c700edf8a9fc26ee3
+  metadata.gz: 7005387a9a33b47356933082b1b9fa560eb5356def445ab3245c945059360fd0c7f8fd0a18dbafd744b6c4a62da1c65878b879319af5415d69bcf2081a82176a
+  data.tar.gz: 9c0dbbc1b0a69775122fabdb2c18de7a90f6410e219040362c42447c7379e02d01f52d74108a83fa81d62e1443fddcc66c1ef02982ded712c06cf76fe069a242

data/CHANGELOG.md CHANGED Viewed

@@ -2,6 +2,12 @@
 All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
+## [2.2.21] - 2025-11-03
+### Fixed
+- Multipart parser: limit MIME header size check to the unread buffer region to avoid false `multipart mime part header too large` errors when previously read data accumulates in the scan buffer. ([#2392](https://github.com/rack/rack/pull/2392), [@alpaca-tc](https://github.com/alpaca-tc), [@willnet](https://github.com/willnet), [@krororo](https://github.com/krororo))
 ## [2.2.20] - 2025-10-10
 ### Security
@@ -9,6 +15,13 @@ All notable changes to this project will be documented in this file. For info on
 - [CVE-2025-61780](https://github.com/advisories/GHSA-r657-rxjc-j557) Improper handling of headers in `Rack::Sendfile` may allow proxy bypass.
 - [CVE-2025-61919](https://github.com/advisories/GHSA-6xw4-3v39-52mm) Unbounded read in `Rack::Request` form parsing can lead to memory exhaustion.
+## [2.2.20] - 2025-11-03
+### Fixed
+- Multipart parser: limit MIME header size check to the unread buffer region to avoid false `multipart mime part header too large` errors when previously read data accumulates in the scan buffer. ([#2392](https://github.com/rack/rack/pull/2392), [@alpaca-tc](https://github.com/alpaca-tc), [@willnet](https://github.com/willnet), [@krororo](https://github.com/krororo))
 ## [2.2.19] - 2025-10-07
 ### Security

data/lib/rack/multipart/parser.rb CHANGED Viewed

@@ -314,7 +314,7 @@ module Rack
         else
           # We raise if the mime part header is too large, to avoid unbounded memory
           # buffering. Note that the actual limit is the higher of 64KB and the buffer size (1MB by default)
-          raise EOFError, "multipart mime part header too large" if @sbuf.string.bytesize > MIME_HEADER_BYTESIZE_LIMIT
+          raise EOFError, "multipart mime part header too large" if @sbuf.rest.bytesize > MIME_HEADER_BYTESIZE_LIMIT
           return :want_read
         end

data/lib/rack/version.rb CHANGED Viewed

@@ -20,7 +20,7 @@ module Rack
     VERSION.join(".")
   end
-  RELEASE = "2.2.20"
+  RELEASE = "2.2.21"
   # Return the Rack release as a dotted string.
   def self.release

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-  version: 2.2.20
+  version: 2.2.21
 platform: ruby
 authors:
 - Leah Neukirchen