rack 2.2.20 → 2.2.22
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +13 -0
- data/lib/rack/directory.rb +5 -2
- data/lib/rack/multipart/parser.rb +1 -1
- data/lib/rack/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: cde47be51f51633c220096db26d6dee3833210970dac5703415a343d9adec7f3
|
|
4
|
+
data.tar.gz: 5aea7ddfbd6bd9257fb7c0586993fe0830effdee2a223173b0924c5909894ad2
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: de22c9fd5e8d0f68002522d903913e47c337485112172da4a233777794045c11dee7cceefe5e4573d4791f83fa6ffc90fbc3b5bf8249c0fef69142619bdc8c38
|
|
7
|
+
data.tar.gz: 0cbd1f6fcc12b243467e0e7c03e6a8e775013472061c83a0f33f4404a6347fd1796432bc2779bf49b87f47b4aff64a19e2dcd438a5ff050df44c944e181429dd
|
data/CHANGELOG.md
CHANGED
|
@@ -2,6 +2,19 @@
|
|
|
2
2
|
|
|
3
3
|
All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
|
|
4
4
|
|
|
5
|
+
## Unreleased
|
|
6
|
+
|
|
7
|
+
### Security
|
|
8
|
+
|
|
9
|
+
- [CVE-2026-25500](https://github.com/advisories/GHSA-whrj-4476-wvmp) XSS injection via malicious filename in `Rack::Directory`.
|
|
10
|
+
- [CVE-2026-22860](https://github.com/advisories/GHSA-mxw3-3hh2-x2mh) Directory traversal via root prefix bypass in `Rack::Directory`.
|
|
11
|
+
|
|
12
|
+
## [2.2.21] - 2025-11-03
|
|
13
|
+
|
|
14
|
+
### Fixed
|
|
15
|
+
|
|
16
|
+
- Multipart parser: limit MIME header size check to the unread buffer region to avoid false `multipart mime part header too large` errors when previously read data accumulates in the scan buffer. ([#2392](https://github.com/rack/rack/pull/2392), [@alpaca-tc](https://github.com/alpaca-tc), [@willnet](https://github.com/willnet), [@krororo](https://github.com/krororo))
|
|
17
|
+
|
|
5
18
|
## [2.2.20] - 2025-10-10
|
|
6
19
|
|
|
7
20
|
### Security
|
data/lib/rack/directory.rb
CHANGED
|
@@ -11,7 +11,7 @@ module Rack
|
|
|
11
11
|
# If +app+ is not specified, a Rack::Files of the same +root+ will be used.
|
|
12
12
|
|
|
13
13
|
class Directory
|
|
14
|
-
DIR_FILE = "<tr><td class='name'><a href='
|
|
14
|
+
DIR_FILE = "<tr><td class='name'><a href='./%s'>%s</a></td><td class='size'>%s</td><td class='type'>%s</td><td class='mtime'>%s</td></tr>\n"
|
|
15
15
|
DIR_PAGE_HEADER = <<-PAGE
|
|
16
16
|
<html><head>
|
|
17
17
|
<title>%s</title>
|
|
@@ -76,6 +76,7 @@ table { width:100%%; }
|
|
|
76
76
|
# Set the root directory and application for serving files.
|
|
77
77
|
def initialize(root, app = nil)
|
|
78
78
|
@root = ::File.expand_path(root)
|
|
79
|
+
@root_with_separator = @root.end_with?(::File::SEPARATOR) ? @root : "#{@root}#{::File::SEPARATOR}"
|
|
79
80
|
@app = app || Files.new(@root)
|
|
80
81
|
@head = Head.new(method(:get))
|
|
81
82
|
end
|
|
@@ -112,7 +113,9 @@ table { width:100%%; }
|
|
|
112
113
|
# Rack response to use for requests with paths outside the root, or nil if path is inside the root.
|
|
113
114
|
def check_forbidden(path_info)
|
|
114
115
|
return unless path_info.include? ".."
|
|
115
|
-
|
|
116
|
+
|
|
117
|
+
expanded_path = ::File.expand_path(::File.join(@root, path_info))
|
|
118
|
+
return if expanded_path == @root || expanded_path.start_with?(@root_with_separator)
|
|
116
119
|
|
|
117
120
|
body = "Forbidden\n"
|
|
118
121
|
[403, { CONTENT_TYPE => "text/plain",
|
|
@@ -314,7 +314,7 @@ module Rack
|
|
|
314
314
|
else
|
|
315
315
|
# We raise if the mime part header is too large, to avoid unbounded memory
|
|
316
316
|
# buffering. Note that the actual limit is the higher of 64KB and the buffer size (1MB by default)
|
|
317
|
-
raise EOFError, "multipart mime part header too large" if @sbuf.
|
|
317
|
+
raise EOFError, "multipart mime part header too large" if @sbuf.rest.bytesize > MIME_HEADER_BYTESIZE_LIMIT
|
|
318
318
|
|
|
319
319
|
return :want_read
|
|
320
320
|
end
|
data/lib/rack/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rack
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.2.
|
|
4
|
+
version: 2.2.22
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Leah Neukirchen
|
|
@@ -182,7 +182,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
182
182
|
- !ruby/object:Gem::Version
|
|
183
183
|
version: '0'
|
|
184
184
|
requirements: []
|
|
185
|
-
rubygems_version:
|
|
185
|
+
rubygems_version: 4.0.3
|
|
186
186
|
specification_version: 4
|
|
187
187
|
summary: A modular Ruby webserver interface.
|
|
188
188
|
test_files: []
|