rack 2.2.21 → 2.2.22

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (5) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +7 -7
  3. data/lib/rack/directory.rb +5 -2
  4. data/lib/rack/version.rb +1 -1
  5. metadata +2 -2
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 4cc4da8d168e808db0869fd2544c1622e54594336d2b59a265a74bca7492f648
4
- data.tar.gz: cba6ff0fa90676ec68f991ab1142f5ece116d2eb01c06af7285e4a49a41d878c
3
+ metadata.gz: cde47be51f51633c220096db26d6dee3833210970dac5703415a343d9adec7f3
4
+ data.tar.gz: 5aea7ddfbd6bd9257fb7c0586993fe0830effdee2a223173b0924c5909894ad2
5
5
  SHA512:
6
- metadata.gz: 7005387a9a33b47356933082b1b9fa560eb5356def445ab3245c945059360fd0c7f8fd0a18dbafd744b6c4a62da1c65878b879319af5415d69bcf2081a82176a
7
- data.tar.gz: 9c0dbbc1b0a69775122fabdb2c18de7a90f6410e219040362c42447c7379e02d01f52d74108a83fa81d62e1443fddcc66c1ef02982ded712c06cf76fe069a242
6
+ metadata.gz: de22c9fd5e8d0f68002522d903913e47c337485112172da4a233777794045c11dee7cceefe5e4573d4791f83fa6ffc90fbc3b5bf8249c0fef69142619bdc8c38
7
+ data.tar.gz: 0cbd1f6fcc12b243467e0e7c03e6a8e775013472061c83a0f33f4404a6347fd1796432bc2779bf49b87f47b4aff64a19e2dcd438a5ff050df44c944e181429dd
data/CHANGELOG.md CHANGED
@@ -2,6 +2,13 @@
2
2
 
3
3
  All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
4
4
 
5
+ ## Unreleased
6
+
7
+ ### Security
8
+
9
+ - [CVE-2026-25500](https://github.com/advisories/GHSA-whrj-4476-wvmp) XSS injection via malicious filename in `Rack::Directory`.
10
+ - [CVE-2026-22860](https://github.com/advisories/GHSA-mxw3-3hh2-x2mh) Directory traversal via root prefix bypass in `Rack::Directory`.
11
+
5
12
  ## [2.2.21] - 2025-11-03
6
13
 
7
14
  ### Fixed
@@ -15,13 +22,6 @@ All notable changes to this project will be documented in this file. For info on
15
22
  - [CVE-2025-61780](https://github.com/advisories/GHSA-r657-rxjc-j557) Improper handling of headers in `Rack::Sendfile` may allow proxy bypass.
16
23
  - [CVE-2025-61919](https://github.com/advisories/GHSA-6xw4-3v39-52mm) Unbounded read in `Rack::Request` form parsing can lead to memory exhaustion.
17
24
 
18
- ## [2.2.20] - 2025-11-03
19
-
20
- ### Fixed
21
-
22
- - Multipart parser: limit MIME header size check to the unread buffer region to avoid false `multipart mime part header too large` errors when previously read data accumulates in the scan buffer. ([#2392](https://github.com/rack/rack/pull/2392), [@alpaca-tc](https://github.com/alpaca-tc), [@willnet](https://github.com/willnet), [@krororo](https://github.com/krororo))
23
-
24
-
25
25
  ## [2.2.19] - 2025-10-07
26
26
 
27
27
  ### Security
data/lib/rack/directory.rb CHANGED
@@ -11,7 +11,7 @@ module Rack
11
11
  # If +app+ is not specified, a Rack::Files of the same +root+ will be used.
12
12
 
13
13
  class Directory
14
- DIR_FILE = "<tr><td class='name'><a href='%s'>%s</a></td><td class='size'>%s</td><td class='type'>%s</td><td class='mtime'>%s</td></tr>\n"
14
+ DIR_FILE = "<tr><td class='name'><a href='./%s'>%s</a></td><td class='size'>%s</td><td class='type'>%s</td><td class='mtime'>%s</td></tr>\n"
15
15
  DIR_PAGE_HEADER = <<-PAGE
16
16
  <html><head>
17
17
  <title>%s</title>
@@ -76,6 +76,7 @@ table { width:100%%; }
76
76
  # Set the root directory and application for serving files.
77
77
  def initialize(root, app = nil)
78
78
  @root = ::File.expand_path(root)
79
+ @root_with_separator = @root.end_with?(::File::SEPARATOR) ? @root : "#{@root}#{::File::SEPARATOR}"
79
80
  @app = app || Files.new(@root)
80
81
  @head = Head.new(method(:get))
81
82
  end
@@ -112,7 +113,9 @@ table { width:100%%; }
112
113
  # Rack response to use for requests with paths outside the root, or nil if path is inside the root.
113
114
  def check_forbidden(path_info)
114
115
  return unless path_info.include? ".."
115
- return if ::File.expand_path(::File.join(@root, path_info)).start_with?(@root)
116
+
117
+ expanded_path = ::File.expand_path(::File.join(@root, path_info))
118
+ return if expanded_path == @root || expanded_path.start_with?(@root_with_separator)
116
119
 
117
120
  body = "Forbidden\n"
118
121
  [403, { CONTENT_TYPE => "text/plain",
data/lib/rack/version.rb CHANGED
@@ -20,7 +20,7 @@ module Rack
20
20
  VERSION.join(".")
21
21
  end
22
22
 
23
- RELEASE = "2.2.21"
23
+ RELEASE = "2.2.22"
24
24
 
25
25
  # Return the Rack release as a dotted string.
26
26
  def self.release
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rack
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.2.21
4
+ version: 2.2.22
5
5
  platform: ruby
6
6
  authors:
7
7
  - Leah Neukirchen
@@ -182,7 +182,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
182
182
  - !ruby/object:Gem::Version
183
183
  version: '0'
184
184
  requirements: []
185
- rubygems_version: 3.6.9
185
+ rubygems_version: 4.0.3
186
186
  specification_version: 4
187
187
  summary: A modular Ruby webserver interface.
188
188
  test_files: []