rack 2.2.22 → 2.2.23

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: cde47be51f51633c220096db26d6dee3833210970dac5703415a343d9adec7f3
-  data.tar.gz: 5aea7ddfbd6bd9257fb7c0586993fe0830effdee2a223173b0924c5909894ad2
+  metadata.gz: f1956bc102141711f91a9f0daa1507098bd8b7ede58febde9472b875dcb0d4e4
+  data.tar.gz: a8945afc610aed0c61ce8062e3b1394a24c6a457789637cc6835cfd881dac635
 SHA512:
-  metadata.gz: de22c9fd5e8d0f68002522d903913e47c337485112172da4a233777794045c11dee7cceefe5e4573d4791f83fa6ffc90fbc3b5bf8249c0fef69142619bdc8c38
-  data.tar.gz: 0cbd1f6fcc12b243467e0e7c03e6a8e775013472061c83a0f33f4404a6347fd1796432bc2779bf49b87f47b4aff64a19e2dcd438a5ff050df44c944e181429dd
+  metadata.gz: afe4c41e29d6112ba8fe825b33b93d10317d576add705a72de25825caa504c21eefe86cf9308df573dd422cfb4aed24e9453ad4e92720188f4f98c4d2f04c5c4
+  data.tar.gz: d28cd489644e2191917b28f39d689d384c21296e4f4a8a2bab7b1413f4110cb2092336039afc571d1278adbbfa4ebac9b2d27cb342b873336aa6efe037a93f4d

data/CHANGELOG.md

@@ -2,7 +2,21 @@
 
 All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
 
-## Unreleased
+## [2.2.23] - 2026-04-01
+
+### Security
+
+- [CVE-2026-34763](https://github.com/advisories/GHSA-7mqq-6cf9-v2qp) Root directory disclosure via unescaped regex interpolation in `Rack::Directory`.
+- [CVE-2026-34230](https://github.com/advisories/GHSA-v569-hp3g-36wr) Avoid O(n^2) algorithm in `Rack::Utils.select_best_encoding` which could lead to denial of service.
+- [CVE-2026-26961](https://github.com/advisories/GHSA-vgpv-f759-9wx3) Raise error for multipart requests with multiple boundary parameters.
+- [CVE-2026-34786](https://github.com/advisories/GHSA-q4qf-9j86-f5mh) `Rack::Static` `header_rules` bypass via URL-encoded path mismatch.
+- [CVE-2026-34831](https://github.com/advisories/GHSA-q2ww-5357-x388) `Content-Length` mismatch in `Rack::Files` error responses.
+- [CVE-2026-34826](https://github.com/advisories/GHSA-x8cg-fq8g-mxfx) Multipart byte range processing allows denial of service via excessive overlapping ranges.
+- [CVE-2026-34830](https://github.com/advisories/GHSA-qv7j-4883-hwh7) `Rack::Sendfile` header-based `X-Accel-Mapping` regex injection enables unauthorized `X-Accel-Redirect`.
+- [CVE-2026-34785](https://github.com/advisories/GHSA-h2jq-g4cq-5ppq) `Rack::Static` prefix matching can expose unintended files under the static root.
+- [CVE-2026-34829](https://github.com/advisories/GHSA-8vqr-qjwx-82mw) Multipart parsing without `Content-Length` header allows unbounded chunked file uploads.
+
+## [2.2.22] - 2026-02-16
 
 ### Security
 

data/lib/rack/directory.rb

@@ -45,7 +45,7 @@ table { width:100%%; }
     class DirectoryBody < Struct.new(:root, :path, :files)
       # Yield strings for each part of the directory entry
       def each
-        show_path = Utils.escape_html(path.sub(/^#{root}/, ''))
+        show_path = Utils.escape_html(path.sub(/\A#{Regexp.escape(root)}/, ''))
         yield(DIR_PAGE_HEADER % [ show_path, show_path ])
 
         unless path.chomp('/') == root

data/lib/rack/files.rb

@@ -196,7 +196,7 @@ EOF
         status,
         {
           CONTENT_TYPE   => "text/plain",
-          CONTENT_LENGTH => body.size.to_s,
+          CONTENT_LENGTH => body.bytesize.to_s,
           "X-Cascade" => "pass"
         }.merge!(headers),
         [body]

data/lib/rack/multipart/parser.rb

@@ -41,6 +41,10 @@ module Rack
       BUFFERED_UPLOAD_BYTESIZE_LIMIT = env_int.call("RACK_MULTIPART_BUFFERED_UPLOAD_BYTESIZE_LIMIT", 16 * 1024 * 1024)
       private_constant :BUFFERED_UPLOAD_BYTESIZE_LIMIT
 
+      bytesize_limit = env_int.call("RACK_MULTIPART_PARSER_BYTESIZE_LIMIT", 10 * 1024 * 1024 * 1024)
+      PARSER_BYTESIZE_LIMIT = bytesize_limit > 0 ? bytesize_limit : nil
+      private_constant :PARSER_BYTESIZE_LIMIT
+
       class BoundedIO # :nodoc:
         def initialize(io, content_length)
           @io             = io
@@ -81,7 +85,15 @@ module Rack
         return unless content_type
         data = content_type.match(MULTIPART)
         return unless data
-        data[1]
+
+        unless data[1].empty?
+          raise EOFError, "whitespace between boundary parameter name and equal sign"
+        end
+        if data.post_match =~ /boundary\s*=/i
+          raise EOFError, "multiple boundary parameters found in multipart content type"
+        end
+
+        data[2]
       end
 
       def self.parse(io, content_length, content_type, tmpfile, bufsize, qp)
@@ -90,6 +102,10 @@ module Rack
         boundary = parse_boundary content_type
         return EMPTY unless boundary
 
+        if PARSER_BYTESIZE_LIMIT && content_length && content_length > PARSER_BYTESIZE_LIMIT
+          raise EOFError, "multipart Content-Length #{content_length} exceeds limit of #{PARSER_BYTESIZE_LIMIT} bytes"
+        end
+
         io = BoundedIO.new(io, content_length) if content_length
         outbuf = String.new
 
@@ -210,6 +226,7 @@ module Rack
         @mime_index = 0
         @body_retained = nil
         @retained_size = 0
+        @total_bytes_read = (0 if PARSER_BYTESIZE_LIMIT)
         @collector = Collector.new tempfile
 
         @sbuf = StringScanner.new("".dup)
@@ -221,6 +238,12 @@ module Rack
 
       def on_read(content)
         handle_empty_content!(content)
+        if @total_bytes_read
+          @total_bytes_read += content.bytesize
+          if @total_bytes_read > PARSER_BYTESIZE_LIMIT
+            raise EOFError, "multipart upload exceeds limit of #{PARSER_BYTESIZE_LIMIT} bytes"
+          end
+        end
         @sbuf.concat content
         run_parser
       end

data/lib/rack/multipart.rb

@@ -12,7 +12,7 @@ module Rack
 
     EOL = "\r\n"
     MULTIPART_BOUNDARY = "AaB03x"
-    MULTIPART = %r|\Amultipart/.*boundary=\"?([^\";,]+)\"?|ni
+    MULTIPART = %r|\Amultipart/.*?boundary(\s*)=\"?([^\";,]+)\"?|ni
     TOKEN = /[^\s()<>,;:\\"\/\[\]?=]+/
     CONDISP = /Content-Disposition:\s*#{TOKEN}\s*/i
     VALUE = /"(?:\\"|[^"])*"|#{TOKEN}/

data/lib/rack/sendfile.rb

@@ -47,7 +47,7 @@ module Rack
   #
   # The X-Accel-Mapping header should specify the location on the file system,
   # followed by an equals sign (=), followed name of the private URL pattern
-  # that it maps to. The middleware performs a simple substitution on the
+  # that it maps to. The middleware performs a case-insensitive substitution on the
   # resulting path.
   #
   # To enable X-Accel-Redirect, you must configure the middleware explicitly:
@@ -181,7 +181,7 @@ module Rack
         # Safe to use header: explicit config + no app mappings:
         mapping.split(',').map(&:strip).each do |m|
           internal, external = m.split('=', 2).map(&:strip)
-          new_path = path.sub(/\A#{internal}/i, external)
+          new_path = path.sub(/\A#{Regexp.escape(internal)}/i, external)
           return new_path unless path == new_path
         end
 

data/lib/rack/static.rb

@@ -91,6 +91,9 @@ module Rack
     def initialize(app, options = {})
       @app = app
       @urls = options[:urls] || ["/favicon.ico"]
+      if @urls.kind_of?(Array)
+        @urls = @urls.map { |url| [url, url.end_with?('/') ? url : "#{url}/".freeze].freeze }.freeze
+      end
       @index = options[:index]
       @gzip = options[:gzip]
       @cascade = options[:cascade]
@@ -113,7 +116,7 @@ module Rack
     end
 
     def route_file(path)
-      @urls.kind_of?(Array) && @urls.any? { |url| path.index(url) == 0 }
+      @urls.kind_of?(Array) && @urls.any? { |url, url_slash| path == url || path.start_with?(url_slash) }
     end
 
     def can_serve(path)
@@ -165,6 +168,8 @@ module Rack
 
     # Convert HTTP header rules to HTTP headers
     def applicable_rules(path)
+      path = ::Rack::Utils.unescape_path(path)
+
       @header_rules.find_all do |rule, new_headers|
         case rule
         when :all
@@ -172,10 +177,9 @@ module Rack
         when :fonts
           /\.(?:ttf|otf|eot|woff2|woff|svg)\z/.match?(path)
         when String
-          path = ::Rack::Utils.unescape(path)
           path.start_with?(rule) || path.start_with?('/' + rule)
         when Array
-          /\.(#{rule.join('|')})\z/.match?(path)
+          /\.#{Regexp.union(rule)}\z/.match?(path)
         when Regexp
           rule.match?(path)
         else

data/lib/rack/utils.rb

@@ -186,17 +186,41 @@ module Rack
       string.to_s.gsub(ESCAPE_HTML_PATTERN){|c| ESCAPE_HTML[c] }
     end
 
+    # Given an array of available encoding strings, and an array of
+    # acceptable encodings for a request, where each element of the
+    # acceptable encodings array is an array where the first element
+    # is an encoding name and the second element is the numeric
+    # priority for the encoding, return the available encoding with
+    # the highest priority.
+    #
+    # The accept_encoding argument is typically generated by calling
+    # Request#accept_encoding.
+    #
+    # Example:
+    #
+    #   select_best_encoding(%w(compress gzip identity),
+    #                        [["compress", 0.5], ["gzip", 1.0]])
+    #   # => "gzip"
+    #
+    # To reduce denial of service potential, only the first 16
+    # acceptable encodings are considered.
     def select_best_encoding(available_encodings, accept_encoding)
       # http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html
 
+      # Only process the first 16 encodings
+      accept_encoding = accept_encoding[0...16]
       expanded_accept_encoding = []
+      wildcard_seen = false
 
       accept_encoding.each do |m, q|
         preference = available_encodings.index(m) || available_encodings.size
 
         if m == "*"
-          (available_encodings - accept_encoding.map(&:first)).each do |m2|
-            expanded_accept_encoding << [m2, q, preference]
+          unless wildcard_seen
+            (available_encodings - accept_encoding.map(&:first)).each do |m2|
+              expanded_accept_encoding << [m2, q, preference]
+            end
+            wildcard_seen = true
           end
         else
           expanded_accept_encoding << [m, q, preference]
@@ -204,7 +228,13 @@ module Rack
       end
 
       encoding_candidates = expanded_accept_encoding
-        .sort_by { |_, q, p| [-q, p] }
+        .sort do |(_, q1, p1), (_, q2, p2)|
+          if r = (q1 <=> q2).nonzero?
+            -r
+          else
+            (p1 <=> p2).nonzero? || 0
+          end
+        end
         .map!(&:first)
 
       unless encoding_candidates.include?("identity")
@@ -350,16 +380,17 @@ module Rack
     # Parses the "Range:" header, if present, into an array of Range objects.
     # Returns nil if the header is missing or syntactically invalid.
     # Returns an empty array if none of the ranges are satisfiable.
-    def byte_ranges(env, size)
-      warn "`byte_ranges` is deprecated, please use `get_byte_ranges`" if $VERBOSE
-      get_byte_ranges env['HTTP_RANGE'], size
+    def byte_ranges(env, size, max_ranges: 100)
+      get_byte_ranges env['HTTP_RANGE'], size, max_ranges: max_ranges
     end
 
-    def get_byte_ranges(http_range, size)
+    def get_byte_ranges(http_range, size, max_ranges: 100)
       # See <http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.35>
       return nil unless http_range && http_range =~ /bytes=([^;]+)/
+      byte_range = $1
+      return nil if byte_range.count(',') >= max_ranges
       ranges = []
-      $1.split(/,\s*/).each do |range_spec|
+      byte_range.split(/,[ \t]*/).each do |range_spec|
         return nil unless range_spec.include?('-')
         range = range_spec.split('-')
         r0, r1 = range[0], range[1]

data/lib/rack/version.rb

@@ -20,7 +20,7 @@ module Rack
     VERSION.join(".")
   end
 
-  RELEASE = "2.2.22"
+  RELEASE = "2.2.23"
 
   # Return the Rack release as a dotted string.
   def self.release

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-  version: 2.2.22
+  version: 2.2.23
 platform: ruby
 authors:
 - Leah Neukirchen
@@ -182,7 +182,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 4.0.3
+rubygems_version: 4.0.6
 specification_version: 4
 summary: A modular Ruby webserver interface.
 test_files: []