rack 2.2.3.1 → 2.2.10
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +57 -0
- data/README.rdoc +17 -3
- data/SPEC.rdoc +9 -5
- data/lib/rack/auth/basic.rb +1 -2
- data/lib/rack/auth/digest/nonce.rb +2 -3
- data/lib/rack/etag.rb +2 -0
- data/lib/rack/lint.rb +177 -188
- data/lib/rack/media_type.rb +9 -4
- data/lib/rack/method_override.rb +1 -1
- data/lib/rack/multipart/parser.rb +25 -6
- data/lib/rack/multipart.rb +2 -2
- data/lib/rack/query_parser.rb +6 -2
- data/lib/rack/request.rb +3 -3
- data/lib/rack/session/cookie.rb +3 -3
- data/lib/rack/urlmap.rb +1 -1
- data/lib/rack/utils.rb +34 -15
- data/lib/rack/version.rb +1 -1
- metadata +6 -6
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 89c25f75ddd66c4ab311ec7afaad215f5417ab7c0478fb8da65bef7288b25ead
|
4
|
+
data.tar.gz: 35bef5623220a06f4f1f54a752c0d5d67b23539d9521470446a323a03b25b3fa
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 82b9812778a5e19704f7014a87b5dccffea6122e7a55295cfff5bfc2a581a11d718af4282b1503dc63bd16984ab286367da26ba533081dd7453c5c44d37a3616
|
7
|
+
data.tar.gz: e7231940003fac65c76d7ed327e4f90d3b2ab31f665651e609a607e37952a43ced1b764429f052fef431e849f2bbc6a8841141ce4c51ac898d6bd34f54660b8e
|
data/CHANGELOG.md
CHANGED
@@ -2,13 +2,70 @@
|
|
2
2
|
|
3
3
|
All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
|
4
4
|
|
5
|
+
## Unreleased
|
6
|
+
|
7
|
+
## [2.2.10] - 2024-10-14
|
8
|
+
|
9
|
+
- Fix compatibility issues with Ruby v3.4.0. ([#2248](https://github.com/rack/rack/pull/2248), [@byroot](https://github.com/byroot))
|
10
|
+
|
11
|
+
## [2.2.9] - 2023-03-21
|
12
|
+
|
13
|
+
- Return empty when parsing a multi-part POST with only one end delimiter. ([#2104](https://github.com/rack/rack/pull/2104), [@alpaca-tc])
|
14
|
+
|
15
|
+
## [2.2.8] - 2023-07-31
|
16
|
+
|
17
|
+
- Regenerate SPEC ([#2102](https://github.com/rack/rack/pull/2102), [@skipkayhil](https://github.com/skipkayhil))
|
18
|
+
- Limit file extension length of multipart tempfiles ([#2015](https://github.com/rack/rack/pull/2015), [@dentarg](https://github.com/dentarg))
|
19
|
+
- Fix "undefined method DelegateClass for Rack::Session::Cookie:Class" ([#2092](https://github.com/rack/rack/pull/2092), [@onigra](https://github.com/onigra) [@dchandekstark](https://github.com/dchandekstark))
|
20
|
+
|
21
|
+
## [2.2.7] - 2023-03-13
|
22
|
+
|
23
|
+
- Correct the year number in the changelog ([#2015](https://github.com/rack/rack/pull/2015), [@kimulab](https://github.com/kimulab))
|
24
|
+
- Support underscore in host names for Rack 2.2 (Fixes [#2070](https://github.com/rack/rack/issues/2070)) ([#2015](https://github.com/rack/rack/pull/2071), [@jeremyevans](https://github.com/jeremyevans))
|
25
|
+
|
26
|
+
## [2.2.6.4] - 2023-03-13
|
27
|
+
|
28
|
+
- [CVE-2023-27539] Avoid ReDoS in header parsing
|
29
|
+
|
30
|
+
## [2.2.6.3] - 2023-03-02
|
31
|
+
|
32
|
+
- [CVE-2023-27530] Introduce multipart_total_part_limit to limit total parts
|
33
|
+
|
34
|
+
## [2.2.6.2] - 2023-01-17
|
35
|
+
|
36
|
+
- [CVE-2022-44570] Fix ReDoS in Rack::Utils.get_byte_ranges
|
37
|
+
|
38
|
+
## [2.2.6.1] - 2023-01-17
|
39
|
+
|
40
|
+
- [CVE-2022-44571] Fix ReDoS vulnerability in multipart parser
|
41
|
+
- [CVE-2022-44572] Forbid control characters in attributes (also ReDoS)
|
42
|
+
|
43
|
+
## [2.2.6] - 2023-01-17
|
44
|
+
|
45
|
+
- Extend `Rack::MethodOverride` to handle `QueryParser::ParamsTooDeepError` error. ([#2011](https://github.com/rack/rack/pull/2011), [@byroot](https://github.com/byroot))
|
46
|
+
|
47
|
+
## [2.2.5] - 2022-12-27
|
48
|
+
|
49
|
+
### Fixed
|
50
|
+
|
51
|
+
- `Rack::URLMap` uses non-deprecated form of `Regexp.new`. ([#1998](https://github.com/rack/rack/pull/1998), [@weizheheng](https://github.com/weizheheng))
|
52
|
+
|
53
|
+
## [2.2.4] - 2022-06-30
|
54
|
+
|
55
|
+
- Better support for lower case headers in `Rack::ETag` middleware. ([#1919](https://github.com/rack/rack/pull/1919), [@ioquatix](https://github.com/ioquatix))
|
56
|
+
- Use custom exception on params too deep error. ([#1838](https://github.com/rack/rack/pull/1838), [@simi](https://github.com/simi))
|
57
|
+
|
5
58
|
## [2.2.3.1] - 2022-05-27
|
6
59
|
|
60
|
+
### Security
|
61
|
+
|
7
62
|
- [CVE-2022-30123] Fix shell escaping issue in Common Logger
|
8
63
|
- [CVE-2022-30122] Restrict parsing of broken MIME attachments
|
9
64
|
|
10
65
|
## [2.2.3] - 2020-02-11
|
11
66
|
|
67
|
+
### Security
|
68
|
+
|
12
69
|
- [CVE-2020-8184] Only decode cookie values
|
13
70
|
|
14
71
|
## [2.2.2] - 2020-02-11
|
data/README.rdoc
CHANGED
@@ -202,16 +202,30 @@ Limiting the depth prevents a possible stack overflow when parsing parameters.
|
|
202
202
|
|
203
203
|
Defaults to 100.
|
204
204
|
|
205
|
-
===
|
205
|
+
=== multipart_file_limit
|
206
206
|
|
207
|
-
The maximum number of parts a request can contain.
|
207
|
+
The maximum number of parts with a filename a request can contain.
|
208
208
|
Accepting too many part can lead to the server running out of file handles.
|
209
209
|
|
210
210
|
The default is 128, which means that a single request can't upload more than 128 files at once.
|
211
211
|
|
212
212
|
Set to 0 for no limit.
|
213
213
|
|
214
|
-
Can also be set via the +
|
214
|
+
Can also be set via the +RACK_MULTIPART_FILE_LIMIT+ environment variable.
|
215
|
+
|
216
|
+
(This is also aliased as +multipart_part_limit+ and +RACK_MULTIPART_PART_LIMIT+ for compatibility)
|
217
|
+
|
218
|
+
=== multipart_total_part_limit
|
219
|
+
|
220
|
+
The maximum total number of parts a request can contain of any type, including
|
221
|
+
both file and non-file form fields.
|
222
|
+
|
223
|
+
The default is 4096, which means that a single request can't contain more than
|
224
|
+
4096 parts.
|
225
|
+
|
226
|
+
Set to 0 for no limit.
|
227
|
+
|
228
|
+
Can also be set via the +RACK_MULTIPART_TOTAL_PART_LIMIT+ environment variable.
|
215
229
|
|
216
230
|
== Changelog
|
217
231
|
|
data/SPEC.rdoc
CHANGED
@@ -42,17 +42,18 @@ below.
|
|
42
42
|
<tt>QUERY_STRING</tt>:: The portion of the request URL that
|
43
43
|
follows the <tt>?</tt>, if any. May be
|
44
44
|
empty, but is always required!
|
45
|
-
<tt>SERVER_NAME</tt
|
46
|
-
When combined with <tt>SCRIPT_NAME</tt> and
|
45
|
+
<tt>SERVER_NAME</tt>:: When combined with <tt>SCRIPT_NAME</tt> and
|
47
46
|
<tt>PATH_INFO</tt>, these variables can be
|
48
47
|
used to complete the URL. Note, however,
|
49
48
|
that <tt>HTTP_HOST</tt>, if present,
|
50
49
|
should be used in preference to
|
51
50
|
<tt>SERVER_NAME</tt> for reconstructing
|
52
51
|
the request URL.
|
53
|
-
<tt>SERVER_NAME</tt>
|
54
|
-
|
55
|
-
|
52
|
+
<tt>SERVER_NAME</tt> can never be an empty
|
53
|
+
string, and so is always required.
|
54
|
+
<tt>SERVER_PORT</tt>:: An optional +Integer+ which is the port the
|
55
|
+
server is running on. Should be specified if
|
56
|
+
the server is running on a non-standard port.
|
56
57
|
<tt>HTTP_</tt> Variables:: Variables corresponding to the
|
57
58
|
client-supplied HTTP request
|
58
59
|
headers (i.e., variables whose
|
@@ -122,6 +123,9 @@ and should be prefixed uniquely. The prefix <tt>rack.</tt>
|
|
122
123
|
is reserved for use with the Rack core distribution and other
|
123
124
|
accepted specifications and must not be used otherwise.
|
124
125
|
|
126
|
+
The <tt>SERVER_PORT</tt> must be an Integer if set.
|
127
|
+
The <tt>SERVER_NAME</tt> must be a valid authority as defined by RFC7540.
|
128
|
+
The <tt>HTTP_HOST</tt> must be a valid authority as defined by RFC7540.
|
125
129
|
The environment must not contain the keys
|
126
130
|
<tt>HTTP_CONTENT_TYPE</tt> or <tt>HTTP_CONTENT_LENGTH</tt>
|
127
131
|
(use the versions without <tt>HTTP_</tt>).
|
data/lib/rack/auth/basic.rb
CHANGED
@@ -2,7 +2,6 @@
|
|
2
2
|
|
3
3
|
require_relative 'abstract/handler'
|
4
4
|
require_relative 'abstract/request'
|
5
|
-
require 'base64'
|
6
5
|
|
7
6
|
module Rack
|
8
7
|
module Auth
|
@@ -48,7 +47,7 @@ module Rack
|
|
48
47
|
end
|
49
48
|
|
50
49
|
def credentials
|
51
|
-
@credentials ||=
|
50
|
+
@credentials ||= params.unpack("m").first.split(':', 2)
|
52
51
|
end
|
53
52
|
|
54
53
|
def username
|
@@ -1,7 +1,6 @@
|
|
1
1
|
# frozen_string_literal: true
|
2
2
|
|
3
3
|
require 'digest/md5'
|
4
|
-
require 'base64'
|
5
4
|
|
6
5
|
module Rack
|
7
6
|
module Auth
|
@@ -21,7 +20,7 @@ module Rack
|
|
21
20
|
end
|
22
21
|
|
23
22
|
def self.parse(string)
|
24
|
-
new(*
|
23
|
+
new(*string.unpack("m").first.split(' ', 2))
|
25
24
|
end
|
26
25
|
|
27
26
|
def initialize(timestamp = Time.now, given_digest = nil)
|
@@ -29,7 +28,7 @@ module Rack
|
|
29
28
|
end
|
30
29
|
|
31
30
|
def to_s
|
32
|
-
|
31
|
+
["#{@timestamp} #{digest}"].pack("m").strip
|
33
32
|
end
|
34
33
|
|
35
34
|
def digest
|
data/lib/rack/etag.rb
CHANGED
data/lib/rack/lint.rb
CHANGED
@@ -40,7 +40,7 @@ module Rack
|
|
40
40
|
|
41
41
|
def _call(env)
|
42
42
|
## It takes exactly one argument, the *environment*
|
43
|
-
|
43
|
+
raise LintError, "No env given" unless env
|
44
44
|
check_env env
|
45
45
|
|
46
46
|
env[RACK_INPUT] = InputWrapper.new(env[RACK_INPUT])
|
@@ -48,12 +48,8 @@ module Rack
|
|
48
48
|
|
49
49
|
## and returns an Array of exactly three values:
|
50
50
|
ary = @app.call(env)
|
51
|
-
|
52
|
-
|
53
|
-
}
|
54
|
-
assert("response array #{ary.inspect} has #{ary.size} elements instead of 3") {
|
55
|
-
ary.size == 3
|
56
|
-
}
|
51
|
+
raise LintError, "response is not an Array, but #{ary.class}" unless ary.kind_of? Array
|
52
|
+
raise LintError, "response array has #{ary.size} elements instead of 3" unless ary.size == 3
|
57
53
|
|
58
54
|
status, headers, @body = ary
|
59
55
|
## The *status*,
|
@@ -78,12 +74,8 @@ module Rack
|
|
78
74
|
## The environment must be an unfrozen instance of Hash that includes
|
79
75
|
## CGI-like headers. The application is free to modify the
|
80
76
|
## environment.
|
81
|
-
|
82
|
-
|
83
|
-
}
|
84
|
-
assert("env should not be frozen, but is") {
|
85
|
-
!env.frozen?
|
86
|
-
}
|
77
|
+
raise LintError, "env #{env.inspect} is not a Hash, but #{env.class}" unless env.kind_of? Hash
|
78
|
+
raise LintError, "env should not be frozen, but is" if env.frozen?
|
87
79
|
|
88
80
|
##
|
89
81
|
## The environment is required to include these variables
|
@@ -195,73 +187,73 @@ module Rack
|
|
195
187
|
## The store must implement:
|
196
188
|
if session = env[RACK_SESSION]
|
197
189
|
## store(key, value) (aliased as []=);
|
198
|
-
|
199
|
-
session.
|
200
|
-
|
190
|
+
unless session.respond_to?(:store) && session.respond_to?(:[]=)
|
191
|
+
raise LintError, "session #{session.inspect} must respond to store and []="
|
192
|
+
end
|
201
193
|
|
202
194
|
## fetch(key, default = nil) (aliased as []);
|
203
|
-
|
204
|
-
session.
|
205
|
-
|
195
|
+
unless session.respond_to?(:fetch) && session.respond_to?(:[])
|
196
|
+
raise LintError, "session #{session.inspect} must respond to fetch and []"
|
197
|
+
end
|
206
198
|
|
207
199
|
## delete(key);
|
208
|
-
|
209
|
-
session.
|
210
|
-
|
200
|
+
unless session.respond_to?(:delete)
|
201
|
+
raise LintError, "session #{session.inspect} must respond to delete"
|
202
|
+
end
|
211
203
|
|
212
204
|
## clear;
|
213
|
-
|
214
|
-
session.
|
215
|
-
|
205
|
+
unless session.respond_to?(:clear)
|
206
|
+
raise LintError, "session #{session.inspect} must respond to clear"
|
207
|
+
end
|
216
208
|
|
217
209
|
## to_hash (returning unfrozen Hash instance);
|
218
|
-
|
219
|
-
session.
|
220
|
-
|
210
|
+
unless session.respond_to?(:to_hash) && session.to_hash.kind_of?(Hash) && !session.to_hash.frozen?
|
211
|
+
raise LintError, "session #{session.inspect} must respond to to_hash and return unfrozen Hash instance"
|
212
|
+
end
|
221
213
|
end
|
222
214
|
|
223
215
|
## <tt>rack.logger</tt>:: A common object interface for logging messages.
|
224
216
|
## The object must implement:
|
225
217
|
if logger = env[RACK_LOGGER]
|
226
218
|
## info(message, &block)
|
227
|
-
|
228
|
-
logger.
|
229
|
-
|
219
|
+
unless logger.respond_to?(:info)
|
220
|
+
raise LintError, "logger #{logger.inspect} must respond to info"
|
221
|
+
end
|
230
222
|
|
231
223
|
## debug(message, &block)
|
232
|
-
|
233
|
-
logger.
|
234
|
-
|
224
|
+
unless logger.respond_to?(:debug)
|
225
|
+
raise LintError, "logger #{logger.inspect} must respond to debug"
|
226
|
+
end
|
235
227
|
|
236
228
|
## warn(message, &block)
|
237
|
-
|
238
|
-
logger.
|
239
|
-
|
229
|
+
unless logger.respond_to?(:warn)
|
230
|
+
raise LintError, "logger #{logger.inspect} must respond to warn"
|
231
|
+
end
|
240
232
|
|
241
233
|
## error(message, &block)
|
242
|
-
|
243
|
-
logger.
|
244
|
-
|
234
|
+
unless logger.respond_to?(:error)
|
235
|
+
raise LintError, "logger #{logger.inspect} must respond to error"
|
236
|
+
end
|
245
237
|
|
246
238
|
## fatal(message, &block)
|
247
|
-
|
248
|
-
logger.
|
249
|
-
|
239
|
+
unless logger.respond_to?(:fatal)
|
240
|
+
raise LintError, "logger #{logger.inspect} must respond to fatal"
|
241
|
+
end
|
250
242
|
end
|
251
243
|
|
252
244
|
## <tt>rack.multipart.buffer_size</tt>:: An Integer hint to the multipart parser as to what chunk size to use for reads and writes.
|
253
245
|
if bufsize = env[RACK_MULTIPART_BUFFER_SIZE]
|
254
|
-
|
255
|
-
|
256
|
-
|
246
|
+
unless bufsize.is_a?(Integer) && bufsize > 0
|
247
|
+
raise LintError, "rack.multipart.buffer_size must be an Integer > 0 if specified"
|
248
|
+
end
|
257
249
|
end
|
258
250
|
|
259
251
|
## <tt>rack.multipart.tempfile_factory</tt>:: An object responding to #call with two arguments, the filename and content_type given for the multipart form field, and returning an IO-like object that responds to #<< and optionally #rewind. This factory will be used to instantiate the tempfile for each multipart form file upload field, rather than the default class of Tempfile.
|
260
252
|
if tempfile_factory = env[RACK_MULTIPART_TEMPFILE_FACTORY]
|
261
|
-
|
253
|
+
raise LintError, "rack.multipart.tempfile_factory must respond to #call" unless tempfile_factory.respond_to?(:call)
|
262
254
|
env[RACK_MULTIPART_TEMPFILE_FACTORY] = lambda do |filename, content_type|
|
263
255
|
io = tempfile_factory.call(filename, content_type)
|
264
|
-
|
256
|
+
raise LintError, "rack.multipart.tempfile_factory return value must respond to #<<" unless io.respond_to?(:<<)
|
265
257
|
io
|
266
258
|
end
|
267
259
|
end
|
@@ -276,32 +268,32 @@ module Rack
|
|
276
268
|
%w[REQUEST_METHOD SERVER_NAME QUERY_STRING
|
277
269
|
rack.version rack.input rack.errors
|
278
270
|
rack.multithread rack.multiprocess rack.run_once].each { |header|
|
279
|
-
|
271
|
+
raise LintError, "env missing required key #{header}" unless env.include? header
|
280
272
|
}
|
281
273
|
|
282
274
|
## The <tt>SERVER_PORT</tt> must be an Integer if set.
|
283
|
-
|
284
|
-
|
285
|
-
|
275
|
+
server_port = env["SERVER_PORT"]
|
276
|
+
unless server_port.nil? || (Integer(server_port) rescue false)
|
277
|
+
raise LintError, "env[SERVER_PORT] is not an Integer"
|
286
278
|
end
|
287
279
|
|
288
280
|
## The <tt>SERVER_NAME</tt> must be a valid authority as defined by RFC7540.
|
289
|
-
|
290
|
-
|
281
|
+
unless (URI.parse("http://#{env[SERVER_NAME]}/") rescue false)
|
282
|
+
raise LintError, "#{env[SERVER_NAME]} must be a valid authority"
|
291
283
|
end
|
292
284
|
|
293
285
|
## The <tt>HTTP_HOST</tt> must be a valid authority as defined by RFC7540.
|
294
|
-
|
295
|
-
|
286
|
+
unless (URI.parse("http://#{env[HTTP_HOST]}/") rescue false)
|
287
|
+
raise LintError, "#{env[HTTP_HOST]} must be a valid authority"
|
296
288
|
end
|
297
289
|
|
298
290
|
## The environment must not contain the keys
|
299
291
|
## <tt>HTTP_CONTENT_TYPE</tt> or <tt>HTTP_CONTENT_LENGTH</tt>
|
300
292
|
## (use the versions without <tt>HTTP_</tt>).
|
301
293
|
%w[HTTP_CONTENT_TYPE HTTP_CONTENT_LENGTH].each { |header|
|
302
|
-
|
303
|
-
|
304
|
-
|
294
|
+
if env.include? header
|
295
|
+
raise LintError, "env contains #{header}, must use #{header[5, -1]}"
|
296
|
+
end
|
305
297
|
}
|
306
298
|
|
307
299
|
## The CGI keys (named without a period) must have String values.
|
@@ -309,25 +301,25 @@ module Rack
|
|
309
301
|
## they should use ASCII-8BIT encoding.
|
310
302
|
env.each { |key, value|
|
311
303
|
next if key.include? "." # Skip extensions
|
312
|
-
|
313
|
-
value.
|
314
|
-
|
304
|
+
unless value.kind_of? String
|
305
|
+
raise LintError, "env variable #{key} has non-string value #{value.inspect}"
|
306
|
+
end
|
315
307
|
next if value.encoding == Encoding::ASCII_8BIT
|
316
|
-
|
317
|
-
value.
|
318
|
-
|
308
|
+
unless value.b !~ /[\x80-\xff]/n
|
309
|
+
raise LintError, "env variable #{key} has value containing non-ASCII characters and has non-ASCII-8BIT encoding #{value.inspect} encoding: #{value.encoding}"
|
310
|
+
end
|
319
311
|
}
|
320
312
|
|
321
313
|
## There are the following restrictions:
|
322
314
|
|
323
315
|
## * <tt>rack.version</tt> must be an array of Integers.
|
324
|
-
|
325
|
-
env[RACK_VERSION].
|
326
|
-
|
316
|
+
unless env[RACK_VERSION].kind_of? Array
|
317
|
+
raise LintError, "rack.version must be an Array, was #{env[RACK_VERSION].class}"
|
318
|
+
end
|
327
319
|
## * <tt>rack.url_scheme</tt> must either be +http+ or +https+.
|
328
|
-
|
329
|
-
|
330
|
-
|
320
|
+
unless %w[http https].include?(env[RACK_URL_SCHEME])
|
321
|
+
raise LintError, "rack.url_scheme unknown: #{env[RACK_URL_SCHEME].inspect}"
|
322
|
+
end
|
331
323
|
|
332
324
|
## * There must be a valid input stream in <tt>rack.input</tt>.
|
333
325
|
check_input env[RACK_INPUT]
|
@@ -337,37 +329,33 @@ module Rack
|
|
337
329
|
check_hijack env
|
338
330
|
|
339
331
|
## * The <tt>REQUEST_METHOD</tt> must be a valid token.
|
340
|
-
|
341
|
-
|
342
|
-
|
332
|
+
unless env[REQUEST_METHOD] =~ /\A[0-9A-Za-z!\#$%&'*+.^_`|~-]+\z/
|
333
|
+
raise LintError, "REQUEST_METHOD unknown: #{env[REQUEST_METHOD].dump}"
|
334
|
+
end
|
343
335
|
|
344
336
|
## * The <tt>SCRIPT_NAME</tt>, if non-empty, must start with <tt>/</tt>
|
345
|
-
|
346
|
-
|
347
|
-
|
348
|
-
env[SCRIPT_NAME] =~ /\A\//
|
349
|
-
}
|
337
|
+
if env.include?(SCRIPT_NAME) && env[SCRIPT_NAME] != "" && env[SCRIPT_NAME] !~ /\A\//
|
338
|
+
raise LintError, "SCRIPT_NAME must start with /"
|
339
|
+
end
|
350
340
|
## * The <tt>PATH_INFO</tt>, if non-empty, must start with <tt>/</tt>
|
351
|
-
|
352
|
-
|
353
|
-
|
354
|
-
env[PATH_INFO] =~ /\A\//
|
355
|
-
}
|
341
|
+
if env.include?(PATH_INFO) && env[PATH_INFO] != "" && env[PATH_INFO] !~ /\A\//
|
342
|
+
raise LintError, "PATH_INFO must start with /"
|
343
|
+
end
|
356
344
|
## * The <tt>CONTENT_LENGTH</tt>, if given, must consist of digits only.
|
357
|
-
|
358
|
-
|
359
|
-
|
345
|
+
if env.include?("CONTENT_LENGTH") && env["CONTENT_LENGTH"] !~ /\A\d+\z/
|
346
|
+
raise LintError, "Invalid CONTENT_LENGTH: #{env["CONTENT_LENGTH"]}"
|
347
|
+
end
|
360
348
|
|
361
349
|
## * One of <tt>SCRIPT_NAME</tt> or <tt>PATH_INFO</tt> must be
|
362
350
|
## set. <tt>PATH_INFO</tt> should be <tt>/</tt> if
|
363
351
|
## <tt>SCRIPT_NAME</tt> is empty.
|
364
|
-
|
365
|
-
|
366
|
-
|
352
|
+
unless env[SCRIPT_NAME] || env[PATH_INFO]
|
353
|
+
raise LintError, "One of SCRIPT_NAME or PATH_INFO must be set (make PATH_INFO '/' if SCRIPT_NAME is empty)"
|
354
|
+
end
|
367
355
|
## <tt>SCRIPT_NAME</tt> never should be <tt>/</tt>, but instead be empty.
|
368
|
-
|
369
|
-
|
370
|
-
|
356
|
+
unless env[SCRIPT_NAME] != "/"
|
357
|
+
raise LintError, "SCRIPT_NAME cannot be '/', make it '' and PATH_INFO '/'"
|
358
|
+
end
|
371
359
|
end
|
372
360
|
|
373
361
|
## === The Input Stream
|
@@ -377,18 +365,18 @@ module Rack
|
|
377
365
|
def check_input(input)
|
378
366
|
## When applicable, its external encoding must be "ASCII-8BIT" and it
|
379
367
|
## must be opened in binary mode, for Ruby 1.9 compatibility.
|
380
|
-
|
381
|
-
input
|
382
|
-
|
383
|
-
|
384
|
-
input
|
385
|
-
|
368
|
+
if input.respond_to?(:external_encoding) && input.external_encoding != Encoding::ASCII_8BIT
|
369
|
+
raise LintError, "rack.input #{input} does not have ASCII-8BIT as its external encoding"
|
370
|
+
end
|
371
|
+
if input.respond_to?(:binmode?) && !input.binmode?
|
372
|
+
raise LintError, "rack.input #{input} is not opened in binary mode"
|
373
|
+
end
|
386
374
|
|
387
375
|
## The input stream must respond to +gets+, +each+, +read+ and +rewind+.
|
388
376
|
[:gets, :each, :read, :rewind].each { |method|
|
389
|
-
|
390
|
-
input
|
391
|
-
|
377
|
+
unless input.respond_to? method
|
378
|
+
raise LintError, "rack.input #{input} does not respond to ##{method}"
|
379
|
+
end
|
392
380
|
}
|
393
381
|
end
|
394
382
|
|
@@ -402,11 +390,11 @@ module Rack
|
|
402
390
|
## * +gets+ must be called without arguments and return a string,
|
403
391
|
## or +nil+ on EOF.
|
404
392
|
def gets(*args)
|
405
|
-
|
393
|
+
raise LintError, "rack.input#gets called with arguments" unless args.size == 0
|
406
394
|
v = @input.gets
|
407
|
-
|
408
|
-
|
409
|
-
|
395
|
+
unless v.nil? or v.kind_of? String
|
396
|
+
raise LintError, "rack.input#gets didn't return a String"
|
397
|
+
end
|
410
398
|
v
|
411
399
|
end
|
412
400
|
|
@@ -428,32 +416,32 @@ module Rack
|
|
428
416
|
## If +buffer+ is given, then the read data will be placed
|
429
417
|
## into +buffer+ instead of a newly created String object.
|
430
418
|
def read(*args)
|
431
|
-
|
432
|
-
|
433
|
-
|
419
|
+
unless args.size <= 2
|
420
|
+
raise LintError, "rack.input#read called with too many arguments"
|
421
|
+
end
|
434
422
|
if args.size >= 1
|
435
|
-
|
436
|
-
|
437
|
-
|
438
|
-
|
439
|
-
|
440
|
-
|
423
|
+
unless args.first.kind_of?(Integer) || args.first.nil?
|
424
|
+
raise LintError, "rack.input#read called with non-integer and non-nil length"
|
425
|
+
end
|
426
|
+
unless args.first.nil? || args.first >= 0
|
427
|
+
raise LintError, "rack.input#read called with a negative length"
|
428
|
+
end
|
441
429
|
end
|
442
430
|
if args.size >= 2
|
443
|
-
|
444
|
-
|
445
|
-
|
431
|
+
unless args[1].kind_of?(String)
|
432
|
+
raise LintError, "rack.input#read called with non-String buffer"
|
433
|
+
end
|
446
434
|
end
|
447
435
|
|
448
436
|
v = @input.read(*args)
|
449
437
|
|
450
|
-
|
451
|
-
|
452
|
-
|
438
|
+
unless v.nil? or v.kind_of? String
|
439
|
+
raise LintError, "rack.input#read didn't return nil or a String"
|
440
|
+
end
|
453
441
|
if args[0].nil?
|
454
|
-
|
455
|
-
|
456
|
-
|
442
|
+
unless !v.nil?
|
443
|
+
raise LintError, "rack.input#read(nil) returned nil on EOF"
|
444
|
+
end
|
457
445
|
end
|
458
446
|
|
459
447
|
v
|
@@ -461,11 +449,11 @@ module Rack
|
|
461
449
|
|
462
450
|
## * +each+ must be called without arguments and only yield Strings.
|
463
451
|
def each(*args)
|
464
|
-
|
452
|
+
raise LintError, "rack.input#each called with arguments" unless args.size == 0
|
465
453
|
@input.each { |line|
|
466
|
-
|
467
|
-
|
468
|
-
|
454
|
+
unless line.kind_of? String
|
455
|
+
raise LintError, "rack.input#each didn't yield a String"
|
456
|
+
end
|
469
457
|
yield line
|
470
458
|
}
|
471
459
|
end
|
@@ -476,20 +464,18 @@ module Rack
|
|
476
464
|
## developers must buffer the input data into some rewindable object
|
477
465
|
## if the underlying input stream is not rewindable.
|
478
466
|
def rewind(*args)
|
479
|
-
|
480
|
-
|
481
|
-
|
482
|
-
|
483
|
-
|
484
|
-
|
485
|
-
|
486
|
-
end
|
487
|
-
}
|
467
|
+
raise LintError, "rack.input#rewind called with arguments" unless args.size == 0
|
468
|
+
begin
|
469
|
+
@input.rewind
|
470
|
+
true
|
471
|
+
rescue Errno::ESPIPE
|
472
|
+
raise LintError, "rack.input#rewind raised Errno::ESPIPE"
|
473
|
+
end
|
488
474
|
end
|
489
475
|
|
490
476
|
## * +close+ must never be called on the input stream.
|
491
477
|
def close(*args)
|
492
|
-
|
478
|
+
raise LintError, "rack.input#close must not be called"
|
493
479
|
end
|
494
480
|
end
|
495
481
|
|
@@ -497,9 +483,9 @@ module Rack
|
|
497
483
|
def check_error(error)
|
498
484
|
## The error stream must respond to +puts+, +write+ and +flush+.
|
499
485
|
[:puts, :write, :flush].each { |method|
|
500
|
-
|
501
|
-
error
|
502
|
-
|
486
|
+
unless error.respond_to? method
|
487
|
+
raise LintError, "rack.error #{error} does not respond to ##{method}"
|
488
|
+
end
|
503
489
|
}
|
504
490
|
end
|
505
491
|
|
@@ -517,7 +503,7 @@ module Rack
|
|
517
503
|
|
518
504
|
## * +write+ must be called with a single argument that is a String.
|
519
505
|
def write(str)
|
520
|
-
|
506
|
+
raise LintError, "rack.errors#write not called with a String" unless str.kind_of? String
|
521
507
|
@error.write str
|
522
508
|
end
|
523
509
|
|
@@ -529,7 +515,7 @@ module Rack
|
|
529
515
|
|
530
516
|
## * +close+ must never be called on the error stream.
|
531
517
|
def close(*args)
|
532
|
-
|
518
|
+
raise LintError, "rack.errors#close must not be called"
|
533
519
|
end
|
534
520
|
end
|
535
521
|
|
@@ -547,7 +533,7 @@ module Rack
|
|
547
533
|
def initialize(io)
|
548
534
|
@io = io
|
549
535
|
REQUIRED_METHODS.each do |meth|
|
550
|
-
|
536
|
+
raise LintError, "rack.hijack_io must respond to #{meth}" unless io.respond_to? meth
|
551
537
|
end
|
552
538
|
end
|
553
539
|
end
|
@@ -563,7 +549,7 @@ module Rack
|
|
563
549
|
if env[RACK_IS_HIJACK]
|
564
550
|
## If rack.hijack? is true then rack.hijack must respond to #call.
|
565
551
|
original_hijack = env[RACK_HIJACK]
|
566
|
-
|
552
|
+
raise LintError, "rack.hijack must respond to call" unless original_hijack.respond_to?(:call)
|
567
553
|
env[RACK_HIJACK] = proc do
|
568
554
|
## rack.hijack must return the io that will also be assigned (or is
|
569
555
|
## already present, in rack.hijack_io.
|
@@ -596,10 +582,10 @@ module Rack
|
|
596
582
|
else
|
597
583
|
##
|
598
584
|
## If rack.hijack? is false, then rack.hijack should not be set.
|
599
|
-
|
585
|
+
raise LintError, "rack.hijack? is false, but rack.hijack is present" unless env[RACK_HIJACK].nil?
|
600
586
|
##
|
601
587
|
## If rack.hijack? is false, then rack.hijack_io should not be set.
|
602
|
-
|
588
|
+
raise LintError, "rack.hijack? is false, but rack.hijack_io is present" unless env[RACK_HIJACK_IO].nil?
|
603
589
|
end
|
604
590
|
end
|
605
591
|
|
@@ -630,9 +616,9 @@ module Rack
|
|
630
616
|
## the <tt>rack.hijack</tt> response API is in use.
|
631
617
|
|
632
618
|
if env[RACK_IS_HIJACK] && headers[RACK_HIJACK]
|
633
|
-
|
634
|
-
|
635
|
-
|
619
|
+
unless headers[RACK_HIJACK].respond_to? :call
|
620
|
+
raise LintError, 'rack.hijack header must respond to #call'
|
621
|
+
end
|
636
622
|
original_hijack = headers[RACK_HIJACK]
|
637
623
|
proc do |io|
|
638
624
|
original_hijack.call HijackWrapper.new(io)
|
@@ -641,9 +627,9 @@ module Rack
|
|
641
627
|
##
|
642
628
|
## The special response header <tt>rack.hijack</tt> must only be set
|
643
629
|
## if the request env has <tt>rack.hijack?</tt> <tt>true</tt>.
|
644
|
-
|
645
|
-
|
646
|
-
|
630
|
+
unless headers[RACK_HIJACK].nil?
|
631
|
+
raise LintError, 'rack.hijack header must not be present if server does not support hijacking'
|
632
|
+
end
|
647
633
|
|
648
634
|
nil
|
649
635
|
end
|
@@ -661,42 +647,45 @@ module Rack
|
|
661
647
|
def check_status(status)
|
662
648
|
## This is an HTTP status. When parsed as integer (+to_i+), it must be
|
663
649
|
## greater than or equal to 100.
|
664
|
-
|
650
|
+
unless status.to_i >= 100
|
651
|
+
raise LintError, "Status must be >=100 seen as integer"
|
652
|
+
end
|
665
653
|
end
|
666
654
|
|
667
655
|
## === The Headers
|
668
656
|
def check_headers(header)
|
669
657
|
## The header must respond to +each+, and yield values of key and value.
|
670
|
-
|
671
|
-
|
672
|
-
|
658
|
+
unless header.respond_to? :each
|
659
|
+
raise LintError, "headers object should respond to #each, but doesn't (got #{header.class} as headers)"
|
660
|
+
end
|
673
661
|
|
674
662
|
header.each { |key, value|
|
675
663
|
## The header keys must be Strings.
|
676
|
-
|
677
|
-
key.
|
678
|
-
|
664
|
+
unless key.kind_of? String
|
665
|
+
raise LintError, "header key must be a string, was #{key.class}"
|
666
|
+
end
|
679
667
|
|
680
668
|
## Special headers starting "rack." are for communicating with the
|
681
669
|
## server, and must not be sent back to the client.
|
682
670
|
next if key =~ /^rack\..+$/
|
683
671
|
|
684
672
|
## The header must not contain a +Status+ key.
|
685
|
-
|
673
|
+
raise LintError, "header must not contain Status" if key.downcase == "status"
|
686
674
|
## The header must conform to RFC7230 token specification, i.e. cannot
|
687
675
|
## contain non-printable ASCII, DQUOTE or "(),/:;<=>?@[\]{}".
|
688
|
-
|
676
|
+
raise LintError, "invalid header name: #{key}" if key =~ /[\(\),\/:;<=>\?@\[\\\]{}[:cntrl:]]/
|
689
677
|
|
690
678
|
## The values of the header must be Strings,
|
691
|
-
|
692
|
-
"'#{key}' is a #{value.class}"
|
679
|
+
unless value.kind_of? String
|
680
|
+
raise LintError, "a header value must be a String, but the value of '#{key}' is a #{value.class}"
|
681
|
+
end
|
693
682
|
## consisting of lines (for multiple header values, e.g. multiple
|
694
683
|
## <tt>Set-Cookie</tt> values) separated by "\\n".
|
695
684
|
value.split("\n").each { |item|
|
696
685
|
## The lines must not contain characters below 037.
|
697
|
-
|
698
|
-
|
699
|
-
|
686
|
+
if item =~ /[\000-\037]/
|
687
|
+
raise LintError, "invalid header value #{key}: #{item.inspect}"
|
688
|
+
end
|
700
689
|
}
|
701
690
|
}
|
702
691
|
end
|
@@ -707,9 +696,9 @@ module Rack
|
|
707
696
|
## There must not be a <tt>Content-Type</tt>, when the +Status+ is 1xx,
|
708
697
|
## 204 or 304.
|
709
698
|
if key.downcase == "content-type"
|
710
|
-
|
711
|
-
|
712
|
-
|
699
|
+
if Rack::Utils::STATUS_WITH_NO_ENTITY_BODY.key? status.to_i
|
700
|
+
raise LintError, "Content-Type header found in #{status} response, not allowed"
|
701
|
+
end
|
713
702
|
return
|
714
703
|
end
|
715
704
|
}
|
@@ -721,9 +710,9 @@ module Rack
|
|
721
710
|
if key.downcase == 'content-length'
|
722
711
|
## There must not be a <tt>Content-Length</tt> header when the
|
723
712
|
## +Status+ is 1xx, 204 or 304.
|
724
|
-
|
725
|
-
|
726
|
-
|
713
|
+
if Rack::Utils::STATUS_WITH_NO_ENTITY_BODY.key? status.to_i
|
714
|
+
raise LintError, "Content-Length header found in #{status} response, not allowed"
|
715
|
+
end
|
727
716
|
@content_length = value
|
728
717
|
end
|
729
718
|
}
|
@@ -731,13 +720,13 @@ module Rack
|
|
731
720
|
|
732
721
|
def verify_content_length(bytes)
|
733
722
|
if @head_request
|
734
|
-
|
735
|
-
|
736
|
-
|
723
|
+
unless bytes == 0
|
724
|
+
raise LintError, "Response body was given for HEAD request, but should be empty"
|
725
|
+
end
|
737
726
|
elsif @content_length
|
738
|
-
|
739
|
-
@content_length
|
740
|
-
|
727
|
+
unless @content_length == bytes.to_s
|
728
|
+
raise LintError, "Content-Length header was #{@content_length}, but should be #{bytes}"
|
729
|
+
end
|
741
730
|
end
|
742
731
|
end
|
743
732
|
|
@@ -747,15 +736,15 @@ module Rack
|
|
747
736
|
bytes = 0
|
748
737
|
|
749
738
|
## The Body must respond to +each+
|
750
|
-
|
751
|
-
|
739
|
+
unless @body.respond_to?(:each)
|
740
|
+
raise LintError, "Response body must respond to each"
|
752
741
|
end
|
753
742
|
|
754
743
|
@body.each { |part|
|
755
744
|
## and must only yield String values.
|
756
|
-
|
757
|
-
part.
|
758
|
-
|
745
|
+
unless part.kind_of? String
|
746
|
+
raise LintError, "Body yielded non-string value #{part.inspect}"
|
747
|
+
end
|
759
748
|
bytes += part.bytesize
|
760
749
|
yield part
|
761
750
|
}
|
@@ -768,7 +757,7 @@ module Rack
|
|
768
757
|
## If the Body responds to +close+, it will be called after iteration. If
|
769
758
|
## the body is replaced by a middleware after action, the original body
|
770
759
|
## must be closed first, if it responds to close.
|
771
|
-
# XXX howto:
|
760
|
+
# XXX howto: raise LintError, "Body has not been closed" unless @closed
|
772
761
|
|
773
762
|
|
774
763
|
##
|
@@ -779,9 +768,9 @@ module Rack
|
|
779
768
|
## transport the response.
|
780
769
|
|
781
770
|
if @body.respond_to?(:to_path)
|
782
|
-
|
783
|
-
|
784
|
-
|
771
|
+
unless ::File.exist? @body.to_path
|
772
|
+
raise LintError, "The file identified by body.to_path does not exist"
|
773
|
+
end
|
785
774
|
end
|
786
775
|
|
787
776
|
##
|
data/lib/rack/media_type.rb
CHANGED
@@ -4,7 +4,7 @@ module Rack
|
|
4
4
|
# Rack::MediaType parse media type and parameters out of content_type string
|
5
5
|
|
6
6
|
class MediaType
|
7
|
-
SPLIT_PATTERN =
|
7
|
+
SPLIT_PATTERN = /[;,]/
|
8
8
|
|
9
9
|
class << self
|
10
10
|
# The media type (type/subtype) portion of the CONTENT_TYPE header
|
@@ -15,7 +15,11 @@ module Rack
|
|
15
15
|
# http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.7
|
16
16
|
def type(content_type)
|
17
17
|
return nil unless content_type
|
18
|
-
content_type.split(SPLIT_PATTERN, 2).first
|
18
|
+
if type = content_type.split(SPLIT_PATTERN, 2).first
|
19
|
+
type.rstrip!
|
20
|
+
type.downcase!
|
21
|
+
type
|
22
|
+
end
|
19
23
|
end
|
20
24
|
|
21
25
|
# The media type parameters provided in CONTENT_TYPE as a Hash, or
|
@@ -27,9 +31,10 @@ module Rack
|
|
27
31
|
return {} if content_type.nil?
|
28
32
|
|
29
33
|
content_type.split(SPLIT_PATTERN)[1..-1].each_with_object({}) do |s, hsh|
|
34
|
+
s.strip!
|
30
35
|
k, v = s.split('=', 2)
|
31
|
-
|
32
|
-
hsh[k
|
36
|
+
k.downcase!
|
37
|
+
hsh[k] = strip_doublequotes(v)
|
33
38
|
end
|
34
39
|
end
|
35
40
|
|
data/lib/rack/method_override.rb
CHANGED
@@ -43,7 +43,7 @@ module Rack
|
|
43
43
|
|
44
44
|
def method_override_param(req)
|
45
45
|
req.POST[METHOD_OVERRIDE_PARAM_KEY]
|
46
|
-
rescue Utils::InvalidParameterError, Utils::ParameterTypeError
|
46
|
+
rescue Utils::InvalidParameterError, Utils::ParameterTypeError, QueryParser::ParamsTooDeepError
|
47
47
|
req.get_header(RACK_ERRORS).puts "Invalid or incomplete POST params"
|
48
48
|
rescue EOFError
|
49
49
|
req.get_header(RACK_ERRORS).puts "Bad request content body"
|
@@ -5,6 +5,7 @@ require 'strscan'
|
|
5
5
|
module Rack
|
6
6
|
module Multipart
|
7
7
|
class MultipartPartLimitError < Errno::EMFILE; end
|
8
|
+
class MultipartTotalPartLimitError < StandardError; end
|
8
9
|
|
9
10
|
class Parser
|
10
11
|
(require_relative '../core_ext/regexp'; using ::Rack::RegexpExtensions) if RUBY_VERSION < '2.4'
|
@@ -12,7 +13,9 @@ module Rack
|
|
12
13
|
BUFSIZE = 1_048_576
|
13
14
|
TEXT_PLAIN = "text/plain"
|
14
15
|
TEMPFILE_FACTORY = lambda { |filename, content_type|
|
15
|
-
|
16
|
+
extension = ::File.extname(filename.gsub("\0", '%00'))[0, 129]
|
17
|
+
|
18
|
+
Tempfile.new(["RackMultipart", extension])
|
16
19
|
}
|
17
20
|
|
18
21
|
BOUNDARY_REGEX = /\A([^\n]*(?:\n|\Z))/
|
@@ -140,7 +143,7 @@ module Rack
|
|
140
143
|
|
141
144
|
@mime_parts[mime_index] = klass.new(body, head, filename, content_type, name)
|
142
145
|
|
143
|
-
|
146
|
+
check_part_limits
|
144
147
|
end
|
145
148
|
|
146
149
|
def on_mime_body(mime_index, content)
|
@@ -152,13 +155,23 @@ module Rack
|
|
152
155
|
|
153
156
|
private
|
154
157
|
|
155
|
-
def
|
156
|
-
|
157
|
-
|
158
|
+
def check_part_limits
|
159
|
+
file_limit = Utils.multipart_file_limit
|
160
|
+
part_limit = Utils.multipart_total_part_limit
|
161
|
+
|
162
|
+
if file_limit && file_limit > 0
|
163
|
+
if @open_files >= file_limit
|
158
164
|
@mime_parts.each(&:close)
|
159
165
|
raise MultipartPartLimitError, 'Maximum file multiparts in content reached'
|
160
166
|
end
|
161
167
|
end
|
168
|
+
|
169
|
+
if part_limit && part_limit > 0
|
170
|
+
if @mime_parts.size >= part_limit
|
171
|
+
@mime_parts.each(&:close)
|
172
|
+
raise MultipartTotalPartLimitError, 'Maximum total multiparts in content reached'
|
173
|
+
end
|
174
|
+
end
|
162
175
|
end
|
163
176
|
end
|
164
177
|
|
@@ -178,6 +191,7 @@ module Rack
|
|
178
191
|
|
179
192
|
@sbuf = StringScanner.new("".dup)
|
180
193
|
@body_regex = /(?:#{EOL})?#{Regexp.quote(@boundary)}(?:#{EOL}|--)/m
|
194
|
+
@end_boundary_size = boundary.bytesize + 6 # (-- at start, -- at finish, EOL at end)
|
181
195
|
@rx_max_size = EOL.size + @boundary.bytesize + [EOL.size, '--'.size].max
|
182
196
|
@head_regex = /(.*?#{EOL})#{EOL}/m
|
183
197
|
end
|
@@ -218,7 +232,12 @@ module Rack
|
|
218
232
|
end
|
219
233
|
|
220
234
|
def handle_fast_forward
|
221
|
-
|
235
|
+
tok = consume_boundary
|
236
|
+
|
237
|
+
if tok == :END_BOUNDARY && @sbuf.pos == @end_boundary_size && @sbuf.eos?
|
238
|
+
# stop parsing a buffer if a buffer is only an end boundary.
|
239
|
+
@state = :DONE
|
240
|
+
elsif tok
|
222
241
|
@state = :MIME_HEAD
|
223
242
|
else
|
224
243
|
raise EOFError, "bad content body" if @sbuf.rest_size >= @bufsize
|
data/lib/rack/multipart.rb
CHANGED
@@ -18,10 +18,10 @@ module Rack
|
|
18
18
|
VALUE = /"(?:\\"|[^"])*"|#{TOKEN}/
|
19
19
|
BROKEN = /^#{CONDISP}.*;\s*filename=(#{VALUE})/i
|
20
20
|
MULTIPART_CONTENT_TYPE = /Content-Type: (.*)#{EOL}/ni
|
21
|
-
MULTIPART_CONTENT_DISPOSITION = /Content-Disposition
|
21
|
+
MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:[^:]*;\s*name=(#{VALUE})/ni
|
22
22
|
MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
|
23
23
|
# Updated definitions from RFC 2231
|
24
|
-
ATTRIBUTE_CHAR = %r{[^ \
|
24
|
+
ATTRIBUTE_CHAR = %r{[^ \x00-\x1f\x7f)(><@,;:\\"/\[\]?='*%]}
|
25
25
|
ATTRIBUTE = /#{ATTRIBUTE_CHAR}+/
|
26
26
|
SECTION = /\*[0-9]+/
|
27
27
|
REGULAR_PARAMETER_NAME = /#{ATTRIBUTE}#{SECTION}?/
|
data/lib/rack/query_parser.rb
CHANGED
@@ -16,6 +16,10 @@ module Rack
|
|
16
16
|
# sequence.
|
17
17
|
class InvalidParameterError < ArgumentError; end
|
18
18
|
|
19
|
+
# ParamsTooDeepError is the error that is raised when params are recursively
|
20
|
+
# nested over the specified limit.
|
21
|
+
class ParamsTooDeepError < RangeError; end
|
22
|
+
|
19
23
|
def self.make_default(key_space_limit, param_depth_limit)
|
20
24
|
new Params, key_space_limit, param_depth_limit
|
21
25
|
end
|
@@ -81,7 +85,7 @@ module Rack
|
|
81
85
|
# the structural types represented by two different parameter names are in
|
82
86
|
# conflict, a ParameterTypeError is raised.
|
83
87
|
def normalize_params(params, name, v, depth)
|
84
|
-
raise
|
88
|
+
raise ParamsTooDeepError if depth <= 0
|
85
89
|
|
86
90
|
name =~ %r(\A[\[\]]*([^\[\]]+)\]*)
|
87
91
|
k = $1 || ''
|
@@ -168,7 +172,7 @@ module Rack
|
|
168
172
|
|
169
173
|
def []=(key, value)
|
170
174
|
@size += key.size if key && !@params.key?(key)
|
171
|
-
raise
|
175
|
+
raise ParamsTooDeepError, 'exceeded available parameter key space' if @size > @limit
|
172
176
|
@params[key] = value
|
173
177
|
end
|
174
178
|
|
data/lib/rack/request.rb
CHANGED
@@ -572,8 +572,8 @@ module Rack
|
|
572
572
|
end
|
573
573
|
|
574
574
|
def parse_http_accept_header(header)
|
575
|
-
header.to_s.split(
|
576
|
-
attribute, parameters = part.split(
|
575
|
+
header.to_s.split(",").each(&:strip!).map do |part|
|
576
|
+
attribute, parameters = part.split(";", 2).each(&:strip!)
|
577
577
|
quality = 1.0
|
578
578
|
if parameters and /\Aq=([\d.]+)/ =~ parameters
|
579
579
|
quality = $1.to_f
|
@@ -608,7 +608,7 @@ module Rack
|
|
608
608
|
(?<ip4>[\d\.]+)
|
609
609
|
|
|
610
610
|
# A hostname:
|
611
|
-
(?<name>[a-zA-Z0-9\.\-]+)
|
611
|
+
(?<name>[a-zA-Z0-9\.\-_]+)
|
612
612
|
)
|
613
613
|
# The optional port:
|
614
614
|
(:(?<port>\d+))?
|
data/lib/rack/session/cookie.rb
CHANGED
@@ -4,7 +4,7 @@ require 'openssl'
|
|
4
4
|
require 'zlib'
|
5
5
|
require_relative 'abstract/id'
|
6
6
|
require 'json'
|
7
|
-
require '
|
7
|
+
require 'delegate'
|
8
8
|
|
9
9
|
module Rack
|
10
10
|
|
@@ -50,11 +50,11 @@ module Rack
|
|
50
50
|
# Encode session cookies as Base64
|
51
51
|
class Base64
|
52
52
|
def encode(str)
|
53
|
-
|
53
|
+
[str].pack("m0")
|
54
54
|
end
|
55
55
|
|
56
56
|
def decode(str)
|
57
|
-
|
57
|
+
str.unpack("m").first
|
58
58
|
end
|
59
59
|
|
60
60
|
# Encode session cookies as Marshaled Base64 data
|
data/lib/rack/urlmap.rb
CHANGED
@@ -35,7 +35,7 @@ module Rack
|
|
35
35
|
end
|
36
36
|
|
37
37
|
location = location.chomp('/')
|
38
|
-
match = Regexp.new("^#{Regexp.quote(location).gsub('/', '/+')}(.*)",
|
38
|
+
match = Regexp.new("^#{Regexp.quote(location).gsub('/', '/+')}(.*)", Regexp::NOENCODING)
|
39
39
|
|
40
40
|
[host, location, match, app]
|
41
41
|
}.sort_by do |(host, location, _, _)|
|
data/lib/rack/utils.rb
CHANGED
@@ -22,6 +22,10 @@ module Rack
|
|
22
22
|
COMMON_SEP = QueryParser::COMMON_SEP
|
23
23
|
KeySpaceConstrainedParams = QueryParser::Params
|
24
24
|
|
25
|
+
RFC2822_DAY_NAME = [ 'Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat' ]
|
26
|
+
RFC2822_MONTH_NAME = [ 'Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec' ]
|
27
|
+
RFC2396_PARSER = defined?(URI::RFC2396_PARSER) ? URI::RFC2396_PARSER : URI::RFC2396_Parser.new
|
28
|
+
|
25
29
|
class << self
|
26
30
|
attr_accessor :default_query_parser
|
27
31
|
end
|
@@ -39,13 +43,13 @@ module Rack
|
|
39
43
|
# Like URI escaping, but with %20 instead of +. Strictly speaking this is
|
40
44
|
# true URI escaping.
|
41
45
|
def escape_path(s)
|
42
|
-
|
46
|
+
RFC2396_PARSER.escape s
|
43
47
|
end
|
44
48
|
|
45
49
|
# Unescapes the **path** component of a URI. See Rack::Utils.unescape for
|
46
50
|
# unescaping query parameters or form components.
|
47
51
|
def unescape_path(s)
|
48
|
-
|
52
|
+
RFC2396_PARSER.unescape s
|
49
53
|
end
|
50
54
|
|
51
55
|
# Unescapes a URI escaped string with +encoding+. +encoding+ will be the
|
@@ -55,13 +59,24 @@ module Rack
|
|
55
59
|
end
|
56
60
|
|
57
61
|
class << self
|
58
|
-
attr_accessor :
|
62
|
+
attr_accessor :multipart_total_part_limit
|
63
|
+
|
64
|
+
attr_accessor :multipart_file_limit
|
65
|
+
|
66
|
+
# multipart_part_limit is the original name of multipart_file_limit, but
|
67
|
+
# the limit only counts parts with filenames.
|
68
|
+
alias multipart_part_limit multipart_file_limit
|
69
|
+
alias multipart_part_limit= multipart_file_limit=
|
59
70
|
end
|
60
71
|
|
61
|
-
# The maximum number of parts a request can contain. Accepting too
|
62
|
-
# can lead to the server running out of file handles.
|
72
|
+
# The maximum number of file parts a request can contain. Accepting too
|
73
|
+
# many parts can lead to the server running out of file handles.
|
63
74
|
# Set to `0` for no limit.
|
64
|
-
self.
|
75
|
+
self.multipart_file_limit = (ENV['RACK_MULTIPART_PART_LIMIT'] || ENV['RACK_MULTIPART_FILE_LIMIT'] || 128).to_i
|
76
|
+
|
77
|
+
# The maximum total number of parts a request can contain. Accepting too
|
78
|
+
# many can lead to excessive memory use and parsing time.
|
79
|
+
self.multipart_total_part_limit = (ENV['RACK_MULTIPART_TOTAL_PART_LIMIT'] || 4096).to_i
|
65
80
|
|
66
81
|
def self.param_depth_limit
|
67
82
|
default_query_parser.param_depth_limit
|
@@ -128,8 +143,8 @@ module Rack
|
|
128
143
|
end
|
129
144
|
|
130
145
|
def q_values(q_value_header)
|
131
|
-
q_value_header.to_s.split(
|
132
|
-
value, parameters = part.split(
|
146
|
+
q_value_header.to_s.split(',').map do |part|
|
147
|
+
value, parameters = part.split(';', 2).map(&:strip)
|
133
148
|
quality = 1.0
|
134
149
|
if parameters && (md = /\Aq=([\d.]+)/.match(parameters))
|
135
150
|
quality = md[1].to_f
|
@@ -327,8 +342,8 @@ module Rack
|
|
327
342
|
# weekday and month.
|
328
343
|
#
|
329
344
|
def rfc2109(time)
|
330
|
-
wday =
|
331
|
-
mon =
|
345
|
+
wday = RFC2822_DAY_NAME[time.wday]
|
346
|
+
mon = RFC2822_MONTH_NAME[time.mon - 1]
|
332
347
|
time.strftime("#{wday}, %d-#{mon}-%Y %H:%M:%S GMT")
|
333
348
|
end
|
334
349
|
|
@@ -345,17 +360,18 @@ module Rack
|
|
345
360
|
return nil unless http_range && http_range =~ /bytes=([^;]+)/
|
346
361
|
ranges = []
|
347
362
|
$1.split(/,\s*/).each do |range_spec|
|
348
|
-
return nil
|
349
|
-
|
350
|
-
|
351
|
-
|
363
|
+
return nil unless range_spec.include?('-')
|
364
|
+
range = range_spec.split('-')
|
365
|
+
r0, r1 = range[0], range[1]
|
366
|
+
if r0.nil? || r0.empty?
|
367
|
+
return nil if r1.nil?
|
352
368
|
# suffix-byte-range-spec, represents trailing suffix of file
|
353
369
|
r0 = size - r1.to_i
|
354
370
|
r0 = 0 if r0 < 0
|
355
371
|
r1 = size - 1
|
356
372
|
else
|
357
373
|
r0 = r0.to_i
|
358
|
-
if r1.
|
374
|
+
if r1.nil?
|
359
375
|
r1 = size - 1
|
360
376
|
else
|
361
377
|
r1 = r1.to_i
|
@@ -365,6 +381,9 @@ module Rack
|
|
365
381
|
end
|
366
382
|
ranges << (r0..r1) if r0 <= r1
|
367
383
|
end
|
384
|
+
|
385
|
+
return [] if ranges.map(&:size).inject(0, :+) > size
|
386
|
+
|
368
387
|
ranges
|
369
388
|
end
|
370
389
|
|
data/lib/rack/version.rb
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: rack
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 2.2.
|
4
|
+
version: 2.2.10
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Leah Neukirchen
|
8
|
-
autorequire:
|
8
|
+
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2024-10-14 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: minitest
|
@@ -169,7 +169,7 @@ metadata:
|
|
169
169
|
changelog_uri: https://github.com/rack/rack/blob/master/CHANGELOG.md
|
170
170
|
documentation_uri: https://rubydoc.info/github/rack/rack
|
171
171
|
source_code_uri: https://github.com/rack/rack
|
172
|
-
post_install_message:
|
172
|
+
post_install_message:
|
173
173
|
rdoc_options: []
|
174
174
|
require_paths:
|
175
175
|
- lib
|
@@ -184,8 +184,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
184
184
|
- !ruby/object:Gem::Version
|
185
185
|
version: '0'
|
186
186
|
requirements: []
|
187
|
-
rubygems_version: 3.
|
188
|
-
signing_key:
|
187
|
+
rubygems_version: 3.5.11
|
188
|
+
signing_key:
|
189
189
|
specification_version: 4
|
190
190
|
summary: A modular Ruby webserver interface.
|
191
191
|
test_files: []
|