rack 2.2.3.1 → 2.2.6.2

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.

This version of rack might be problematic. Click here for more details.

Files changed (11) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +28 -0
  3. data/lib/rack/etag.rb +2 -0
  4. data/lib/rack/lint.rb +2 -2
  5. data/lib/rack/method_override.rb +1 -1
  6. data/lib/rack/multipart.rb +2 -2
  7. data/lib/rack/query_parser.rb +6 -2
  8. data/lib/rack/urlmap.rb +1 -1
  9. data/lib/rack/utils.rb +11 -7
  10. data/lib/rack/version.rb +1 -1
  11. metadata +6 -6
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: cd07394d5db5fbf3068cc076eea4059190c06a6e466de13383400bec4ff12e52
4
- data.tar.gz: ae077819a035b88761b3fffe4f48d948c05e88d2b4942a6589216d929936a47d
3
+ metadata.gz: 58f641d1882668bf5e150710676e3067def0089d87706cf4b233b11eb5e36cc7
4
+ data.tar.gz: 1ea7a963d41498945e0377b9637ca37df23c9fa41139e83517b37de512be41d7
5
5
  SHA512:
6
- metadata.gz: 405db34fbc0eca9a8cf15a7887c73a939b33fc25b1283fbc4791a2fbd25053565a19ad891c0b3704b0120157b118997a08b627b856de1dfc088705759930ced2
7
- data.tar.gz: 98d7b2f6277118a8fa4b7dd7f43eafbc5c4724474b1bb481f798df97b688ec13b61d821d62c04f5839a96ffd298d4a6a2e22f6e2be6d54b0f8485bee37372bc7
6
+ metadata.gz: cafc52d78b4b998df9a973915ccd925de929d9b3b263369c76d3c3efb46d636752dd7260947507c3b4a5a51bab628c007567ef5e5b0759b8b59753ecab93c0f3
7
+ data.tar.gz: c161e73e76fea22a0ef5b4c53c747a63591975c417e426697694d399f204806e6e39ff45e382f7f1938b3c8add90f4492c0c5d754d57685cfc12b486b8ef897f
data/CHANGELOG.md CHANGED
@@ -2,13 +2,41 @@
2
2
 
3
3
  All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
4
4
 
5
+ ## [2.2.6.2] - 2022-01-17
6
+
7
+ - [CVE-2022-44570] Fix ReDoS in Rack::Utils.get_byte_ranges
8
+
9
+ ## [2.2.6.1] - 2022-01-17
10
+
11
+ - [CVE-2022-44571] Fix ReDoS vulnerability in multipart parser
12
+ - [CVE-2022-44572] Forbid control characters in attributes (also ReDoS)
13
+
14
+ ## [2.2.6] - 2022-01-17
15
+
16
+ - Extend `Rack::MethodOverride` to handle `QueryParser::ParamsTooDeepError` error. ([#2011](https://github.com/rack/rack/pull/2011), [@byroot](https://github.com/byroot))
17
+
18
+ ## [2.2.5] - 2022-12-27
19
+
20
+ ### Fixed
21
+
22
+ - `Rack::URLMap` uses non-deprecated form of `Regexp.new`. ([#1998](https://github.com/rack/rack/pull/1998), [@weizheheng](https://github.com/weizheheng))
23
+
24
+ ## [2.2.4] - 2022-06-30
25
+
26
+ - Better support for lower case headers in `Rack::ETag` middleware. ([#1919](https://github.com/rack/rack/pull/1919), [@ioquatix](https://github.com/ioquatix))
27
+ - Use custom exception on params too deep error. ([#1838](https://github.com/rack/rack/pull/1838), [@simi](https://github.com/simi))
28
+
5
29
  ## [2.2.3.1] - 2022-05-27
6
30
 
31
+ ### Security
32
+
7
33
  - [CVE-2022-30123] Fix shell escaping issue in Common Logger
8
34
  - [CVE-2022-30122] Restrict parsing of broken MIME attachments
9
35
 
10
36
  ## [2.2.3] - 2020-02-11
11
37
 
38
+ ### Security
39
+
12
40
  - [CVE-2020-8184] Only decode cookie values
13
41
 
14
42
  ## [2.2.2] - 2020-02-11
data/lib/rack/etag.rb CHANGED
@@ -26,6 +26,8 @@ module Rack
26
26
  def call(env)
27
27
  status, headers, body = @app.call(env)
28
28
 
29
+ headers = Utils::HeaderHash[headers]
30
+
29
31
  if etag_status?(status) && etag_body?(body) && !skip_caching?(headers)
30
32
  original_body = body
31
33
  digest, new_body = digest_body(body)
data/lib/rack/lint.rb CHANGED
@@ -48,10 +48,10 @@ module Rack
48
48
 
49
49
  ## and returns an Array of exactly three values:
50
50
  ary = @app.call(env)
51
- assert("response #{ary.inspect} is not an Array , but #{ary.class}") {
51
+ assert("response is not an Array, but #{ary.class}") {
52
52
  ary.kind_of? Array
53
53
  }
54
- assert("response array #{ary.inspect} has #{ary.size} elements instead of 3") {
54
+ assert("response array has #{ary.size} elements instead of 3") {
55
55
  ary.size == 3
56
56
  }
57
57
 
data/lib/rack/method_override.rb CHANGED
@@ -43,7 +43,7 @@ module Rack
43
43
 
44
44
  def method_override_param(req)
45
45
  req.POST[METHOD_OVERRIDE_PARAM_KEY]
46
- rescue Utils::InvalidParameterError, Utils::ParameterTypeError
46
+ rescue Utils::InvalidParameterError, Utils::ParameterTypeError, QueryParser::ParamsTooDeepError
47
47
  req.get_header(RACK_ERRORS).puts "Invalid or incomplete POST params"
48
48
  rescue EOFError
49
49
  req.get_header(RACK_ERRORS).puts "Bad request content body"
data/lib/rack/multipart.rb CHANGED
@@ -18,10 +18,10 @@ module Rack
18
18
  VALUE = /"(?:\\"|[^"])*"|#{TOKEN}/
19
19
  BROKEN = /^#{CONDISP}.*;\s*filename=(#{VALUE})/i
20
20
  MULTIPART_CONTENT_TYPE = /Content-Type: (.*)#{EOL}/ni
21
- MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:.*;\s*name=(#{VALUE})/ni
21
+ MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:[^:]*;\s*name=(#{VALUE})/ni
22
22
  MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
23
23
  # Updated definitions from RFC 2231
24
- ATTRIBUTE_CHAR = %r{[^ \t\v\n\r)(><@,;:\\"/\[\]?='*%]}
24
+ ATTRIBUTE_CHAR = %r{[^ \x00-\x1f\x7f)(><@,;:\\"/\[\]?='*%]}
25
25
  ATTRIBUTE = /#{ATTRIBUTE_CHAR}+/
26
26
  SECTION = /\*[0-9]+/
27
27
  REGULAR_PARAMETER_NAME = /#{ATTRIBUTE}#{SECTION}?/
data/lib/rack/query_parser.rb CHANGED
@@ -16,6 +16,10 @@ module Rack
16
16
  # sequence.
17
17
  class InvalidParameterError < ArgumentError; end
18
18
 
19
+ # ParamsTooDeepError is the error that is raised when params are recursively
20
+ # nested over the specified limit.
21
+ class ParamsTooDeepError < RangeError; end
22
+
19
23
  def self.make_default(key_space_limit, param_depth_limit)
20
24
  new Params, key_space_limit, param_depth_limit
21
25
  end
@@ -81,7 +85,7 @@ module Rack
81
85
  # the structural types represented by two different parameter names are in
82
86
  # conflict, a ParameterTypeError is raised.
83
87
  def normalize_params(params, name, v, depth)
84
- raise RangeError if depth <= 0
88
+ raise ParamsTooDeepError if depth <= 0
85
89
 
86
90
  name =~ %r(\A[\[\]]*([^\[\]]+)\]*)
87
91
  k = $1 || ''
@@ -168,7 +172,7 @@ module Rack
168
172
 
169
173
  def []=(key, value)
170
174
  @size += key.size if key && !@params.key?(key)
171
- raise RangeError, 'exceeded available parameter key space' if @size > @limit
175
+ raise ParamsTooDeepError, 'exceeded available parameter key space' if @size > @limit
172
176
  @params[key] = value
173
177
  end
174
178
 
data/lib/rack/urlmap.rb CHANGED
@@ -35,7 +35,7 @@ module Rack
35
35
  end
36
36
 
37
37
  location = location.chomp('/')
38
- match = Regexp.new("^#{Regexp.quote(location).gsub('/', '/+')}(.*)", nil, 'n')
38
+ match = Regexp.new("^#{Regexp.quote(location).gsub('/', '/+')}(.*)", Regexp::NOENCODING)
39
39
 
40
40
  [host, location, match, app]
41
41
  }.sort_by do |(host, location, _, _)|
data/lib/rack/utils.rb CHANGED
@@ -22,6 +22,9 @@ module Rack
22
22
  COMMON_SEP = QueryParser::COMMON_SEP
23
23
  KeySpaceConstrainedParams = QueryParser::Params
24
24
 
25
+ RFC2822_DAY_NAME = [ 'Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat' ]
26
+ RFC2822_MONTH_NAME = [ 'Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec' ]
27
+
25
28
  class << self
26
29
  attr_accessor :default_query_parser
27
30
  end
@@ -327,8 +330,8 @@ module Rack
327
330
  # weekday and month.
328
331
  #
329
332
  def rfc2109(time)
330
- wday = Time::RFC2822_DAY_NAME[time.wday]
331
- mon = Time::RFC2822_MONTH_NAME[time.mon - 1]
333
+ wday = RFC2822_DAY_NAME[time.wday]
334
+ mon = RFC2822_MONTH_NAME[time.mon - 1]
332
335
  time.strftime("#{wday}, %d-#{mon}-%Y %H:%M:%S GMT")
333
336
  end
334
337
 
@@ -345,17 +348,18 @@ module Rack
345
348
  return nil unless http_range && http_range =~ /bytes=([^;]+)/
346
349
  ranges = []
347
350
  $1.split(/,\s*/).each do |range_spec|
348
- return nil unless range_spec =~ /(\d*)-(\d*)/
349
- r0, r1 = $1, $2
350
- if r0.empty?
351
- return nil if r1.empty?
351
+ return nil unless range_spec.include?('-')
352
+ range = range_spec.split('-')
353
+ r0, r1 = range[0], range[1]
354
+ if r0.nil? || r0.empty?
355
+ return nil if r1.nil?
352
356
  # suffix-byte-range-spec, represents trailing suffix of file
353
357
  r0 = size - r1.to_i
354
358
  r0 = 0 if r0 < 0
355
359
  r1 = size - 1
356
360
  else
357
361
  r0 = r0.to_i
358
- if r1.empty?
362
+ if r1.nil?
359
363
  r1 = size - 1
360
364
  else
361
365
  r1 = r1.to_i
data/lib/rack/version.rb CHANGED
@@ -20,7 +20,7 @@ module Rack
20
20
  VERSION.join(".")
21
21
  end
22
22
 
23
- RELEASE = "2.2.3.1"
23
+ RELEASE = "2.2.6.2"
24
24
 
25
25
  # Return the Rack release as a dotted string.
26
26
  def self.release
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rack
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.2.3.1
4
+ version: 2.2.6.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Leah Neukirchen
8
- autorequire:
8
+ autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2022-05-27 00:00:00.000000000 Z
11
+ date: 2023-01-17 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: minitest
@@ -169,7 +169,7 @@ metadata:
169
169
  changelog_uri: https://github.com/rack/rack/blob/master/CHANGELOG.md
170
170
  documentation_uri: https://rubydoc.info/github/rack/rack
171
171
  source_code_uri: https://github.com/rack/rack
172
- post_install_message:
172
+ post_install_message:
173
173
  rdoc_options: []
174
174
  require_paths:
175
175
  - lib
@@ -184,8 +184,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
184
184
  - !ruby/object:Gem::Version
185
185
  version: '0'
186
186
  requirements: []
187
- rubygems_version: 3.0.3.1
188
- signing_key:
187
+ rubygems_version: 3.5.0.dev
188
+ signing_key:
189
189
  specification_version: 4
190
190
  summary: A modular Ruby webserver interface.
191
191
  test_files: []