rack 2.2.3 → 2.2.3.1

Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 0b7c25cb392fb659dc54ab275c38e8d838c4357b046f59ff44698d6110129e85
4
- data.tar.gz: 1f8fbe6d0923969234e772409a98ed6e0a5f0d10efed6a76ac80902257a5bd90
3
+ metadata.gz: cd07394d5db5fbf3068cc076eea4059190c06a6e466de13383400bec4ff12e52
4
+ data.tar.gz: ae077819a035b88761b3fffe4f48d948c05e88d2b4942a6589216d929936a47d
5
5
  SHA512:
6
- metadata.gz: 9021496ff7dce72833074adc1963a0cc5a96bfc14a162cc56d7c54441c3f17de61804f687943a0d07ebe58399c92db540d322576010b4e47c375cdd9aec7d09d
7
- data.tar.gz: b668e5359266b7ad36387bddd7db329968b5a38ef10290ef22da30e2f7edd082ffebc9e864cc44f09cfb51b491111d27ff1a55a3fa011ad3d45aa6374a8ccb3c
6
+ metadata.gz: 405db34fbc0eca9a8cf15a7887c73a939b33fc25b1283fbc4791a2fbd25053565a19ad891c0b3704b0120157b118997a08b627b856de1dfc088705759930ced2
7
+ data.tar.gz: 98d7b2f6277118a8fa4b7dd7f43eafbc5c4724474b1bb481f798df97b688ec13b61d821d62c04f5839a96ffd298d4a6a2e22f6e2be6d54b0f8485bee37372bc7
data/CHANGELOG.md CHANGED
@@ -2,6 +2,11 @@
2
2
 
3
3
  All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
4
4
 
5
+ ## [2.2.3.1] - 2022-05-27
6
+
7
+ - [CVE-2022-30123] Fix shell escaping issue in Common Logger
8
+ - [CVE-2022-30122] Restrict parsing of broken MIME attachments
9
+
5
10
  ## [2.2.3] - 2020-02-11
6
11
 
7
12
  - [CVE-2020-8184] Only decode cookie values
data/SPEC.rdoc CHANGED
@@ -42,18 +42,17 @@ below.
42
42
  <tt>QUERY_STRING</tt>:: The portion of the request URL that
43
43
  follows the <tt>?</tt>, if any. May be
44
44
  empty, but is always required!
45
- <tt>SERVER_NAME</tt>:: When combined with <tt>SCRIPT_NAME</tt> and
45
+ <tt>SERVER_NAME</tt>, <tt>SERVER_PORT</tt>::
46
+ When combined with <tt>SCRIPT_NAME</tt> and
46
47
  <tt>PATH_INFO</tt>, these variables can be
47
48
  used to complete the URL. Note, however,
48
49
  that <tt>HTTP_HOST</tt>, if present,
49
50
  should be used in preference to
50
51
  <tt>SERVER_NAME</tt> for reconstructing
51
52
  the request URL.
52
- <tt>SERVER_NAME</tt> can never be an empty
53
- string, and so is always required.
54
- <tt>SERVER_PORT</tt>:: An optional +Integer+ which is the port the
55
- server is running on. Should be specified if
56
- the server is running on a non-standard port.
53
+ <tt>SERVER_NAME</tt> and <tt>SERVER_PORT</tt>
54
+ can never be empty strings, and so
55
+ are always required.
57
56
  <tt>HTTP_</tt> Variables:: Variables corresponding to the
58
57
  client-supplied HTTP request
59
58
  headers (i.e., variables whose
@@ -123,9 +122,6 @@ and should be prefixed uniquely. The prefix <tt>rack.</tt>
123
122
  is reserved for use with the Rack core distribution and other
124
123
  accepted specifications and must not be used otherwise.
125
124
 
126
- The <tt>SERVER_PORT</tt> must be an Integer if set.
127
- The <tt>SERVER_NAME</tt> must be a valid authority as defined by RFC7540.
128
- The <tt>HTTP_HOST</tt> must be a valid authority as defined by RFC7540.
129
125
  The environment must not contain the keys
130
126
  <tt>HTTP_CONTENT_TYPE</tt> or <tt>HTTP_CONTENT_LENGTH</tt>
131
127
  (use the versions without <tt>HTTP_</tt>).
@@ -60,7 +60,10 @@ module Rack
60
60
  length,
61
61
  Utils.clock_time - began_at ]
62
62
 
63
+ msg.gsub!(/[^[:print:]\n]/) { |c| "\\x#{c.ord}" }
64
+
63
65
  logger = @logger || env[RACK_ERRORS]
66
+
64
67
  # Standard library logger doesn't support write but it supports << which actually
65
68
  # calls to write on the log device without formatting
66
69
  if logger.respond_to?(:write)
data/lib/rack/lint.rb CHANGED
@@ -337,7 +337,7 @@ module Rack
337
337
  check_hijack env
338
338
 
339
339
  ## * The <tt>REQUEST_METHOD</tt> must be a valid token.
340
- assert("REQUEST_METHOD unknown: #{env[REQUEST_METHOD]}") {
340
+ assert("REQUEST_METHOD unknown: #{env[REQUEST_METHOD].dump}") {
341
341
  env[REQUEST_METHOD] =~ /\A[0-9A-Za-z!\#$%&'*+.^_`|~-]+\z/
342
342
  }
343
343
 
@@ -301,8 +301,9 @@ module Rack
301
301
  elsif filename = params['filename*']
302
302
  encoding, _, filename = filename.split("'", 3)
303
303
  end
304
- when BROKEN_QUOTED, BROKEN_UNQUOTED
304
+ when BROKEN
305
305
  filename = $1
306
+ filename = $1 if filename =~ /^"(.*)"$/
306
307
  end
307
308
 
308
309
  return unless filename
@@ -16,8 +16,7 @@ module Rack
16
16
  TOKEN = /[^\s()<>,;:\\"\/\[\]?=]+/
17
17
  CONDISP = /Content-Disposition:\s*#{TOKEN}\s*/i
18
18
  VALUE = /"(?:\\"|[^"])*"|#{TOKEN}/
19
- BROKEN_QUOTED = /^#{CONDISP}.*;\s*filename="(.*?)"(?:\s*$|\s*;\s*#{TOKEN}=)/i
20
- BROKEN_UNQUOTED = /^#{CONDISP}.*;\s*filename=(#{TOKEN})/i
19
+ BROKEN = /^#{CONDISP}.*;\s*filename=(#{VALUE})/i
21
20
  MULTIPART_CONTENT_TYPE = /Content-Type: (.*)#{EOL}/ni
22
21
  MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:.*;\s*name=(#{VALUE})/ni
23
22
  MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
data/lib/rack/version.rb CHANGED
@@ -20,7 +20,7 @@ module Rack
20
20
  VERSION.join(".")
21
21
  end
22
22
 
23
- RELEASE = "2.2.3"
23
+ RELEASE = "2.2.3.1"
24
24
 
25
25
  # Return the Rack release as a dotted string.
26
26
  def self.release
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rack
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.2.3
4
+ version: 2.2.3.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Leah Neukirchen
8
- autorequire:
8
+ autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2020-06-15 00:00:00.000000000 Z
11
+ date: 2022-05-27 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: minitest
@@ -169,7 +169,7 @@ metadata:
169
169
  changelog_uri: https://github.com/rack/rack/blob/master/CHANGELOG.md
170
170
  documentation_uri: https://rubydoc.info/github/rack/rack
171
171
  source_code_uri: https://github.com/rack/rack
172
- post_install_message:
172
+ post_install_message:
173
173
  rdoc_options: []
174
174
  require_paths:
175
175
  - lib
@@ -184,8 +184,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
184
184
  - !ruby/object:Gem::Version
185
185
  version: '0'
186
186
  requirements: []
187
- rubygems_version: 3.2.0.pre1
188
- signing_key:
187
+ rubygems_version: 3.0.3.1
188
+ signing_key:
189
189
  specification_version: 4
190
190
  summary: A modular Ruby webserver interface.
191
191
  test_files: []