rack 2.2.3 → 2.2.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of rack might be problematic. Click here for more details.

Files changed (9) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +5 -0
  3. data/SPEC.rdoc +5 -9
  4. data/lib/rack/common_logger.rb +3 -0
  5. data/lib/rack/lint.rb +1 -1
  6. data/lib/rack/multipart/parser.rb +2 -1
  7. data/lib/rack/multipart.rb +1 -2
  8. data/lib/rack/version.rb +1 -1
  9. metadata +6 -6
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 0b7c25cb392fb659dc54ab275c38e8d838c4357b046f59ff44698d6110129e85
4
- data.tar.gz: 1f8fbe6d0923969234e772409a98ed6e0a5f0d10efed6a76ac80902257a5bd90
3
+ metadata.gz: cd07394d5db5fbf3068cc076eea4059190c06a6e466de13383400bec4ff12e52
4
+ data.tar.gz: ae077819a035b88761b3fffe4f48d948c05e88d2b4942a6589216d929936a47d
5
5
  SHA512:
6
- metadata.gz: 9021496ff7dce72833074adc1963a0cc5a96bfc14a162cc56d7c54441c3f17de61804f687943a0d07ebe58399c92db540d322576010b4e47c375cdd9aec7d09d
7
- data.tar.gz: b668e5359266b7ad36387bddd7db329968b5a38ef10290ef22da30e2f7edd082ffebc9e864cc44f09cfb51b491111d27ff1a55a3fa011ad3d45aa6374a8ccb3c
6
+ metadata.gz: 405db34fbc0eca9a8cf15a7887c73a939b33fc25b1283fbc4791a2fbd25053565a19ad891c0b3704b0120157b118997a08b627b856de1dfc088705759930ced2
7
+ data.tar.gz: 98d7b2f6277118a8fa4b7dd7f43eafbc5c4724474b1bb481f798df97b688ec13b61d821d62c04f5839a96ffd298d4a6a2e22f6e2be6d54b0f8485bee37372bc7
data/CHANGELOG.md CHANGED
@@ -2,6 +2,11 @@
2
2
 
3
3
  All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
4
4
 
5
+ ## [2.2.3.1] - 2022-05-27
6
+
7
+ - [CVE-2022-30123] Fix shell escaping issue in Common Logger
8
+ - [CVE-2022-30122] Restrict parsing of broken MIME attachments
9
+
5
10
  ## [2.2.3] - 2020-02-11
6
11
 
7
12
  - [CVE-2020-8184] Only decode cookie values
data/SPEC.rdoc CHANGED
@@ -42,18 +42,17 @@ below.
42
42
  <tt>QUERY_STRING</tt>:: The portion of the request URL that
43
43
  follows the <tt>?</tt>, if any. May be
44
44
  empty, but is always required!
45
- <tt>SERVER_NAME</tt>:: When combined with <tt>SCRIPT_NAME</tt> and
45
+ <tt>SERVER_NAME</tt>, <tt>SERVER_PORT</tt>::
46
+ When combined with <tt>SCRIPT_NAME</tt> and
46
47
  <tt>PATH_INFO</tt>, these variables can be
47
48
  used to complete the URL. Note, however,
48
49
  that <tt>HTTP_HOST</tt>, if present,
49
50
  should be used in preference to
50
51
  <tt>SERVER_NAME</tt> for reconstructing
51
52
  the request URL.
52
- <tt>SERVER_NAME</tt> can never be an empty
53
- string, and so is always required.
54
- <tt>SERVER_PORT</tt>:: An optional +Integer+ which is the port the
55
- server is running on. Should be specified if
56
- the server is running on a non-standard port.
53
+ <tt>SERVER_NAME</tt> and <tt>SERVER_PORT</tt>
54
+ can never be empty strings, and so
55
+ are always required.
57
56
  <tt>HTTP_</tt> Variables:: Variables corresponding to the
58
57
  client-supplied HTTP request
59
58
  headers (i.e., variables whose
@@ -123,9 +122,6 @@ and should be prefixed uniquely. The prefix <tt>rack.</tt>
123
122
  is reserved for use with the Rack core distribution and other
124
123
  accepted specifications and must not be used otherwise.
125
124
 
126
- The <tt>SERVER_PORT</tt> must be an Integer if set.
127
- The <tt>SERVER_NAME</tt> must be a valid authority as defined by RFC7540.
128
- The <tt>HTTP_HOST</tt> must be a valid authority as defined by RFC7540.
129
125
  The environment must not contain the keys
130
126
  <tt>HTTP_CONTENT_TYPE</tt> or <tt>HTTP_CONTENT_LENGTH</tt>
131
127
  (use the versions without <tt>HTTP_</tt>).
data/lib/rack/common_logger.rb CHANGED
@@ -60,7 +60,10 @@ module Rack
60
60
  length,
61
61
  Utils.clock_time - began_at ]
62
62
 
63
+ msg.gsub!(/[^[:print:]\n]/) { |c| "\\x#{c.ord}" }
64
+
63
65
  logger = @logger || env[RACK_ERRORS]
66
+
64
67
  # Standard library logger doesn't support write but it supports << which actually
65
68
  # calls to write on the log device without formatting
66
69
  if logger.respond_to?(:write)
data/lib/rack/lint.rb CHANGED
@@ -337,7 +337,7 @@ module Rack
337
337
  check_hijack env
338
338
 
339
339
  ## * The <tt>REQUEST_METHOD</tt> must be a valid token.
340
- assert("REQUEST_METHOD unknown: #{env[REQUEST_METHOD]}") {
340
+ assert("REQUEST_METHOD unknown: #{env[REQUEST_METHOD].dump}") {
341
341
  env[REQUEST_METHOD] =~ /\A[0-9A-Za-z!\#$%&'*+.^_`|~-]+\z/
342
342
  }
343
343
 
data/lib/rack/multipart/parser.rb CHANGED
@@ -301,8 +301,9 @@ module Rack
301
301
  elsif filename = params['filename*']
302
302
  encoding, _, filename = filename.split("'", 3)
303
303
  end
304
- when BROKEN_QUOTED, BROKEN_UNQUOTED
304
+ when BROKEN
305
305
  filename = $1
306
+ filename = $1 if filename =~ /^"(.*)"$/
306
307
  end
307
308
 
308
309
  return unless filename
data/lib/rack/multipart.rb CHANGED
@@ -16,8 +16,7 @@ module Rack
16
16
  TOKEN = /[^\s()<>,;:\\"\/\[\]?=]+/
17
17
  CONDISP = /Content-Disposition:\s*#{TOKEN}\s*/i
18
18
  VALUE = /"(?:\\"|[^"])*"|#{TOKEN}/
19
- BROKEN_QUOTED = /^#{CONDISP}.*;\s*filename="(.*?)"(?:\s*$|\s*;\s*#{TOKEN}=)/i
20
- BROKEN_UNQUOTED = /^#{CONDISP}.*;\s*filename=(#{TOKEN})/i
19
+ BROKEN = /^#{CONDISP}.*;\s*filename=(#{VALUE})/i
21
20
  MULTIPART_CONTENT_TYPE = /Content-Type: (.*)#{EOL}/ni
22
21
  MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:.*;\s*name=(#{VALUE})/ni
23
22
  MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
data/lib/rack/version.rb CHANGED
@@ -20,7 +20,7 @@ module Rack
20
20
  VERSION.join(".")
21
21
  end
22
22
 
23
- RELEASE = "2.2.3"
23
+ RELEASE = "2.2.3.1"
24
24
 
25
25
  # Return the Rack release as a dotted string.
26
26
  def self.release
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rack
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.2.3
4
+ version: 2.2.3.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Leah Neukirchen
8
- autorequire:
8
+ autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2020-06-15 00:00:00.000000000 Z
11
+ date: 2022-05-27 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: minitest
@@ -169,7 +169,7 @@ metadata:
169
169
  changelog_uri: https://github.com/rack/rack/blob/master/CHANGELOG.md
170
170
  documentation_uri: https://rubydoc.info/github/rack/rack
171
171
  source_code_uri: https://github.com/rack/rack
172
- post_install_message:
172
+ post_install_message:
173
173
  rdoc_options: []
174
174
  require_paths:
175
175
  - lib
@@ -184,8 +184,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
184
184
  - !ruby/object:Gem::Version
185
185
  version: '0'
186
186
  requirements: []
187
- rubygems_version: 3.2.0.pre1
188
- signing_key:
187
+ rubygems_version: 3.0.3.1
188
+ signing_key:
189
189
  specification_version: 4
190
190
  summary: A modular Ruby webserver interface.
191
191
  test_files: []