rack 2.2.6.2 → 2.2.6.3
- checksums.yaml +4 -4
 - data/CHANGELOG.md +4 -0
 - data/README.rdoc +17 -3
 - data/lib/rack/multipart/parser.rb +15 -4
 - data/lib/rack/utils.rb +15 -4
 - data/lib/rack/version.rb +1 -1
 - metadata +3 -3
 
    
        checksums.yaml
    CHANGED
    
    | 
         @@ -1,7 +1,7 @@ 
     | 
|
| 
       1 
1 
     | 
    
         
             
            ---
         
     | 
| 
       2 
2 
     | 
    
         
             
            SHA256:
         
     | 
| 
       3 
     | 
    
         
            -
              metadata.gz:  
     | 
| 
       4 
     | 
    
         
            -
              data.tar.gz:  
     | 
| 
      
 3 
     | 
    
         
            +
              metadata.gz: d517f89e9d4a3b285e9c2ff8237b9b2be6b3e0f22ca3cae561c25abcf26f8295
         
     | 
| 
      
 4 
     | 
    
         
            +
              data.tar.gz: 4624db01efdb9f726474cf11d9367980035e5de69e73914438f08fae8027da21
         
     | 
| 
       5 
5 
     | 
    
         
             
            SHA512:
         
     | 
| 
       6 
     | 
    
         
            -
              metadata.gz:  
     | 
| 
       7 
     | 
    
         
            -
              data.tar.gz:  
     | 
| 
      
 6 
     | 
    
         
            +
              metadata.gz: ed9122b13f58ea985d68404d486a55f892d306d4310692e9a28ce5cd9b76884486ae1e1f100b5792dffc945e9d2f3a01b9fb58b68fdfea7e7bdb80a93a3e8c35
         
     | 
| 
      
 7 
     | 
    
         
            +
              data.tar.gz: c5b179332ac41def44c3e2e03571b2b8115bb4e18f54e69643495176bc084d96f27d2a827b3e7564ce74cd2a7f4c4bec974b57d58cdced78e5e01e2de20d075b
         
     | 
    
        data/CHANGELOG.md
    CHANGED
    
    | 
         @@ -2,6 +2,10 @@ 
     | 
|
| 
       2 
2 
     | 
    
         | 
| 
       3 
3 
     | 
    
         
             
            All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
         
     | 
| 
       4 
4 
     | 
    
         | 
| 
      
 5 
     | 
    
         
            +
            ## [2.2.6.3] - 2023-03-02
         
     | 
| 
      
 6 
     | 
    
         
            +
             
     | 
| 
      
 7 
     | 
    
         
            +
            - [CVE-2023-27530] Introduce multipart_total_part_limit to limit total parts
         
     | 
| 
      
 8 
     | 
    
         
            +
             
     | 
| 
       5 
9 
     | 
    
         
             
            ## [2.2.6.2] - 2022-01-17
         
     | 
| 
       6 
10 
     | 
    
         | 
| 
       7 
11 
     | 
    
         
             
            - [CVE-2022-44570] Fix ReDoS in Rack::Utils.get_byte_ranges
         
     | 
    
        data/README.rdoc
    CHANGED
    
    | 
         @@ -202,16 +202,30 @@ Limiting the depth prevents a possible stack overflow when parsing parameters. 
     | 
|
| 
       202 
202 
     | 
    
         | 
| 
       203 
203 
     | 
    
         
             
            Defaults to 100.
         
     | 
| 
       204 
204 
     | 
    
         | 
| 
       205 
     | 
    
         
            -
            ===  
     | 
| 
      
 205 
     | 
    
         
            +
            === multipart_file_limit
         
     | 
| 
       206 
206 
     | 
    
         | 
| 
       207 
     | 
    
         
            -
            The maximum number of parts a request can contain.
         
     | 
| 
      
 207 
     | 
    
         
            +
            The maximum number of parts with a filename a request can contain.
         
     | 
| 
       208 
208 
     | 
    
         
             
            Accepting too many part can lead to the server running out of file handles.
         
     | 
| 
       209 
209 
     | 
    
         | 
| 
       210 
210 
     | 
    
         
             
            The default is 128, which means that a single request can't upload more than 128 files at once.
         
     | 
| 
       211 
211 
     | 
    
         | 
| 
       212 
212 
     | 
    
         
             
            Set to 0 for no limit.
         
     | 
| 
       213 
213 
     | 
    
         | 
| 
       214 
     | 
    
         
            -
            Can also be set via the + 
     | 
| 
      
 214 
     | 
    
         
            +
            Can also be set via the +RACK_MULTIPART_FILE_LIMIT+ environment variable.
         
     | 
| 
      
 215 
     | 
    
         
            +
             
     | 
| 
      
 216 
     | 
    
         
            +
            (This is also aliased as +multipart_part_limit+ and +RACK_MULTIPART_PART_LIMIT+ for compatibility)
         
     | 
| 
      
 217 
     | 
    
         
            +
             
     | 
| 
      
 218 
     | 
    
         
            +
            === multipart_total_part_limit
         
     | 
| 
      
 219 
     | 
    
         
            +
             
     | 
| 
      
 220 
     | 
    
         
            +
            The maximum total number of parts a request can contain of any type, including
         
     | 
| 
      
 221 
     | 
    
         
            +
            both file and non-file form fields.
         
     | 
| 
      
 222 
     | 
    
         
            +
             
     | 
| 
      
 223 
     | 
    
         
            +
            The default is 4096, which means that a single request can't contain more than
         
     | 
| 
      
 224 
     | 
    
         
            +
            4096 parts.
         
     | 
| 
      
 225 
     | 
    
         
            +
             
     | 
| 
      
 226 
     | 
    
         
            +
            Set to 0 for no limit.
         
     | 
| 
      
 227 
     | 
    
         
            +
             
     | 
| 
      
 228 
     | 
    
         
            +
            Can also be set via the +RACK_MULTIPART_TOTAL_PART_LIMIT+ environment variable.
         
     | 
| 
       215 
229 
     | 
    
         | 
| 
       216 
230 
     | 
    
         
             
            == Changelog
         
     | 
| 
       217 
231 
     | 
    
         | 
| 
         @@ -5,6 +5,7 @@ require 'strscan' 
     | 
|
| 
       5 
5 
     | 
    
         
             
            module Rack
         
     | 
| 
       6 
6 
     | 
    
         
             
              module Multipart
         
     | 
| 
       7 
7 
     | 
    
         
             
                class MultipartPartLimitError < Errno::EMFILE; end
         
     | 
| 
      
 8 
     | 
    
         
            +
                class MultipartTotalPartLimitError < StandardError; end
         
     | 
| 
       8 
9 
     | 
    
         | 
| 
       9 
10 
     | 
    
         
             
                class Parser
         
     | 
| 
       10 
11 
     | 
    
         
             
                  (require_relative '../core_ext/regexp'; using ::Rack::RegexpExtensions) if RUBY_VERSION < '2.4'
         
     | 
| 
         @@ -140,7 +141,7 @@ module Rack 
     | 
|
| 
       140 
141 
     | 
    
         | 
| 
       141 
142 
     | 
    
         
             
                      @mime_parts[mime_index] = klass.new(body, head, filename, content_type, name)
         
     | 
| 
       142 
143 
     | 
    
         | 
| 
       143 
     | 
    
         
            -
                       
     | 
| 
      
 144 
     | 
    
         
            +
                      check_part_limits
         
     | 
| 
       144 
145 
     | 
    
         
             
                    end
         
     | 
| 
       145 
146 
     | 
    
         | 
| 
       146 
147 
     | 
    
         
             
                    def on_mime_body(mime_index, content)
         
     | 
| 
         @@ -152,13 +153,23 @@ module Rack 
     | 
|
| 
       152 
153 
     | 
    
         | 
| 
       153 
154 
     | 
    
         
             
                    private
         
     | 
| 
       154 
155 
     | 
    
         | 
| 
       155 
     | 
    
         
            -
                    def  
     | 
| 
       156 
     | 
    
         
            -
                       
     | 
| 
       157 
     | 
    
         
            -
             
     | 
| 
      
 156 
     | 
    
         
            +
                    def check_part_limits
         
     | 
| 
      
 157 
     | 
    
         
            +
                      file_limit = Utils.multipart_file_limit
         
     | 
| 
      
 158 
     | 
    
         
            +
                      part_limit = Utils.multipart_total_part_limit
         
     | 
| 
      
 159 
     | 
    
         
            +
             
     | 
| 
      
 160 
     | 
    
         
            +
                      if file_limit && file_limit > 0
         
     | 
| 
      
 161 
     | 
    
         
            +
                        if @open_files >= file_limit
         
     | 
| 
       158 
162 
     | 
    
         
             
                          @mime_parts.each(&:close)
         
     | 
| 
       159 
163 
     | 
    
         
             
                          raise MultipartPartLimitError, 'Maximum file multiparts in content reached'
         
     | 
| 
       160 
164 
     | 
    
         
             
                        end
         
     | 
| 
       161 
165 
     | 
    
         
             
                      end
         
     | 
| 
      
 166 
     | 
    
         
            +
             
     | 
| 
      
 167 
     | 
    
         
            +
                      if part_limit && part_limit > 0
         
     | 
| 
      
 168 
     | 
    
         
            +
                        if @mime_parts.size >= part_limit
         
     | 
| 
      
 169 
     | 
    
         
            +
                          @mime_parts.each(&:close)
         
     | 
| 
      
 170 
     | 
    
         
            +
                          raise MultipartTotalPartLimitError, 'Maximum total multiparts in content reached'
         
     | 
| 
      
 171 
     | 
    
         
            +
                        end
         
     | 
| 
      
 172 
     | 
    
         
            +
                      end
         
     | 
| 
       162 
173 
     | 
    
         
             
                    end
         
     | 
| 
       163 
174 
     | 
    
         
             
                  end
         
     | 
| 
       164 
175 
     | 
    
         | 
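Review bot: `if @mime_parts.size >= part_limit` in the new check_part_limits raises as soon as the part just stored by `@mime_parts[mime_index] = klass.new(body, head, filename, content_type, name)` brings the count up to the limit, so with the default of 4096 a request carrying exactly 4096 parts is rejected, while the README text added in this same release says a request "can't contain more than 4096 parts"; either the comparison should be `if @mime_parts.size > part_limit` or the documented contract should say "fewer than", and the same question applies to the pre-existing `@open_files >= file_limit` branch. This assumes `@mime_parts` is an array filled densely by mime_index, which is set outside the hunk. Separately, `MultipartTotalPartLimitError < StandardError` sits beside `MultipartPartLimitError < Errno::EMFILE`, so any application or middleware that already rescues `Errno::EMFILE` to map the file limit onto a client error will let the new error escape as an unhandled exception; a shared parent class, or at least a comment on the new class saying that it is deliberately not an `Errno::EMFILE`, would make that visible to integrators. on_mime_head, the method that calls check_part_limits, begins outside the hunk.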
    
        data/lib/rack/utils.rb
    CHANGED
    
    | 
         @@ -58,13 +58,24 @@ module Rack 
     | 
|
| 
       58 
58 
     | 
    
         
             
                end
         
     | 
| 
       59 
59 
     | 
    
         | 
| 
       60 
60 
     | 
    
         
             
                class << self
         
     | 
| 
       61 
     | 
    
         
            -
                  attr_accessor : 
     | 
| 
      
 61 
     | 
    
         
            +
                  attr_accessor :multipart_total_part_limit
         
     | 
| 
      
 62 
     | 
    
         
            +
             
     | 
| 
      
 63 
     | 
    
         
            +
                  attr_accessor :multipart_file_limit
         
     | 
| 
      
 64 
     | 
    
         
            +
             
     | 
| 
      
 65 
     | 
    
         
            +
                  # multipart_part_limit is the original name of multipart_file_limit, but
         
     | 
| 
      
 66 
     | 
    
         
            +
                  # the limit only counts parts with filenames.
         
     | 
| 
      
 67 
     | 
    
         
            +
                  alias multipart_part_limit multipart_file_limit
         
     | 
| 
      
 68 
     | 
    
         
            +
                  alias multipart_part_limit= multipart_file_limit=
         
     | 
| 
       62 
69 
     | 
    
         
             
                end
         
     | 
| 
       63 
70 
     | 
    
         | 
| 
       64 
     | 
    
         
            -
                # The maximum number of parts a request can contain. Accepting too 
     | 
| 
       65 
     | 
    
         
            -
                # can lead to the server running out of file handles.
         
     | 
| 
      
 71 
     | 
    
         
            +
                # The maximum number of file parts a request can contain. Accepting too
         
     | 
| 
      
 72 
     | 
    
         
            +
                # many parts can lead to the server running out of file handles.
         
     | 
| 
       66 
73 
     | 
    
         
             
                # Set to `0` for no limit.
         
     | 
| 
       67 
     | 
    
         
            -
                self. 
     | 
| 
      
 74 
     | 
    
         
            +
                self.multipart_file_limit = (ENV['RACK_MULTIPART_PART_LIMIT'] || ENV['RACK_MULTIPART_FILE_LIMIT'] || 128).to_i
         
     | 
| 
      
 75 
     | 
    
         
            +
             
     | 
| 
      
 76 
     | 
    
         
            +
                # The maximum total number of parts a request can contain. Accepting too
         
     | 
| 
      
 77 
     | 
    
         
            +
                # many can lead to excessive memory use and parsing time.
         
     | 
| 
      
 78 
     | 
    
         
            +
                self.multipart_total_part_limit = (ENV['RACK_MULTIPART_TOTAL_PART_LIMIT'] || 4096).to_i
         
     | 
| 
       68 
79 
     | 
    
         | 
| 
       69 
80 
     | 
    
         
             
                def self.param_depth_limit
         
     | 
| 
       70 
81 
     | 
    
         
             
                  default_query_parser.param_depth_limit
         
     | 
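Review bot: `self.multipart_file_limit = (ENV['RACK_MULTIPART_PART_LIMIT'] || ENV['RACK_MULTIPART_FILE_LIMIT'] || 128).to_i` gives the legacy variable precedence over the new one, so an operator who sets `RACK_MULTIPART_FILE_LIMIT` as the README in this release recommends is silently overridden wherever the old `RACK_MULTIPART_PART_LIMIT` is still exported; reading the new name first, `self.multipart_file_limit = (ENV['RACK_MULTIPART_FILE_LIMIT'] || ENV['RACK_MULTIPART_PART_LIMIT'] || 128).to_i`, matches the README's presentation of PART_LIMIT as the compatibility alias. A second point applies to that line and to `self.multipart_total_part_limit = (ENV['RACK_MULTIPART_TOTAL_PART_LIMIT'] || 4096).to_i`: `.to_i` turns any non-numeric or empty value into 0, and 0 is documented as "no limit", so a misconfigured variable disables the protection instead of failing loudly; `Integer(ENV.fetch('RACK_MULTIPART_TOTAL_PART_LIMIT', '4096'), 10)` would reject bad input at load time, or failing that a comment such as `# NOTE: a non-numeric value parses as 0, which disables the limit` should sit above each assignment. The `class << self` block and the enclosing Utils module start outside the hunk.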
    
        data/lib/rack/version.rb
    CHANGED
    
    
    
        metadata
    CHANGED
    
    | 
         @@ -1,14 +1,14 @@ 
     | 
|
| 
       1 
1 
     | 
    
         
             
            --- !ruby/object:Gem::Specification
         
     | 
| 
       2 
2 
     | 
    
         
             
            name: rack
         
     | 
| 
       3 
3 
     | 
    
         
             
            version: !ruby/object:Gem::Version
         
     | 
| 
       4 
     | 
    
         
            -
              version: 2.2.6. 
     | 
| 
      
 4 
     | 
    
         
            +
              version: 2.2.6.3
         
     | 
| 
       5 
5 
     | 
    
         
             
            platform: ruby
         
     | 
| 
       6 
6 
     | 
    
         
             
            authors:
         
     | 
| 
       7 
7 
     | 
    
         
             
            - Leah Neukirchen
         
     | 
| 
       8 
8 
     | 
    
         
             
            autorequire:
         
     | 
| 
       9 
9 
     | 
    
         
             
            bindir: bin
         
     | 
| 
       10 
10 
     | 
    
         
             
            cert_chain: []
         
     | 
| 
       11 
     | 
    
         
            -
            date: 2023- 
     | 
| 
      
 11 
     | 
    
         
            +
            date: 2023-03-02 00:00:00.000000000 Z
         
     | 
| 
       12 
12 
     | 
    
         
             
            dependencies:
         
     | 
| 
       13 
13 
     | 
    
         
             
            - !ruby/object:Gem::Dependency
         
     | 
| 
       14 
14 
     | 
    
         
             
              name: minitest
         
     | 
| 
         @@ -184,7 +184,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement 
     | 
|
| 
       184 
184 
     | 
    
         
             
                - !ruby/object:Gem::Version
         
     | 
| 
       185 
185 
     | 
    
         
             
                  version: '0'
         
     | 
| 
       186 
186 
     | 
    
         
             
            requirements: []
         
     | 
| 
       187 
     | 
    
         
            -
            rubygems_version: 3. 
     | 
| 
      
 187 
     | 
    
         
            +
            rubygems_version: 3.4.1
         
     | 
| 
       188 
188 
     | 
    
         
             
            signing_key:
         
     | 
| 
       189 
189 
     | 
    
         
             
            specification_version: 4
         
     | 
| 
       190 
190 
     | 
    
         
             
            summary: A modular Ruby webserver interface.
         
     |