rack 2.2.8.1 → 2.2.11

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7707e75748cda81d20950b3a934018fdc136c5e4c9b551911bdb993418adf31c
-  data.tar.gz: 7a87520904eb86c7e1761d2895e0ed3c11bb2bded7cbd7d716e75488e27f9b37
+  metadata.gz: 5a52d0aaca2ecd96be997b263d21b759f488a509acbe537dd49daa71b58ee7a9
+  data.tar.gz: 87e641041f1e3269a0c21c932efe8ae4462777696408e4782dcdc69d0aa01579
 SHA512:
-  metadata.gz: c38c9c18ec842262eeb25e1c06bbfe0c6b7ef5f74ee43f9952105a53e96d9dfaead4c0786a0a9f2bb999004d45d738e05104b9e3c612f16b35a30b6441afa2e6
-  data.tar.gz: 890b77739013bc80a83a74c2ecc112dfdd8a68a090d831f7ca3ea5106cf5cad1d61baf4df0c2d39bef3cb3b37e1bb30f44109d8e85ceded57345611090f85a75
+  metadata.gz: f4eb2e25547ce0a4fbab24a4f2629f2492e4da9fbcdd152e0d10ff335bd1e312c8aa8c0937612196878cc046c7f991d092c40b3856117a00c8e725dea2853d4a
+  data.tar.gz: 2188b85ac67e13c93304ef3c4b9c4f6e045dedba6c62cb2ad2d0520288b72caff4bffac0a0862d6e7d07c42f0123435ebea99a887ef7d8a76a60b8cf38cd515c

data/CHANGELOG.md

@@ -2,6 +2,28 @@
 
 All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
 
+## Unreleased
+
+## [3.1.11] - 2025-02-12
+
+### Security
+
+- [CVE-2025-25184](https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg) Possible Log Injection in Rack::CommonLogger.
+
+## [2.2.10] - 2024-10-14
+
+- Fix compatibility issues with Ruby v3.4.0. ([#2248](https://github.com/rack/rack/pull/2248), [@byroot](https://github.com/byroot))
+
+## [2.2.9] - 2023-03-21
+
+- Return empty when parsing a multi-part POST with only one end delimiter. ([#2104](https://github.com/rack/rack/pull/2104), [@alpaca-tc])
+
+## [2.2.8] - 2023-07-31
+
+- Regenerate SPEC ([#2102](https://github.com/rack/rack/pull/2102), [@skipkayhil](https://github.com/skipkayhil))
+- Limit file extension length of multipart tempfiles ([#2015](https://github.com/rack/rack/pull/2015), [@dentarg](https://github.com/dentarg))
+- Fix "undefined method DelegateClass for Rack::Session::Cookie:Class" ([#2092](https://github.com/rack/rack/pull/2092), [@onigra](https://github.com/onigra) [@dchandekstark](https://github.com/dchandekstark))
+
 ## [2.2.7] - 2023-03-13
 
 - Correct the year number in the changelog ([#2015](https://github.com/rack/rack/pull/2015), [@kimulab](https://github.com/kimulab))

data/lib/rack/auth/basic.rb

@@ -2,7 +2,6 @@
 
 require_relative 'abstract/handler'
 require_relative 'abstract/request'
-require 'base64'
 
 module Rack
   module Auth
@@ -48,7 +47,7 @@ module Rack
         end
 
         def credentials
-          @credentials ||= Base64.decode64(params).split(':', 2)
+          @credentials ||= params.unpack("m").first.split(':', 2)
         end
 
         def username

data/lib/rack/auth/digest/nonce.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 require 'digest/md5'
-require 'base64'
 
 module Rack
   module Auth
@@ -21,7 +20,7 @@ module Rack
         end
 
         def self.parse(string)
-          new(*Base64.decode64(string).split(' ', 2))
+          new(*string.unpack("m").first.split(' ', 2))
         end
 
         def initialize(timestamp = Time.now, given_digest = nil)
@@ -29,7 +28,7 @@ module Rack
         end
 
         def to_s
-          Base64.encode64("#{@timestamp} #{digest}").strip
+          ["#{@timestamp} #{digest}"].pack("m").strip
         end
 
         def digest

data/lib/rack/common_logger.rb

@@ -15,7 +15,7 @@ module Rack
     # The actual format is slightly different than the above due to the
     # separation of SCRIPT_NAME and PATH_INFO, and because the elapsed
     # time in seconds is included at the end.
-    FORMAT = %{%s - %s [%s] "%s %s%s%s %s" %d %s %0.4f\n}
+    FORMAT = %{%s - %s [%s] "%s %s%s%s %s" %d %s %0.4f }
 
     # +logger+ can be any object that supports the +write+ or +<<+ methods,
     # which includes the standard library Logger.  These methods are called
@@ -60,7 +60,8 @@ module Rack
         length,
         Utils.clock_time - began_at ]
 
-      msg.gsub!(/[^[:print:]\n]/) { |c| "\\x#{c.ord}" }
+      msg.gsub!(/[^[:print:]]/) { |c| sprintf("\\x%x", c.ord) }
+      msg[-1] = "\n"
 
       logger = @logger || env[RACK_ERRORS]
 

data/lib/rack/multipart/parser.rb

@@ -191,6 +191,7 @@ module Rack
 
         @sbuf = StringScanner.new("".dup)
         @body_regex = /(?:#{EOL})?#{Regexp.quote(@boundary)}(?:#{EOL}|--)/m
+        @end_boundary_size = boundary.bytesize + 6 # (-- at start, -- at finish, EOL at end)
         @rx_max_size = EOL.size + @boundary.bytesize + [EOL.size, '--'.size].max
         @head_regex = /(.*?#{EOL})#{EOL}/m
       end
@@ -231,7 +232,12 @@ module Rack
       end
 
       def handle_fast_forward
-        if consume_boundary
+        tok = consume_boundary
+
+        if tok == :END_BOUNDARY && @sbuf.pos == @end_boundary_size && @sbuf.eos?
+          # stop parsing a buffer if a buffer is only an end boundary.
+          @state = :DONE
+        elsif tok
           @state = :MIME_HEAD
         else
           raise EOFError, "bad content body" if @sbuf.rest_size >= @bufsize

data/lib/rack/session/cookie.rb

@@ -4,7 +4,6 @@ require 'openssl'
 require 'zlib'
 require_relative 'abstract/id'
 require 'json'
-require 'base64'
 require 'delegate'
 
 module Rack
@@ -51,11 +50,11 @@ module Rack
       # Encode session cookies as Base64
       class Base64
         def encode(str)
-          ::Base64.strict_encode64(str)
+          [str].pack("m0")
         end
 
         def decode(str)
-          ::Base64.decode64(str)
+          str.unpack("m").first
         end
 
         # Encode session cookies as Marshaled Base64 data

data/lib/rack/utils.rb

@@ -24,6 +24,7 @@ module Rack
 
     RFC2822_DAY_NAME = [ 'Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat' ]
     RFC2822_MONTH_NAME = [ 'Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec' ]
+    RFC2396_PARSER = defined?(URI::RFC2396_PARSER) ? URI::RFC2396_PARSER : URI::RFC2396_Parser.new
 
     class << self
       attr_accessor :default_query_parser
@@ -42,13 +43,13 @@ module Rack
     # Like URI escaping, but with %20 instead of +. Strictly speaking this is
     # true URI escaping.
     def escape_path(s)
-      ::URI::DEFAULT_PARSER.escape s
+      RFC2396_PARSER.escape s
     end
 
     # Unescapes the **path** component of a URI.  See Rack::Utils.unescape for
     # unescaping query parameters or form components.
     def unescape_path(s)
-      ::URI::DEFAULT_PARSER.unescape s
+      RFC2396_PARSER.unescape s
     end
 
     # Unescapes a URI escaped string with +encoding+. +encoding+ will be the
@@ -381,7 +382,7 @@ module Rack
         ranges << (r0..r1)  if r0 <= r1
       end
 
-      return [] if ranges.map(&:size).sum > size
+      return [] if ranges.map(&:size).inject(0, :+) > size
 
       ranges
     end

data/lib/rack/version.rb

@@ -20,7 +20,7 @@ module Rack
     VERSION.join(".")
   end
 
-  RELEASE = "2.2.8.1"
+  RELEASE = "2.2.11"
 
   # Return the Rack release as a dotted string.
   def self.release

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-  version: 2.2.8.1
+  version: 2.2.11
 platform: ruby
 authors:
 - Leah Neukirchen
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-02-21 00:00:00.000000000 Z
+date: 2025-02-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -184,7 +184,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.10
+rubygems_version: 3.5.22
 signing_key:
 specification_version: 4
 summary: A modular Ruby webserver interface.