rack 2.2.9 → 2.2.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (9) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +10 -0
  3. data/lib/rack/auth/basic.rb +1 -2
  4. data/lib/rack/auth/digest/nonce.rb +2 -3
  5. data/lib/rack/common_logger.rb +3 -2
  6. data/lib/rack/session/cookie.rb +2 -3
  7. data/lib/rack/utils.rb +4 -3
  8. data/lib/rack/version.rb +1 -1
  9. metadata +3 -3
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 24180b9a6b3542ecca924c20de2c2e7b35a752dcbf7617ad91e1bc561fe902f5
4
- data.tar.gz: d63a4ba670c4c095de71d04fbed0b1db951b0c2e77b3f6f3c693a379595be1ec
3
+ metadata.gz: 5a52d0aaca2ecd96be997b263d21b759f488a509acbe537dd49daa71b58ee7a9
4
+ data.tar.gz: 87e641041f1e3269a0c21c932efe8ae4462777696408e4782dcdc69d0aa01579
5
5
  SHA512:
6
- metadata.gz: 7b7e807808b0cfd510b044cff94bce487e7210d66c3bece906ead9bcd7787580f8cc9c7195ff30dd939a20fa9ea8919adbc938d32f75d22c5dbe3702ff9ed634
7
- data.tar.gz: 60b1ede1565fe39363bc03f7ff7402f23ee4540dd30e1ec0302b6ca7ca1e1772b746929ec036e747c5a83fd6e5c0f23e623241e5176dcb24eddb8eac2c72f2c8
6
+ metadata.gz: f4eb2e25547ce0a4fbab24a4f2629f2492e4da9fbcdd152e0d10ff335bd1e312c8aa8c0937612196878cc046c7f991d092c40b3856117a00c8e725dea2853d4a
7
+ data.tar.gz: 2188b85ac67e13c93304ef3c4b9c4f6e045dedba6c62cb2ad2d0520288b72caff4bffac0a0862d6e7d07c42f0123435ebea99a887ef7d8a76a60b8cf38cd515c
data/CHANGELOG.md CHANGED
@@ -4,6 +4,16 @@ All notable changes to this project will be documented in this file. For info on
4
4
 
5
5
  ## Unreleased
6
6
 
7
+ ## [3.1.11] - 2025-02-12
8
+
9
+ ### Security
10
+
11
+ - [CVE-2025-25184](https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg) Possible Log Injection in Rack::CommonLogger.
12
+
13
+ ## [2.2.10] - 2024-10-14
14
+
15
+ - Fix compatibility issues with Ruby v3.4.0. ([#2248](https://github.com/rack/rack/pull/2248), [@byroot](https://github.com/byroot))
16
+
7
17
  ## [2.2.9] - 2023-03-21
8
18
 
9
19
  - Return empty when parsing a multi-part POST with only one end delimiter. ([#2104](https://github.com/rack/rack/pull/2104), [@alpaca-tc])
data/lib/rack/auth/basic.rb CHANGED
@@ -2,7 +2,6 @@
2
2
 
3
3
  require_relative 'abstract/handler'
4
4
  require_relative 'abstract/request'
5
- require 'base64'
6
5
 
7
6
  module Rack
8
7
  module Auth
@@ -48,7 +47,7 @@ module Rack
48
47
  end
49
48
 
50
49
  def credentials
51
- @credentials ||= Base64.decode64(params).split(':', 2)
50
+ @credentials ||= params.unpack("m").first.split(':', 2)
52
51
  end
53
52
 
54
53
  def username
data/lib/rack/auth/digest/nonce.rb CHANGED
@@ -1,7 +1,6 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  require 'digest/md5'
4
- require 'base64'
5
4
 
6
5
  module Rack
7
6
  module Auth
@@ -21,7 +20,7 @@ module Rack
21
20
  end
22
21
 
23
22
  def self.parse(string)
24
- new(*Base64.decode64(string).split(' ', 2))
23
+ new(*string.unpack("m").first.split(' ', 2))
25
24
  end
26
25
 
27
26
  def initialize(timestamp = Time.now, given_digest = nil)
@@ -29,7 +28,7 @@ module Rack
29
28
  end
30
29
 
31
30
  def to_s
32
- Base64.encode64("#{@timestamp} #{digest}").strip
31
+ ["#{@timestamp} #{digest}"].pack("m").strip
33
32
  end
34
33
 
35
34
  def digest
data/lib/rack/common_logger.rb CHANGED
@@ -15,7 +15,7 @@ module Rack
15
15
  # The actual format is slightly different than the above due to the
16
16
  # separation of SCRIPT_NAME and PATH_INFO, and because the elapsed
17
17
  # time in seconds is included at the end.
18
- FORMAT = %{%s - %s [%s] "%s %s%s%s %s" %d %s %0.4f\n}
18
+ FORMAT = %{%s - %s [%s] "%s %s%s%s %s" %d %s %0.4f }
19
19
 
20
20
  # +logger+ can be any object that supports the +write+ or +<<+ methods,
21
21
  # which includes the standard library Logger. These methods are called
@@ -60,7 +60,8 @@ module Rack
60
60
  length,
61
61
  Utils.clock_time - began_at ]
62
62
 
63
- msg.gsub!(/[^[:print:]\n]/) { |c| "\\x#{c.ord}" }
63
+ msg.gsub!(/[^[:print:]]/) { |c| sprintf("\\x%x", c.ord) }
64
+ msg[-1] = "\n"
64
65
 
65
66
  logger = @logger || env[RACK_ERRORS]
66
67
 
data/lib/rack/session/cookie.rb CHANGED
@@ -4,7 +4,6 @@ require 'openssl'
4
4
  require 'zlib'
5
5
  require_relative 'abstract/id'
6
6
  require 'json'
7
- require 'base64'
8
7
  require 'delegate'
9
8
 
10
9
  module Rack
@@ -51,11 +50,11 @@ module Rack
51
50
  # Encode session cookies as Base64
52
51
  class Base64
53
52
  def encode(str)
54
- ::Base64.strict_encode64(str)
53
+ [str].pack("m0")
55
54
  end
56
55
 
57
56
  def decode(str)
58
- ::Base64.decode64(str)
57
+ str.unpack("m").first
59
58
  end
60
59
 
61
60
  # Encode session cookies as Marshaled Base64 data
data/lib/rack/utils.rb CHANGED
@@ -24,6 +24,7 @@ module Rack
24
24
 
25
25
  RFC2822_DAY_NAME = [ 'Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat' ]
26
26
  RFC2822_MONTH_NAME = [ 'Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec' ]
27
+ RFC2396_PARSER = defined?(URI::RFC2396_PARSER) ? URI::RFC2396_PARSER : URI::RFC2396_Parser.new
27
28
 
28
29
  class << self
29
30
  attr_accessor :default_query_parser
@@ -42,13 +43,13 @@ module Rack
42
43
  # Like URI escaping, but with %20 instead of +. Strictly speaking this is
43
44
  # true URI escaping.
44
45
  def escape_path(s)
45
- ::URI::DEFAULT_PARSER.escape s
46
+ RFC2396_PARSER.escape s
46
47
  end
47
48
 
48
49
  # Unescapes the **path** component of a URI. See Rack::Utils.unescape for
49
50
  # unescaping query parameters or form components.
50
51
  def unescape_path(s)
51
- ::URI::DEFAULT_PARSER.unescape s
52
+ RFC2396_PARSER.unescape s
52
53
  end
53
54
 
54
55
  # Unescapes a URI escaped string with +encoding+. +encoding+ will be the
@@ -381,7 +382,7 @@ module Rack
381
382
  ranges << (r0..r1) if r0 <= r1
382
383
  end
383
384
 
384
- return [] if ranges.map(&:size).sum > size
385
+ return [] if ranges.map(&:size).inject(0, :+) > size
385
386
 
386
387
  ranges
387
388
  end
data/lib/rack/version.rb CHANGED
@@ -20,7 +20,7 @@ module Rack
20
20
  VERSION.join(".")
21
21
  end
22
22
 
23
- RELEASE = "2.2.9"
23
+ RELEASE = "2.2.11"
24
24
 
25
25
  # Return the Rack release as a dotted string.
26
26
  def self.release
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rack
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.2.9
4
+ version: 2.2.11
5
5
  platform: ruby
6
6
  authors:
7
7
  - Leah Neukirchen
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2024-03-21 00:00:00.000000000 Z
11
+ date: 2025-02-12 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: minitest
@@ -184,7 +184,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
184
184
  - !ruby/object:Gem::Version
185
185
  version: '0'
186
186
  requirements: []
187
- rubygems_version: 3.5.3
187
+ rubygems_version: 3.5.22
188
188
  signing_key:
189
189
  specification_version: 4
190
190
  summary: A modular Ruby webserver interface.