rack 2.2.9 → 2.2.13

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 24180b9a6b3542ecca924c20de2c2e7b35a752dcbf7617ad91e1bc561fe902f5
-  data.tar.gz: d63a4ba670c4c095de71d04fbed0b1db951b0c2e77b3f6f3c693a379595be1ec
+  metadata.gz: '09a6d038df42d0af44940110fca3a8f9eb37a56a2acea9f1ad02f6fc39c685a9'
+  data.tar.gz: d4a25103cf82081f357f621ee9a44027a799cda9c566f1ad4ffff3ec9d45a603
 SHA512:
-  metadata.gz: 7b7e807808b0cfd510b044cff94bce487e7210d66c3bece906ead9bcd7787580f8cc9c7195ff30dd939a20fa9ea8919adbc938d32f75d22c5dbe3702ff9ed634
-  data.tar.gz: 60b1ede1565fe39363bc03f7ff7402f23ee4540dd30e1ec0302b6ca7ca1e1772b746929ec036e747c5a83fd6e5c0f23e623241e5176dcb24eddb8eac2c72f2c8
+  metadata.gz: 6324e627506aa9605cab9ad4778303ccb24dffa41d2877e5a9008813556f84cc4660f2638fa00431b36a23cac528c81fa23884d21e907f56370634a67f94070c
+  data.tar.gz: bc7cabae2f718457165de32fa8905028d0cbb85bcfe150ac2a7871e78ad57b3651d1881aedfc9a366fb9aa11ca009a1344e180ad2c470f1792b4e2befb629034

data/CHANGELOG.md

@@ -2,7 +2,27 @@
 
 All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
 
-## Unreleased
+## [2.2.13] - 2025-03-11
+
+### Security
+
+- [CVE-2025-27610](https://github.com/rack/rack/security/advisories/GHSA-7wqh-767x-r66v) Local file inclusion in `Rack::Static`.
+
+## [2.2.12] - 2025-03-04
+
+### Security
+
+- [CVE-2025-27111](https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v) Possible Log Injection in `Rack::Sendfile`.
+
+## [2.2.11] - 2025-02-12
+
+### Security
+
+- [CVE-2025-25184](https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg) Possible Log Injection in `Rack::CommonLogger`.
+
+## [2.2.10] - 2024-10-14
+
+- Fix compatibility issues with Ruby v3.4.0. ([#2248](https://github.com/rack/rack/pull/2248), [@byroot](https://github.com/byroot))
 
 ## [2.2.9] - 2023-03-21
 

data/lib/rack/auth/basic.rb

@@ -2,7 +2,6 @@
 
 require_relative 'abstract/handler'
 require_relative 'abstract/request'
-require 'base64'
 
 module Rack
   module Auth
@@ -48,7 +47,7 @@ module Rack
         end
 
         def credentials
-          @credentials ||= Base64.decode64(params).split(':', 2)
+          @credentials ||= params.unpack("m").first.split(':', 2)
         end
 
         def username

data/lib/rack/auth/digest/nonce.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 require 'digest/md5'
-require 'base64'
 
 module Rack
   module Auth
@@ -21,7 +20,7 @@ module Rack
         end
 
         def self.parse(string)
-          new(*Base64.decode64(string).split(' ', 2))
+          new(*string.unpack("m").first.split(' ', 2))
         end
 
         def initialize(timestamp = Time.now, given_digest = nil)
@@ -29,7 +28,7 @@ module Rack
         end
 
         def to_s
-          Base64.encode64("#{@timestamp} #{digest}").strip
+          ["#{@timestamp} #{digest}"].pack("m").strip
         end
 
         def digest

data/lib/rack/common_logger.rb

@@ -15,7 +15,7 @@ module Rack
     # The actual format is slightly different than the above due to the
     # separation of SCRIPT_NAME and PATH_INFO, and because the elapsed
     # time in seconds is included at the end.
-    FORMAT = %{%s - %s [%s] "%s %s%s%s %s" %d %s %0.4f\n}
+    FORMAT = %{%s - %s [%s] "%s %s%s%s %s" %d %s %0.4f }
 
     # +logger+ can be any object that supports the +write+ or +<<+ methods,
     # which includes the standard library Logger.  These methods are called
@@ -60,7 +60,8 @@ module Rack
         length,
         Utils.clock_time - began_at ]
 
-      msg.gsub!(/[^[:print:]\n]/) { |c| "\\x#{c.ord}" }
+      msg.gsub!(/[^[:print:]]/) { |c| sprintf("\\x%x", c.ord) }
+      msg[-1] = "\n"
 
       logger = @logger || env[RACK_ERRORS]
 

data/lib/rack/sendfile.rb

@@ -133,7 +133,7 @@ module Rack
           end
         when '', nil
         else
-          env[RACK_ERRORS].puts "Unknown x-sendfile variation: '#{type}'.\n"
+          env[RACK_ERRORS].puts "Unknown x-sendfile variation: #{type.inspect}"
         end
       end
       [status, headers, body]

data/lib/rack/session/cookie.rb

@@ -4,7 +4,6 @@ require 'openssl'
 require 'zlib'
 require_relative 'abstract/id'
 require 'json'
-require 'base64'
 require 'delegate'
 
 module Rack
@@ -51,11 +50,11 @@ module Rack
       # Encode session cookies as Base64
       class Base64
         def encode(str)
-          ::Base64.strict_encode64(str)
+          [str].pack("m0")
         end
 
         def decode(str)
-          ::Base64.decode64(str)
+          str.unpack("m").first
         end
 
         # Encode session cookies as Marshaled Base64 data

data/lib/rack/static.rb

@@ -122,8 +122,9 @@ module Rack
 
     def call(env)
       path = env[PATH_INFO]
+      actual_path = Utils.clean_path_info(Utils.unescape_path(path))
 
-      if can_serve(path)
+      if can_serve(actual_path)
         if overwrite_file_path(path)
           env[PATH_INFO] = (add_index_root?(path) ? path + @index : @urls[path])
         elsif @gzip && env['HTTP_ACCEPT_ENCODING'] && /\bgzip\b/.match?(env['HTTP_ACCEPT_ENCODING'])

data/lib/rack/utils.rb

@@ -24,6 +24,7 @@ module Rack
 
     RFC2822_DAY_NAME = [ 'Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat' ]
     RFC2822_MONTH_NAME = [ 'Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec' ]
+    RFC2396_PARSER = defined?(URI::RFC2396_PARSER) ? URI::RFC2396_PARSER : URI::RFC2396_Parser.new
 
     class << self
       attr_accessor :default_query_parser
@@ -42,13 +43,13 @@ module Rack
     # Like URI escaping, but with %20 instead of +. Strictly speaking this is
     # true URI escaping.
     def escape_path(s)
-      ::URI::DEFAULT_PARSER.escape s
+      RFC2396_PARSER.escape s
     end
 
     # Unescapes the **path** component of a URI.  See Rack::Utils.unescape for
     # unescaping query parameters or form components.
     def unescape_path(s)
-      ::URI::DEFAULT_PARSER.unescape s
+      RFC2396_PARSER.unescape s
     end
 
     # Unescapes a URI escaped string with +encoding+. +encoding+ will be the
@@ -381,7 +382,7 @@ module Rack
         ranges << (r0..r1)  if r0 <= r1
       end
 
-      return [] if ranges.map(&:size).sum > size
+      return [] if ranges.map(&:size).inject(0, :+) > size
 
       ranges
     end

data/lib/rack/version.rb

@@ -20,7 +20,7 @@ module Rack
     VERSION.join(".")
   end
 
-  RELEASE = "2.2.9"
+  RELEASE = "2.2.13"
 
   # Return the Rack release as a dotted string.
   def self.release

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-  version: 2.2.9
+  version: 2.2.13
 platform: ruby
 authors:
 - Leah Neukirchen
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-03-21 00:00:00.000000000 Z
+date: 2025-03-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -169,7 +168,6 @@ metadata:
   changelog_uri: https://github.com/rack/rack/blob/master/CHANGELOG.md
   documentation_uri: https://rubydoc.info/github/rack/rack
   source_code_uri: https://github.com/rack/rack
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -184,8 +182,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.3
-signing_key:
+rubygems_version: 3.6.2
 specification_version: 4
 summary: A modular Ruby webserver interface.
 test_files: []