rack 3.0.10 → 3.0.12
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +28 -2
- data/lib/rack/body_proxy.rb +18 -2
- data/lib/rack/common_logger.rb +3 -2
- data/lib/rack/response.rb +1 -1
- data/lib/rack/version.rb +1 -1
- metadata +3 -6
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: f4cd617243053c032b45f1eb8f73158d61aa295bf866072d85324ae696de1e2d
|
|
4
|
+
data.tar.gz: 84e26d26314c4e7877e21e770e6622cfe57379add2bce818f93fd50b362cd9a9
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: f41b2be1181d9c56dee9b2264fadfd8667a27242ec254403658476d8dd9b4d142d2bd528dc74464f4d5748a8a420341a5361057d27fe5a2633c926f3c62ba46b
|
|
7
|
+
data.tar.gz: daa0660d8c5bddcf6e9d1091d1ae0ee3c614cedd64ba2f8a0ad47ed742806517cd2552108116cebe53bb8bec60d97b46e00c3ec6520fa9f85d54b56d07f20939
|
data/CHANGELOG.md
CHANGED
|
@@ -2,12 +2,32 @@
|
|
|
2
2
|
|
|
3
3
|
All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
|
|
4
4
|
|
|
5
|
-
##
|
|
5
|
+
## [3.0.12] - 2025-02-12
|
|
6
|
+
|
|
7
|
+
### Security
|
|
8
|
+
|
|
9
|
+
- [CVE-2025-25184](https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg) Possible Log Injection in Rack::CommonLogger.
|
|
10
|
+
|
|
11
|
+
## [3.0.11] - 2024-05-10
|
|
12
|
+
|
|
13
|
+
- Backport #2062 to 3-0-stable: Do not allow `BodyProxy` to respond to `to_str`, make `to_ary` call close . ([#2062](https://github.com/rack/rack/pull/2062), [@jeremyevans](https://github.com/jeremyevans))
|
|
6
14
|
|
|
7
15
|
## [3.0.10] - 2024-03-21
|
|
8
16
|
|
|
9
17
|
- Backport #2104 to 3-0-stable: Return empty when parsing a multi-part POST with only one end delimiter. ([#2164](https://github.com/rack/rack/pull/2164), [@JoeDupuis](https://github.com/JoeDupuis))
|
|
10
18
|
|
|
19
|
+
## [3.0.9.1] - 2024-02-21
|
|
20
|
+
|
|
21
|
+
### Security
|
|
22
|
+
|
|
23
|
+
* [CVE-2024-26146] Fixed ReDoS in Accept header parsing
|
|
24
|
+
* [CVE-2024-25126] Fixed ReDoS in Content Type header parsing
|
|
25
|
+
* [CVE-2024-26141] Reject Range headers which are too large
|
|
26
|
+
|
|
27
|
+
[CVE-2024-26146]: https://github.com/advisories/GHSA-54rr-7fvw-6x8f
|
|
28
|
+
[CVE-2024-25126]: https://github.com/advisories/GHSA-22f2-v57c-j9cx
|
|
29
|
+
[CVE-2024-26141]: https://github.com/advisories/GHSA-xj5v-6v4g-jfw6
|
|
30
|
+
|
|
11
31
|
## [3.0.9] - 2024-01-31
|
|
12
32
|
|
|
13
33
|
- Fix incorrect content-length header that was emitted when `Rack::Response#write` was used in some situations. ([#2150](https://github.com/rack/rack/pull/2150), [@mattbrictson](https://github.com/mattbrictson))
|
|
@@ -22,6 +42,8 @@ All notable changes to this project will be documented in this file. For info on
|
|
|
22
42
|
|
|
23
43
|
## [3.0.6.1] - 2023-03-13
|
|
24
44
|
|
|
45
|
+
### Security
|
|
46
|
+
|
|
25
47
|
- [CVE-2023-27539] Avoid ReDoS in header parsing
|
|
26
48
|
|
|
27
49
|
## [3.0.6] - 2023-03-13
|
|
@@ -32,12 +54,16 @@ All notable changes to this project will be documented in this file. For info on
|
|
|
32
54
|
|
|
33
55
|
- Split form/query parsing into two steps. ([#2038](https://github.com/rack/rack/pull/2038), [@matthewd](https://github.com/matthewd))
|
|
34
56
|
|
|
35
|
-
## [3.0.4.
|
|
57
|
+
## [3.0.4.2] - 2023-03-02
|
|
58
|
+
|
|
59
|
+
### Security
|
|
36
60
|
|
|
37
61
|
- [CVE-2023-27530] Introduce multipart_total_part_limit to limit total parts
|
|
38
62
|
|
|
39
63
|
## [3.0.4.1] - 2023-01-17
|
|
40
64
|
|
|
65
|
+
### Security
|
|
66
|
+
|
|
41
67
|
- [CVE-2022-44571] Fix ReDoS vulnerability in multipart parser
|
|
42
68
|
- [CVE-2022-44570] Fix ReDoS in Rack::Utils.get_byte_ranges
|
|
43
69
|
- [CVE-2022-44572] Forbid control characters in attributes (also ReDoS)
|
data/lib/rack/body_proxy.rb
CHANGED
|
@@ -15,7 +15,12 @@ module Rack
|
|
|
15
15
|
|
|
16
16
|
# Return whether the wrapped body responds to the method.
|
|
17
17
|
def respond_to_missing?(method_name, include_all = false)
|
|
18
|
-
|
|
18
|
+
case method_name
|
|
19
|
+
when :to_str
|
|
20
|
+
false
|
|
21
|
+
else
|
|
22
|
+
super or @body.respond_to?(method_name, include_all)
|
|
23
|
+
end
|
|
19
24
|
end
|
|
20
25
|
|
|
21
26
|
# If not already closed, close the wrapped body and
|
|
@@ -38,7 +43,18 @@ module Rack
|
|
|
38
43
|
|
|
39
44
|
# Delegate missing methods to the wrapped body.
|
|
40
45
|
def method_missing(method_name, *args, &block)
|
|
41
|
-
|
|
46
|
+
case method_name
|
|
47
|
+
when :to_str
|
|
48
|
+
super
|
|
49
|
+
when :to_ary
|
|
50
|
+
begin
|
|
51
|
+
@body.__send__(method_name, *args, &block)
|
|
52
|
+
ensure
|
|
53
|
+
close
|
|
54
|
+
end
|
|
55
|
+
else
|
|
56
|
+
@body.__send__(method_name, *args, &block)
|
|
57
|
+
end
|
|
42
58
|
end
|
|
43
59
|
# :nocov:
|
|
44
60
|
ruby2_keywords(:method_missing) if respond_to?(:ruby2_keywords, true)
|
data/lib/rack/common_logger.rb
CHANGED
|
@@ -20,7 +20,7 @@ module Rack
|
|
|
20
20
|
# The actual format is slightly different than the above due to the
|
|
21
21
|
# separation of SCRIPT_NAME and PATH_INFO, and because the elapsed
|
|
22
22
|
# time in seconds is included at the end.
|
|
23
|
-
FORMAT = %{%s - %s [%s] "%s %s%s%s %s" %d %s %0.4f
|
|
23
|
+
FORMAT = %{%s - %s [%s] "%s %s%s%s %s" %d %s %0.4f }
|
|
24
24
|
|
|
25
25
|
# +logger+ can be any object that supports the +write+ or +<<+ methods,
|
|
26
26
|
# which includes the standard library Logger. These methods are called
|
|
@@ -66,7 +66,8 @@ module Rack
|
|
|
66
66
|
length,
|
|
67
67
|
Utils.clock_time - began_at)
|
|
68
68
|
|
|
69
|
-
msg.gsub!(/[^[:print:]
|
|
69
|
+
msg.gsub!(/[^[:print:]]/) { |c| sprintf("\\x%x", c.ord) }
|
|
70
|
+
msg[-1] = "\n"
|
|
70
71
|
|
|
71
72
|
logger = @logger || request.get_header(RACK_ERRORS)
|
|
72
73
|
# Standard library logger doesn't support write but it supports << which actually
|
data/lib/rack/response.rb
CHANGED
|
@@ -33,7 +33,7 @@ module Rack
|
|
|
33
33
|
|
|
34
34
|
# Deprecated, use headers instead.
|
|
35
35
|
def header
|
|
36
|
-
warn 'Rack::Response#header is deprecated and will be removed in Rack 3.1', uplevel: 1
|
|
36
|
+
warn 'Rack::Response#header is deprecated and will be removed in Rack 3.1, use #headers instead', uplevel: 1
|
|
37
37
|
|
|
38
38
|
headers
|
|
39
39
|
end
|
data/lib/rack/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,13 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rack
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.0.
|
|
4
|
+
version: 3.0.12
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Leah Neukirchen
|
|
8
|
-
autorequire:
|
|
9
8
|
bindir: bin
|
|
10
9
|
cert_chain: []
|
|
11
|
-
date:
|
|
10
|
+
date: 2025-02-12 00:00:00.000000000 Z
|
|
12
11
|
dependencies:
|
|
13
12
|
- !ruby/object:Gem::Dependency
|
|
14
13
|
name: minitest
|
|
@@ -149,7 +148,6 @@ metadata:
|
|
|
149
148
|
changelog_uri: https://github.com/rack/rack/blob/main/CHANGELOG.md
|
|
150
149
|
documentation_uri: https://rubydoc.info/github/rack/rack
|
|
151
150
|
source_code_uri: https://github.com/rack/rack
|
|
152
|
-
post_install_message:
|
|
153
151
|
rdoc_options: []
|
|
154
152
|
require_paths:
|
|
155
153
|
- lib
|
|
@@ -164,8 +162,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
164
162
|
- !ruby/object:Gem::Version
|
|
165
163
|
version: '0'
|
|
166
164
|
requirements: []
|
|
167
|
-
rubygems_version: 3.
|
|
168
|
-
signing_key:
|
|
165
|
+
rubygems_version: 3.6.2
|
|
169
166
|
specification_version: 4
|
|
170
167
|
summary: A modular Ruby webserver interface.
|
|
171
168
|
test_files: []
|