rack 3.0.11 → 3.0.12

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 28b82d44ba189d0bbbc8bde52faa4aad3e333926291cdc20f62ede702b9cf02b
-  data.tar.gz: a40e034c12ec76cd6f9506dfac3ab12438e3c9ffb5c40a7417b0b463758dd40b
+  metadata.gz: f4cd617243053c032b45f1eb8f73158d61aa295bf866072d85324ae696de1e2d
+  data.tar.gz: 84e26d26314c4e7877e21e770e6622cfe57379add2bce818f93fd50b362cd9a9
 SHA512:
-  metadata.gz: 04b8e6d85dc1667f282320d629931407897342cfa2c04ec673ed7150dcb27592fd7c0624ee8d02d5f71dcd8370237b5bc425f43b5d92b6fd58aa311153b75e8f
-  data.tar.gz: b2720568c6fbc1b192e2b0dbbff7231ca4db86f56ff9c12e70385ba7d324c6f44938426071c022789a0f8d6d73a78e383b477332d39e873569860cc059ea1158
+  metadata.gz: f41b2be1181d9c56dee9b2264fadfd8667a27242ec254403658476d8dd9b4d142d2bd528dc74464f4d5748a8a420341a5361057d27fe5a2633c926f3c62ba46b
+  data.tar.gz: daa0660d8c5bddcf6e9d1091d1ae0ee3c614cedd64ba2f8a0ad47ed742806517cd2552108116cebe53bb8bec60d97b46e00c3ec6520fa9f85d54b56d07f20939

data/CHANGELOG.md

@@ -2,7 +2,13 @@
 
 All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
 
-## Unreleased
+## [3.0.12] - 2025-02-12
+
+### Security
+
+- [CVE-2025-25184](https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg) Possible Log Injection in Rack::CommonLogger.
+
+## [3.0.11] - 2024-05-10
 
 - Backport #2062 to 3-0-stable: Do not allow `BodyProxy` to respond to `to_str`, make `to_ary` call close . ([#2062](https://github.com/rack/rack/pull/2062), [@jeremyevans](https://github.com/jeremyevans))
 
@@ -10,6 +16,18 @@ All notable changes to this project will be documented in this file. For info on
 
 - Backport #2104 to 3-0-stable: Return empty when parsing a multi-part POST with only one end delimiter. ([#2164](https://github.com/rack/rack/pull/2164), [@JoeDupuis](https://github.com/JoeDupuis))
 
+## [3.0.9.1] - 2024-02-21
+
+### Security
+
+* [CVE-2024-26146] Fixed ReDoS in Accept header parsing
+* [CVE-2024-25126] Fixed ReDoS in Content Type header parsing
+* [CVE-2024-26141] Reject Range headers which are too large
+
+[CVE-2024-26146]: https://github.com/advisories/GHSA-54rr-7fvw-6x8f
+[CVE-2024-25126]: https://github.com/advisories/GHSA-22f2-v57c-j9cx
+[CVE-2024-26141]: https://github.com/advisories/GHSA-xj5v-6v4g-jfw6
+
 ## [3.0.9] - 2024-01-31
 
 - Fix incorrect content-length header that was emitted when `Rack::Response#write` was used in some situations. ([#2150](https://github.com/rack/rack/pull/2150), [@mattbrictson](https://github.com/mattbrictson))
@@ -24,6 +42,8 @@ All notable changes to this project will be documented in this file. For info on
 
 ## [3.0.6.1] - 2023-03-13
 
+### Security
+
 - [CVE-2023-27539] Avoid ReDoS in header parsing
 
 ## [3.0.6] - 2023-03-13
@@ -34,12 +54,16 @@ All notable changes to this project will be documented in this file. For info on
 
 - Split form/query parsing into two steps. ([#2038](https://github.com/rack/rack/pull/2038), [@matthewd](https://github.com/matthewd))
 
-## [3.0.4.1] - 2023-03-02
+## [3.0.4.2] - 2023-03-02
+
+### Security
 
 - [CVE-2023-27530] Introduce multipart_total_part_limit to limit total parts
 
 ## [3.0.4.1] - 2023-01-17
 
+### Security
+
 - [CVE-2022-44571] Fix ReDoS vulnerability in multipart parser
 - [CVE-2022-44570] Fix ReDoS in Rack::Utils.get_byte_ranges
 - [CVE-2022-44572] Forbid control characters in attributes (also ReDoS)

data/lib/rack/common_logger.rb

@@ -20,7 +20,7 @@ module Rack
     # The actual format is slightly different than the above due to the
     # separation of SCRIPT_NAME and PATH_INFO, and because the elapsed
     # time in seconds is included at the end.
-    FORMAT = %{%s - %s [%s] "%s %s%s%s %s" %d %s %0.4f\n}
+    FORMAT = %{%s - %s [%s] "%s %s%s%s %s" %d %s %0.4f }
 
     # +logger+ can be any object that supports the +write+ or +<<+ methods,
     # which includes the standard library Logger.  These methods are called
@@ -66,7 +66,8 @@ module Rack
         length,
         Utils.clock_time - began_at)
 
-      msg.gsub!(/[^[:print:]\n]/) { |c| sprintf("\\x%x", c.ord) }
+      msg.gsub!(/[^[:print:]]/) { |c| sprintf("\\x%x", c.ord) }
+      msg[-1] = "\n"
 
       logger = @logger || request.get_header(RACK_ERRORS)
       # Standard library logger doesn't support write but it supports << which actually

data/lib/rack/version.rb

@@ -25,7 +25,7 @@ module Rack
     VERSION
   end
 
-  RELEASE = "3.0.11"
+  RELEASE = "3.0.12"
 
   # Return the Rack release as a dotted string.
   def self.release

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-  version: 3.0.11
+  version: 3.0.12
 platform: ruby
 authors:
 - Leah Neukirchen
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-05-09 00:00:00.000000000 Z
+date: 2025-02-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -149,7 +148,6 @@ metadata:
   changelog_uri: https://github.com/rack/rack/blob/main/CHANGELOG.md
   documentation_uri: https://rubydoc.info/github/rack/rack
   source_code_uri: https://github.com/rack/rack
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -164,8 +162,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.3
-signing_key:
+rubygems_version: 3.6.2
 specification_version: 4
 summary: A modular Ruby webserver interface.
 test_files: []