rack 3.0.11 → 3.0.13

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 28b82d44ba189d0bbbc8bde52faa4aad3e333926291cdc20f62ede702b9cf02b
-  data.tar.gz: a40e034c12ec76cd6f9506dfac3ab12438e3c9ffb5c40a7417b0b463758dd40b
+  metadata.gz: 1c864d1b0b86355469b17edefb5ac47e659ae4e47d156070615f12ba012117ce
+  data.tar.gz: 82fd6ccbc59081e2483e8bf541d669c3c1be5caa36418306b1009d0a2c396fff
 SHA512:
-  metadata.gz: 04b8e6d85dc1667f282320d629931407897342cfa2c04ec673ed7150dcb27592fd7c0624ee8d02d5f71dcd8370237b5bc425f43b5d92b6fd58aa311153b75e8f
-  data.tar.gz: b2720568c6fbc1b192e2b0dbbff7231ca4db86f56ff9c12e70385ba7d324c6f44938426071c022789a0f8d6d73a78e383b477332d39e873569860cc059ea1158
+  metadata.gz: f1425831596a8893831d295947e6cb33936616397aaf106855a2f30410b3b8b590d04a405d7de5211ff8a64608abd5a7fa9b02e1fce0b182bff37a0f9a57f095
+  data.tar.gz: a84716c10271fd19d6d3ae199424358615252136dcab72baf87ccf8ed9384c1b59a66a316d016937d28c555b556afd6d81084b3dfd75d5832ad14b05edb190c1

data/CHANGELOG.md

@@ -2,7 +2,23 @@
 
 All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
 
-## Unreleased
+## [3.0.13] - 2025-03-04
+
+### Security
+
+- [CVE-2025-27111](https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v) Possible Log Injection in `Rack::Sendfile`.
+
+### Fixed
+
+- Remove autoloads for constants no longer shipped with Rack. ([#2269](https://github.com/rack/rack/pull/2269), [@ccutrer](https://github.com/ccutrer))
+
+## [3.0.12] - 2025-02-12
+
+### Security
+
+- [CVE-2025-25184](https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg) Possible Log Injection in `Rack::CommonLogger`.
+
+## [3.0.11] - 2024-05-10
 
 - Backport #2062 to 3-0-stable: Do not allow `BodyProxy` to respond to `to_str`, make `to_ary` call close . ([#2062](https://github.com/rack/rack/pull/2062), [@jeremyevans](https://github.com/jeremyevans))
 
@@ -10,6 +26,18 @@ All notable changes to this project will be documented in this file. For info on
 
 - Backport #2104 to 3-0-stable: Return empty when parsing a multi-part POST with only one end delimiter. ([#2164](https://github.com/rack/rack/pull/2164), [@JoeDupuis](https://github.com/JoeDupuis))
 
+## [3.0.9.1] - 2024-02-21
+
+### Security
+
+* [CVE-2024-26146] Fixed ReDoS in Accept header parsing
+* [CVE-2024-25126] Fixed ReDoS in Content Type header parsing
+* [CVE-2024-26141] Reject Range headers which are too large
+
+[CVE-2024-26146]: https://github.com/advisories/GHSA-54rr-7fvw-6x8f
+[CVE-2024-25126]: https://github.com/advisories/GHSA-22f2-v57c-j9cx
+[CVE-2024-26141]: https://github.com/advisories/GHSA-xj5v-6v4g-jfw6
+
 ## [3.0.9] - 2024-01-31
 
 - Fix incorrect content-length header that was emitted when `Rack::Response#write` was used in some situations. ([#2150](https://github.com/rack/rack/pull/2150), [@mattbrictson](https://github.com/mattbrictson))
@@ -24,6 +52,8 @@ All notable changes to this project will be documented in this file. For info on
 
 ## [3.0.6.1] - 2023-03-13
 
+### Security
+
 - [CVE-2023-27539] Avoid ReDoS in header parsing
 
 ## [3.0.6] - 2023-03-13
@@ -34,12 +64,16 @@ All notable changes to this project will be documented in this file. For info on
 
 - Split form/query parsing into two steps. ([#2038](https://github.com/rack/rack/pull/2038), [@matthewd](https://github.com/matthewd))
 
-## [3.0.4.1] - 2023-03-02
+## [3.0.4.2] - 2023-03-02
+
+### Security
 
 - [CVE-2023-27530] Introduce multipart_total_part_limit to limit total parts
 
 ## [3.0.4.1] - 2023-01-17
 
+### Security
+
 - [CVE-2022-44571] Fix ReDoS vulnerability in multipart parser
 - [CVE-2022-44570] Fix ReDoS in Rack::Utils.get_byte_ranges
 - [CVE-2022-44572] Forbid control characters in attributes (also ReDoS)
@@ -160,6 +194,64 @@ All notable changes to this project will be documented in this file. For info on
 - Fix multipart filename generation for filenames that contain spaces. Encode spaces as "%20" instead of "+" which will be decoded properly by the multipart parser. ([#1736](https://github.com/rack/rack/pull/1645), [@muirdm](https://github.com/muirdm))
 - `Rack::Request#scheme` returns `ws` or `wss` when one of the `X-Forwarded-Scheme` / `X-Forwarded-Proto` headers is set to `ws` or `wss`, respectively. ([#1730](https://github.com/rack/rack/issues/1730), [@erwanst](https://github.com/erwanst))
 
+## [2.2.12] - 2025-03-04
+
+### Security
+
+- [CVE-2025-27111](https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v) Possible Log Injection in `Rack::Sendfile`.
+
+## [2.2.11] - 2025-02-12
+
+### Security
+
+- [CVE-2025-25184](https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg) Possible Log Injection in `Rack::CommonLogger`.
+
+## [2.2.10] - 2024-10-14
+
+- Fix compatibility issues with Ruby v3.4.0. ([#2248](https://github.com/rack/rack/pull/2248), [@byroot](https://github.com/byroot))
+
+## [2.2.9] - 2023-03-21
+
+- Return empty when parsing a multi-part POST with only one end delimiter. ([#2104](https://github.com/rack/rack/pull/2104), [@alpaca-tc])
+
+## [2.2.8] - 2023-07-31
+
+- Regenerate SPEC ([#2102](https://github.com/rack/rack/pull/2102), [@skipkayhil](https://github.com/skipkayhil))
+- Limit file extension length of multipart tempfiles ([#2015](https://github.com/rack/rack/pull/2015), [@dentarg](https://github.com/dentarg))
+- Fix "undefined method DelegateClass for Rack::Session::Cookie:Class" ([#2092](https://github.com/rack/rack/pull/2092), [@onigra](https://github.com/onigra) [@dchandekstark](https://github.com/dchandekstark))
+
+## [2.2.7] - 2023-03-13
+
+- Correct the year number in the changelog ([#2015](https://github.com/rack/rack/pull/2015), [@kimulab](https://github.com/kimulab))
+- Support underscore in host names for Rack 2.2 (Fixes [#2070](https://github.com/rack/rack/issues/2070)) ([#2015](https://github.com/rack/rack/pull/2071), [@jeremyevans](https://github.com/jeremyevans))
+
+## [2.2.6.4] - 2023-03-13
+
+- [CVE-2023-27539] Avoid ReDoS in header parsing
+
+## [2.2.6.3] - 2023-03-02
+
+- [CVE-2023-27530] Introduce multipart_total_part_limit to limit total parts
+
+## [2.2.6.2] - 2023-01-17
+
+- [CVE-2022-44570] Fix ReDoS in Rack::Utils.get_byte_ranges
+
+## [2.2.6.1] - 2023-01-17
+
+- [CVE-2022-44571] Fix ReDoS vulnerability in multipart parser
+- [CVE-2022-44572] Forbid control characters in attributes (also ReDoS)
+
+## [2.2.6] - 2023-01-17
+
+- Extend `Rack::MethodOverride` to handle `QueryParser::ParamsTooDeepError` error. ([#2011](https://github.com/rack/rack/pull/2011), [@byroot](https://github.com/byroot))
+
+## [2.2.5] - 2022-12-27
+
+### Fixed
+
+- `Rack::URLMap` uses non-deprecated form of `Regexp.new`. ([#1998](https://github.com/rack/rack/pull/1998), [@weizheheng](https://github.com/weizheheng))
+
 ## [2.2.4] - 2022-06-30
 
 - Better support for lower case headers in `Rack::ETag` middleware. ([#1919](https://github.com/rack/rack/pull/1919), [@ioquatix](https://github.com/ioquatix))

data/lib/rack/common_logger.rb

@@ -20,7 +20,7 @@ module Rack
     # The actual format is slightly different than the above due to the
     # separation of SCRIPT_NAME and PATH_INFO, and because the elapsed
     # time in seconds is included at the end.
-    FORMAT = %{%s - %s [%s] "%s %s%s%s %s" %d %s %0.4f\n}
+    FORMAT = %{%s - %s [%s] "%s %s%s%s %s" %d %s %0.4f }
 
     # +logger+ can be any object that supports the +write+ or +<<+ methods,
     # which includes the standard library Logger.  These methods are called
@@ -66,7 +66,8 @@ module Rack
         length,
         Utils.clock_time - began_at)
 
-      msg.gsub!(/[^[:print:]\n]/) { |c| sprintf("\\x%x", c.ord) }
+      msg.gsub!(/[^[:print:]]/) { |c| sprintf("\\x%x", c.ord) }
+      msg[-1] = "\n"
 
       logger = @logger || request.get_header(RACK_ERRORS)
       # Standard library logger doesn't support write but it supports << which actually

data/lib/rack/sendfile.rb

@@ -138,7 +138,7 @@ module Rack
           end
         when '', nil
         else
-          env[RACK_ERRORS].puts "Unknown x-sendfile variation: '#{type}'.\n"
+          env[RACK_ERRORS].puts "Unknown x-sendfile variation: #{type.inspect}"
         end
       end
       response

data/lib/rack/version.rb

@@ -25,7 +25,7 @@ module Rack
     VERSION
   end
 
-  RELEASE = "3.0.11"
+  RELEASE = "3.0.13"
 
   # Return the Rack release as a dotted string.
   def self.release

data/lib/rack.rb

@@ -15,8 +15,8 @@ require_relative 'rack/version'
 require_relative 'rack/constants'
 
 module Rack
-  autoload :Builder, "rack/builder"
   autoload :BodyProxy, "rack/body_proxy"
+  autoload :Builder, "rack/builder"
   autoload :Cascade, "rack/cascade"
   autoload :Chunked, "rack/chunked"
   autoload :CommonLogger, "rack/common_logger"
@@ -24,14 +24,13 @@ module Rack
   autoload :Config, "rack/config"
   autoload :ContentLength, "rack/content_length"
   autoload :ContentType, "rack/content_type"
+  autoload :Deflater, "rack/deflater"
+  autoload :Directory, "rack/directory"
   autoload :ETag, "rack/etag"
   autoload :Events, "rack/events"
   autoload :File, "rack/file"
   autoload :Files, "rack/files"
-  autoload :Deflater, "rack/deflater"
-  autoload :Directory, "rack/directory"
   autoload :ForwardRequest, "rack/recursive"
-  autoload :Handler, "rack/handler"
   autoload :Head, "rack/head"
   autoload :Headers, "rack/headers"
   autoload :Lint, "rack/lint"
@@ -40,32 +39,29 @@ module Rack
   autoload :MediaType, "rack/media_type"
   autoload :MethodOverride, "rack/method_override"
   autoload :Mime, "rack/mime"
+  autoload :MockRequest, "rack/mock_request"
+  autoload :MockResponse, "rack/mock_response"
+  autoload :Multipart, "rack/multipart"
   autoload :NullLogger, "rack/null_logger"
   autoload :QueryParser, "rack/query_parser"
   autoload :Recursive, "rack/recursive"
   autoload :Reloader, "rack/reloader"
+  autoload :Request, "rack/request"
+  autoload :Response, "rack/response"
   autoload :RewindableInput, "rack/rewindable_input"
   autoload :Runtime, "rack/runtime"
   autoload :Sendfile, "rack/sendfile"
-  autoload :Server, "rack/server"
   autoload :ShowExceptions, "rack/show_exceptions"
   autoload :ShowStatus, "rack/show_status"
   autoload :Static, "rack/static"
   autoload :TempfileReaper, "rack/tempfile_reaper"
   autoload :URLMap, "rack/urlmap"
   autoload :Utils, "rack/utils"
-  autoload :Multipart, "rack/multipart"
-
-  autoload :MockRequest, "rack/mock_request"
-  autoload :MockResponse, "rack/mock_response"
-
-  autoload :Request, "rack/request"
-  autoload :Response, "rack/response"
 
   module Auth
     autoload :Basic, "rack/auth/basic"
-    autoload :AbstractRequest, "rack/auth/abstract/request"
-    autoload :AbstractHandler, "rack/auth/abstract/handler"
     autoload :Digest, "rack/auth/digest"
+    autoload :AbstractHandler, "rack/auth/abstract/handler"
+    autoload :AbstractRequest, "rack/auth/abstract/request"
   end
 end

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-  version: 3.0.11
+  version: 3.0.13
 platform: ruby
 authors:
 - Leah Neukirchen
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-05-09 00:00:00.000000000 Z
+date: 2025-03-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -149,7 +148,6 @@ metadata:
   changelog_uri: https://github.com/rack/rack/blob/main/CHANGELOG.md
   documentation_uri: https://rubydoc.info/github/rack/rack
   source_code_uri: https://github.com/rack/rack
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -164,8 +162,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.3
-signing_key:
+rubygems_version: 3.6.2
 specification_version: 4
 summary: A modular Ruby webserver interface.
 test_files: []