RubyGems - rack - Versions diffs - 3.0.15 → 3.0.17 - Mend

rack 3.0.15 → 3.0.17

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 37139bb900e9ae14b78c8d89e0bca433ac72b21e1a0a49b7fc583d90af333f03
-  data.tar.gz: d6ecdfd611b84d0871c08225c78dde2ca0c13c19f7d167638129098ba820472e
+  metadata.gz: 3edf21b75cf99b2e46bdeca610592537a1bf049ca57602943af9d7f8bd446666
+  data.tar.gz: 2619cfe2fd66de38a387978af8db591635402a66c841b532dc52abe841058454
 SHA512:
-  metadata.gz: 1bc716b5dc779109737a6bb703926e6ef9355c9ccb254c687fc0c95c1fe66563175c908b077f7dd826ac28e14640a9459dc3788668f5fd84577fd0db3c59737b
-  data.tar.gz: f943c6da9fe9008b8eb6bc19d68fbd041f5ed925965f74fe1dade8c115da67faf3710c46102a716160be30ee7e5df99ddc72ac1a1ac7cf8b44cbcaffc234cc84
+  metadata.gz: fd6d0fdc1d2f981c38ae3c1a0a84c126b440d39394d9ec18c5c5ed07770efe01c95d0c6a64a195b2ad4bd5d4d900e1eff08872fd972cb979aec8429331cabc40
+  data.tar.gz: 61b44c13230df6379b8c760d2e7e5c6756f7b42a2f81d14c2cc21cf94eefa781d7e4b53d8f411fc724fef5b987959d791463cef4aa42a9a5e2c480b7470b8e1d

data/CHANGELOG.md CHANGED Viewed

@@ -2,6 +2,16 @@
 All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
+## [3.0.17] - 2025-05-18
+- Optional support for `CGI::Cookie` if not available. ([#2327](https://github.com/rack/rack/pull/2327), [#2333](https://github.com/rack/rack/pull/2333), [@earlopain])
+## [3.0.16] - 2025-05-06
+### Security
+- [CVE-2025-46727](https://github.com/rack/rack/security/advisories/GHSA-gjh7-p2fx-99vx) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion.
 ## [3.0.15] - 2025-04-13
 - Ensure `Rack::ETag` correctly updates response body. ([#2324](https://github.com/rack/rack/pull/2324), [@ioquatix])
@@ -204,6 +214,16 @@ All notable changes to this project will be documented in this file. For info on
 - Fix multipart filename generation for filenames that contain spaces. Encode spaces as "%20" instead of "+" which will be decoded properly by the multipart parser. ([#1736](https://github.com/rack/rack/pull/1645), [@muirdm](https://github.com/muirdm))
 - `Rack::Request#scheme` returns `ws` or `wss` when one of the `X-Forwarded-Scheme` / `X-Forwarded-Proto` headers is set to `ws` or `wss`, respectively. ([#1730](https://github.com/rack/rack/issues/1730), [@erwanst](https://github.com/erwanst))
+## [2.2.15] - 2025-05-18
+- Optional support for `CGI::Cookie` if not available. ([#2327](https://github.com/rack/rack/pull/2327), [#2333](https://github.com/rack/rack/pull/2333), [@earlopain])
+## [2.2.14] - 2025-05-06
+### Security
+- [CVE-2025-46727](https://github.com/rack/rack/security/advisories/GHSA-gjh7-p2fx-99vx) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion.
 ## [2.2.13] - 2025-03-11
 ### Security
@@ -982,3 +1002,4 @@ Items below this line are from the previously maintained HISTORY.md and NEWS.md
 [@amatsuda]: https://github.com/amatsuda "Akira Matsuda"
 [@wjordan]: https://github.com/wjordan "Will Jordan"
 [@BlakeWilliams]: https://github.com/BlakeWilliams "Blake Williams"
+[@earlopain]: https://github.com/earlopain "Earlopain"

data/README.md CHANGED Viewed

@@ -165,6 +165,33 @@ quickly and without doing the same web stuff all over:
 Rack exposes several configuration parameters to control various features of the
 implementation.
+### `RACK_QUERY_PARSER_BYTESIZE_LIMIT`
+This environment variable sets the default for the maximum query string bytesize
+that `Rack::QueryParser` will attempt to parse.  Attempts to use a query string
+that exceeds this number of bytes will result in a
+`Rack::QueryParser::QueryLimitError` exception. If this enviroment variable is
+provided, it must be an integer, or `Rack::QueryParser` will raise an exception.
+The default limit can be overridden on a per-`Rack::QueryParser` basis using
+the `bytesize_limit` keyword argument when creating the `Rack::QueryParser`.
+### `RACK_QUERY_PARSER_PARAMS_LIMIT`
+This environment variable sets the default for the maximum number of query
+parameters that `Rack::QueryParser` will attempt to parse.  Attempts to use a
+query string with more than this many query parameters will result in a
+`Rack::QueryParser::QueryLimitError` exception. If this enviroment variable is
+provided, it must be an integer, or `Rack::QueryParser` will raise an exception.
+The default limit can be overridden on a per-`Rack::QueryParser` basis using
+the `params_limit` keyword argument when creating the `Rack::QueryParser`.
+This is implemented by counting the number of parameter separators in the
+query string, before attempting parsing, so if the same parameter key is
+used multiple times in the query, each counts as a separate parameter for
+this check.
 ### `param_depth_limit`
 ```ruby

data/lib/rack/mock_response.rb CHANGED Viewed

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
-require 'cgi/cookie'
 require 'time'
 require_relative 'response'
@@ -11,6 +10,36 @@ module Rack
   # MockRequest.
   class MockResponse < Rack::Response
+    begin
+      # Recent versions of the CGI gem may not provide `CGI::Cookie`.
+      require 'cgi/cookie'
+      Cookie = CGI::Cookie
+    rescue LoadError
+      class Cookie
+        attr_reader :name, :value, :path, :domain, :expires, :secure
+        def initialize(args)
+          @name = args["name"]
+          @value = args["value"]
+          @path = args["path"]
+          @domain = args["domain"]
+          @expires = args["expires"]
+          @secure = args["secure"]
+        end
+        def method_missing(method_name, *args, &block)
+          @value.send(method_name, *args, &block)
+        end
+        # :nocov:
+        ruby2_keywords(:method_missing) if respond_to?(:ruby2_keywords, true)
+        # :nocov:
+        def respond_to_missing?(method_name, include_all = false)
+          @value.respond_to?(method_name, include_all) || super
+        end
+      end
+    end
     class << self
       alias [] new
     end
@@ -84,7 +113,7 @@ module Rack
           header_value.split("\n").each do |cookie|
             cookie_name, cookie_filling = cookie.split('=', 2)
             cookie_attributes = identify_cookie_attributes cookie_filling
-            parsed_cookie = CGI::Cookie.new(
+            parsed_cookie = Cookie.new(
               'name' => cookie_name.strip,
               'value' => cookie_attributes.fetch('value'),
               'path' => cookie_attributes.fetch('path', nil),

data/lib/rack/query_parser.rb CHANGED Viewed

@@ -16,27 +16,54 @@ module Rack
     # sequence.
     class InvalidParameterError < ArgumentError; end
-    # ParamsTooDeepError is the error that is raised when params are recursively
-    # nested over the specified limit.
-    class ParamsTooDeepError < RangeError; end
+    # QueryLimitError is for errors raised when the query provided exceeds one
+    # of the query parser limits.
+    class QueryLimitError < RangeError
+    end
+    # ParamsTooDeepError is the old name for the error that is raised when params
+    # are recursively nested over the specified limit. Make it the same as
+    # as QueryLimitError, so that code that rescues ParamsTooDeepError error
+    # to handle bad query strings also now handles other limits.
+    ParamsTooDeepError = QueryLimitError
-    def self.make_default(_key_space_limit=(not_deprecated = true; nil), param_depth_limit)
+    def self.make_default(_key_space_limit=(not_deprecated = true; nil), param_depth_limit, **options)
       unless not_deprecated
         warn("`first argument `key_space limit` is deprecated and no longer has an effect. Please call with only one argument, which will be required in a future version of Rack", uplevel: 1)
       end
-      new Params, param_depth_limit
+      new Params, param_depth_limit, **options
     end
     attr_reader :param_depth_limit
-    def initialize(params_class, _key_space_limit=(not_deprecated = true; nil), param_depth_limit)
+    env_int = lambda do |key, val|
+      if str_val = ENV[key]
+        begin
+          val = Integer(str_val, 10)
+        rescue ArgumentError
+          raise ArgumentError, "non-integer value provided for environment variable #{key}"
+        end
+      end
+      val
+    end
+    BYTESIZE_LIMIT = env_int.call("RACK_QUERY_PARSER_BYTESIZE_LIMIT", 4194304)
+    private_constant :BYTESIZE_LIMIT
+    PARAMS_LIMIT = env_int.call("RACK_QUERY_PARSER_PARAMS_LIMIT", 4096)
+    private_constant :PARAMS_LIMIT
+    def initialize(params_class, _key_space_limit=(not_deprecated = true; nil), param_depth_limit, bytesize_limit: BYTESIZE_LIMIT, params_limit: PARAMS_LIMIT)
       unless not_deprecated
         warn("`second argument `key_space limit` is deprecated and no longer has an effect. Please call with only two arguments, which will be required in a future version of Rack", uplevel: 1)
       end
       @params_class = params_class
       @param_depth_limit = param_depth_limit
+      @bytesize_limit = bytesize_limit
+      @params_limit = params_limit
     end
     # Stolen from Mongrel, with some small modifications:
@@ -48,7 +75,7 @@ module Rack
       params = make_params
-      (qs || '').split(separator ? (COMMON_SEP[separator] || /[#{separator}] */n) : DEFAULT_SEP).each do |p|
+      check_query_string(qs, separator).split(separator ? (COMMON_SEP[separator] || /[#{separator}] */n) : DEFAULT_SEP).each do |p|
         next if p.empty?
         k, v = p.split('=', 2).map!(&unescaper)
@@ -75,7 +102,7 @@ module Rack
       params = make_params
       unless qs.nil? || qs.empty?
-        (qs || '').split(separator ? (COMMON_SEP[separator] || /[#{separator}] */n) : DEFAULT_SEP).each do |p|
+        check_query_string(qs, separator).split(separator ? (COMMON_SEP[separator] || /[#{separator}] */n) : DEFAULT_SEP).each do |p|
           k, v = p.split('=', 2).map! { |s| unescape(s) }
           _normalize_params(params, k, v, 0)
@@ -190,6 +217,22 @@ module Rack
       true
     end
+    def check_query_string(qs, sep)
+      if qs
+        if qs.bytesize > @bytesize_limit
+          raise QueryLimitError, "total query size (#{qs.bytesize}) exceeds limit (#{@bytesize_limit})"
+        end
+        if (param_count = qs.count(sep.is_a?(String) ? sep : '&')) >= @params_limit
+          raise QueryLimitError, "total number of query parameters (#{param_count+1}) exceeds limit (#{@params_limit})"
+        end
+        qs
+      else
+        ''
+      end
+    end
     def unescape(string, encoding = Encoding::UTF_8)
       URI.decode_www_form_component(string, encoding)
     end

data/lib/rack/version.rb CHANGED Viewed

@@ -25,7 +25,7 @@ module Rack
     VERSION
   end
-  RELEASE = "3.0.15"
+  RELEASE = "3.0.17"
   # Return the Rack release as a dotted string.
   def self.release

metadata CHANGED Viewed

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-  version: 3.0.15
+  version: 3.0.17
 platform: ruby
 authors:
 - Leah Neukirchen
 bindir: bin
 cert_chain: []
-date: 2025-04-13 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -75,9 +75,9 @@ email: leah@vuxu.org
 executables: []
 extensions: []
 extra_rdoc_files:
-- README.md
 - CHANGELOG.md
 - CONTRIBUTING.md
+- README.md
 files:
 - CHANGELOG.md
 - CONTRIBUTING.md
@@ -162,7 +162,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.2
+rubygems_version: 3.6.7
 specification_version: 4
 summary: A modular Ruby webserver interface.
 test_files: []