rack 3.0.3 → 3.0.4.1
- checksums.yaml +4 -4
- data/CHANGELOG.md +12 -0
- data/lib/rack/constants.rb +1 -0
- data/lib/rack/lint.rb +1 -1
- data/lib/rack/method_override.rb +1 -1
- data/lib/rack/multipart/parser.rb +2 -2
- data/lib/rack/request.rb +28 -19
- data/lib/rack/utils.rb +6 -5
- data/lib/rack/version.rb +1 -1
- metadata +3 -3
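--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 966e37b13d3b25138d48a0a120a35b23f8821c95e55ae1132208dbf6e4d01f3e
+data.tar.gz: 849cf474ff1e7d79f4d1bc6a7b6396c174c21f6f2c5100d7b63030e9cc3fd808
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 781ff34ba58e47c262f239af6d76b697a2d6df26329b21e5d055609c95b2855f13a9355d470c85f0055b6ff135edebdf83dba845452645a7a2965443b49bca8f
+data.tar.gz: 8a56368346afee246702533dfed7b444d2fab999bcc4d405484cb3af0b8e674ffa35509ddd402ed73b7a36bc9f9bb99dd09e2c31dafcb170c4cdbc63a095bd21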
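--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -2,6 +2,18 @@
 
 All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
 
+## [3.0.4.1] - 2023-01-17
+
+- [CVE-2022-44571] Fix ReDoS vulnerability in multipart parser
+- [CVE-2022-44570] Fix ReDoS in Rack::Utils.get_byte_ranges
+- [CVE-2022-44572] Forbid control characters in attributes (also ReDoS)
+
+## [3.0.4] - 2022-01-17
+
+- `Rack::Request#POST` should consistently raise errors. Cache errors that occur when invoking `Rack::Request#POST` so they can be raised again later. ([#2010](https://github.com/rack/rack/pull/2010), [@ioquatix])
+- Fix `Rack::Lint` error message for `HTTP_CONTENT_TYPE` and `HTTP_CONTENT_LENGTH`. ([#2007](https://github.com/rack/rack/pull/2007), [@byroot](https://github.com/byroot))
+- Extend `Rack::MethodOverride` to handle `QueryParser::ParamsTooDeepError` error. ([#2006](https://github.com/rack/rack/pull/2006), [@byroot](https://github.com/byroot))
+
 ## [3.0.3] - 2022-12-27
 
 ### Fixed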
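--- a/data/lib/rack/constants.rb
+++ b/data/lib/rack/constants.rb
@@ -55,6 +55,7 @@ module Rack
 RACK_REQUEST_FORM_INPUT = 'rack.request.form_input'
 RACK_REQUEST_FORM_HASH = 'rack.request.form_hash'
 RACK_REQUEST_FORM_VARS = 'rack.request.form_vars'
+RACK_REQUEST_FORM_ERROR = 'rack.request.form_error'
 RACK_REQUEST_COOKIE_HASH = 'rack.request.cookie_hash'
 RACK_REQUEST_COOKIE_STRING = 'rack.request.cookie_string'
 RACK_REQUEST_QUERY_HASH = 'rack.request.query_hash'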
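--- a/data/lib/rack/lint.rb
+++ b/data/lib/rack/lint.rb
@@ -303,7 +303,7 @@ module Rack
 ## (use the versions without <tt>HTTP_</tt>).
 %w[HTTP_CONTENT_TYPE HTTP_CONTENT_LENGTH].each { |header|
 if env.include? header
-raise LintError, "env contains #{header}, must use #{header[5
+raise LintError, "env contains #{header}, must use #{header[5..-1]}"
 end
 }
 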
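--- a/data/lib/rack/method_override.rb
+++ b/data/lib/rack/method_override.rb
@@ -47,7 +47,7 @@ module Rack
 
 def method_override_param(req)
 req.POST[METHOD_OVERRIDE_PARAM_KEY] if req.form_data? || req.parseable_data?
-rescue Utils::InvalidParameterError, Utils::ParameterTypeError
+rescue Utils::InvalidParameterError, Utils::ParameterTypeError, QueryParser::ParamsTooDeepError
 req.get_header(RACK_ERRORS).puts "Invalid or incomplete POST params"
 rescue EOFError
 req.get_header(RACK_ERRORS).puts "Bad request content body"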
@@ -23,10 +23,10 @@ module Rack
|
|
23
23
|
VALUE = /"(?:\\"|[^"])*"|#{TOKEN}/
|
24
24
|
BROKEN = /^#{CONDISP}.*;\s*filename=(#{VALUE})/i
|
25
25
|
MULTIPART_CONTENT_TYPE = /Content-Type: (.*)#{EOL}/ni
|
26
|
-
MULTIPART_CONTENT_DISPOSITION = /Content-Disposition
|
26
|
+
MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:[^:]*;\s*name=(#{VALUE})/ni
|
27
27
|
MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
|
28
28
|
# Updated definitions from RFC 2231
|
29
|
-
ATTRIBUTE_CHAR = %r{[^ \
|
29
|
+
ATTRIBUTE_CHAR = %r{[^ \x00-\x1f\x7f)(><@,;:\\"/\[\]?='*%]}
|
30
30
|
ATTRIBUTE = /#{ATTRIBUTE_CHAR}+/
|
31
31
|
SECTION = /\*[0-9]+/
|
32
32
|
REGULAR_PARAMETER_NAME = /#{ATTRIBUTE}#{SECTION}?/
|
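--- a/data/lib/rack/request.rb
+++ b/data/lib/rack/request.rb
@@ -496,26 +496,35 @@ module Rack
 # This method support both application/x-www-form-urlencoded and
 # multipart/form-data.
 def POST
-if get_header(
-raise
-
-
-
-
-
-
-
-
-
-
-
-
+if error = get_header(RACK_REQUEST_FORM_ERROR)
+raise error.class, error.message, cause: error.cause
+end
+
+begin
+if get_header(RACK_INPUT).nil?
+raise "Missing rack.input"
+elsif get_header(RACK_REQUEST_FORM_INPUT) == get_header(RACK_INPUT)
+get_header(RACK_REQUEST_FORM_HASH)
+elsif form_data? || parseable_data?
+unless set_header(RACK_REQUEST_FORM_HASH, parse_multipart)
+form_vars = get_header(RACK_INPUT).read
+
+# Fix for Safari Ajax postings that always append \0
+# form_vars.sub!(/\0\z/, '') # performance replacement:
+form_vars.slice!(-1) if form_vars.end_with?("\0")
+
+set_header RACK_REQUEST_FORM_VARS, form_vars
+set_header RACK_REQUEST_FORM_HASH, parse_query(form_vars, '&')
+end
+set_header RACK_REQUEST_FORM_INPUT, get_header(RACK_INPUT)
+get_header RACK_REQUEST_FORM_HASH
+else
+set_header RACK_REQUEST_FORM_INPUT, get_header(RACK_INPUT)
+set_header(RACK_REQUEST_FORM_HASH, {})
 end
-
-
-
-set_header RACK_REQUEST_FORM_INPUT, get_header(RACK_INPUT)
-set_header(RACK_REQUEST_FORM_HASH, {})
+rescue => error
+set_header(RACK_REQUEST_FORM_ERROR, error)
+raise
 end
 end
 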
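Review bot: The replay path at new lines 499-500 constructs a fresh exception with `raise error.class, error.message, cause: error.cause`, which discards the original backtrace, so a second `POST` call reports the re-raise site rather than where parsing actually failed. Passing the stored backtrace through keeps the root cause visible in logs: `raise error.class, error.message, error.backtrace, cause: error.cause`. Since `raise klass, message` goes through `klass.exception(message)`, an exception class whose constructor requires additional arguments would also fail to re-raise here; re-raising the stored object itself (`raise error`) avoids both problems if sharing one instance across calls is acceptable. The `rescue => error` at new line 525 catches `StandardError` only, which presumably matches the errors callers such as `MethodOverride` expect; anything else propagates uncached.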
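--- a/data/lib/rack/utils.rb
+++ b/data/lib/rack/utils.rb
@@ -426,17 +426,18 @@ module Rack
 return nil unless http_range && http_range =~ /bytes=([^;]+)/
 ranges = []
 $1.split(/,\s*/).each do |range_spec|
-return nil
-
-
-
+return nil unless range_spec.include?('-')
+range = range_spec.split('-')
+r0, r1 = range[0], range[1]
+if r0.nil? || r0.empty?
+return nil if r1.nil?
 # suffix-byte-range-spec, represents trailing suffix of file
 r0 = size - r1.to_i
 r0 = 0 if r0 < 0
 r1 = size - 1
 else
 r0 = r0.to_i
-if r1.
+if r1.nil?
 r1 = size - 1
 else
 r1 = r1.to_i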
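Review bot: After the regex was replaced, the only shape check left on a range spec is `range_spec.include?('-')` at new line 429, and `r0.to_i` (line 439) and `r1.to_i` (lines 435 and 443) turn any non-numeric text into 0; a spec such as `abc-` therefore comes out as the full `0..size-1` range, where a digits-only match (the removed pattern is truncated on this page, so this is presumed) would have rejected it. A linear, anchored check restores that without reintroducing backtracking: after new line 431 add `return nil unless r0.to_s.match?(/\A\d*\z/) && r1.to_s.match?(/\A\d*\z/)`. `range_spec.split('-')` also silently drops anything after a second `-`, so `1-2-3` is read as `1-2`; the same guard could require `range.size <= 2`. The remainder of get_byte_ranges, including any later validation of the computed range, is outside the hunk.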
data/lib/rack/version.rb
CHANGED
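--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-version: 3.0.
+version: 3.0.4.1
 platform: ruby
 authors:
 - Leah Neukirchen
 autorequire:
 bindir: bin
 cert_chain: []
-date:
+date: 2023-01-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: minitest
@@ -164,7 +164,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.
+rubygems_version: 3.1.6
 signing_key:
 specification_version: 4
 summary: A modular Ruby webserver interface.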