rack 3.0.4.1 → 3.0.4.2

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.

This version of rack might be problematic. Click here for more details.

Files changed (7) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +4 -0
  3. data/README.md +21 -5
  4. data/lib/rack/multipart/parser.rb +16 -4
  5. data/lib/rack/utils.rb +15 -4
  6. data/lib/rack/version.rb +1 -1
  7. metadata +3 -3
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 966e37b13d3b25138d48a0a120a35b23f8821c95e55ae1132208dbf6e4d01f3e
4
- data.tar.gz: 849cf474ff1e7d79f4d1bc6a7b6396c174c21f6f2c5100d7b63030e9cc3fd808
3
+ metadata.gz: 36b4b5641dd1307c3ce6c486779ed3ff238dd2e102e65dc2eb07a83467cd0acd
4
+ data.tar.gz: 59205f18ca54c8c03018ccc532a05af39b52cb63bf50f8be6138301620e3b4b5
5
5
  SHA512:
6
- metadata.gz: 781ff34ba58e47c262f239af6d76b697a2d6df26329b21e5d055609c95b2855f13a9355d470c85f0055b6ff135edebdf83dba845452645a7a2965443b49bca8f
7
- data.tar.gz: 8a56368346afee246702533dfed7b444d2fab999bcc4d405484cb3af0b8e674ffa35509ddd402ed73b7a36bc9f9bb99dd09e2c31dafcb170c4cdbc63a095bd21
6
+ metadata.gz: ad6b22a618316744e50fc27a90348d7208b764ef7734555dd32d51b88b13e75023e367926bb18a898d742f0e2c97c188949be1c47678a442f804d04bff4a2326
7
+ data.tar.gz: b05200d6b7d5c6a0d2035577ffb5c5098d2d78dee3a5f7de5754c65950d53c7dbe7438e1f1a8f6d13d2122e1e6f721541f12ec77886cc32f5c99dd5c0606f5f8
data/CHANGELOG.md CHANGED
@@ -2,6 +2,10 @@
2
2
 
3
3
  All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
4
4
 
5
+ ## [3.0.4.1] - 2023-03-02
6
+
7
+ - [CVE-2023-27530] Introduce multipart_total_part_limit to limit total parts
8
+
5
9
  ## [3.0.4.1] - 2023-01-17
6
10
 
7
11
  - [CVE-2022-44571] Fix ReDoS vulnerability in multipart parser
data/README.md CHANGED
@@ -186,19 +186,35 @@ but this query string would not be allowed:
186
186
 
187
187
  Limiting the depth prevents a possible stack overflow when parsing parameters.
188
188
 
189
- ### `multipart_part_limit`
189
+ ### `multipart_file_limit`
190
190
 
191
191
  ```ruby
192
- Rack::Utils.multipart_part_limit = 128 # default
192
+ Rack::Utils.multipart_file_limit = 128 # default
193
193
  ```
194
194
 
195
- The maximum number of parts a request can contain. Accepting too many parts can
196
- lead to the server running out of file handles.
195
+ The maximum number of parts with a filename a request can contain. Accepting
196
+ too many parts can lead to the server running out of file handles.
197
197
 
198
198
  The default is 128, which means that a single request can't upload more than 128
199
199
  files at once. Set to 0 for no limit.
200
200
 
201
- Can also be set via the `RACK_MULTIPART_PART_LIMIT` environment variable.
201
+ Can also be set via the `RACK_MULTIPART_FILE_LIMIT` environment variable.
202
+
203
+ (This is also aliased as `multipart_part_limit` and `RACK_MULTIPART_PART_LIMIT` for compatibility)
204
+
205
+
206
+ ### `multipart_total_part_limit`
207
+
208
+ The maximum total number of parts a request can contain of any type, including
209
+ both file and non-file form fields.
210
+
211
+ The default is 4096, which means that a single request can't contain more than
212
+ 4096 parts.
213
+
214
+ Set to 0 for no limit.
215
+
216
+ Can also be set via the `RACK_MULTIPART_TOTAL_PART_LIMIT` environment variable.
217
+
202
218
 
203
219
  ## Changelog
204
220
 
data/lib/rack/multipart/parser.rb CHANGED
@@ -8,6 +8,8 @@ module Rack
8
8
  module Multipart
9
9
  class MultipartPartLimitError < Errno::EMFILE; end
10
10
 
11
+ class MultipartTotalPartLimitError < StandardError; end
12
+
11
13
  # Use specific error class when parsing multipart request
12
14
  # that ends early.
13
15
  class EmptyContentError < ::EOFError; end
@@ -166,7 +168,7 @@ module Rack
166
168
 
167
169
  @mime_parts[mime_index] = klass.new(body, head, filename, content_type, name)
168
170
 
169
- check_open_files
171
+ check_part_limits
170
172
  end
171
173
 
172
174
  def on_mime_body(mime_index, content)
@@ -178,13 +180,23 @@ module Rack
178
180
 
179
181
  private
180
182
 
181
- def check_open_files
182
- if Utils.multipart_part_limit > 0
183
- if @open_files >= Utils.multipart_part_limit
183
+ def check_part_limits
184
+ file_limit = Utils.multipart_file_limit
185
+ part_limit = Utils.multipart_total_part_limit
186
+
187
+ if file_limit && file_limit > 0
188
+ if @open_files >= file_limit
184
189
  @mime_parts.each(&:close)
185
190
  raise MultipartPartLimitError, 'Maximum file multiparts in content reached'
186
191
  end
187
192
  end
193
+
194
+ if part_limit && part_limit > 0
195
+ if @mime_parts.size >= part_limit
196
+ @mime_parts.each(&:close)
197
+ raise MultipartTotalPartLimitError, 'Maximum total multiparts in content reached'
198
+ end
199
+ end
188
200
  end
189
201
  end
190
202
 
data/lib/rack/utils.rb CHANGED
@@ -58,13 +58,24 @@ module Rack
58
58
  end
59
59
 
60
60
  class << self
61
- attr_accessor :multipart_part_limit
61
+ attr_accessor :multipart_total_part_limit
62
+
63
+ attr_accessor :multipart_file_limit
64
+
65
+ # multipart_part_limit is the original name of multipart_file_limit, but
66
+ # the limit only counts parts with filenames.
67
+ alias multipart_part_limit multipart_file_limit
68
+ alias multipart_part_limit= multipart_file_limit=
62
69
  end
63
70
 
64
- # The maximum number of parts a request can contain. Accepting too many part
65
- # can lead to the server running out of file handles.
71
+ # The maximum number of file parts a request can contain. Accepting too
72
+ # many parts can lead to the server running out of file handles.
66
73
  # Set to `0` for no limit.
67
- self.multipart_part_limit = (ENV['RACK_MULTIPART_PART_LIMIT'] || 128).to_i
74
+ self.multipart_file_limit = (ENV['RACK_MULTIPART_PART_LIMIT'] || ENV['RACK_MULTIPART_FILE_LIMIT'] || 128).to_i
75
+
76
+ # The maximum total number of parts a request can contain. Accepting too
77
+ # many can lead to excessive memory use and parsing time.
78
+ self.multipart_total_part_limit = (ENV['RACK_MULTIPART_TOTAL_PART_LIMIT'] || 4096).to_i
68
79
 
69
80
  def self.param_depth_limit
70
81
  default_query_parser.param_depth_limit
data/lib/rack/version.rb CHANGED
@@ -25,7 +25,7 @@ module Rack
25
25
  VERSION
26
26
  end
27
27
 
28
- RELEASE = "3.0.4.1"
28
+ RELEASE = "3.0.4.2"
29
29
 
30
30
  # Return the Rack release as a dotted string.
31
31
  def self.release
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rack
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.0.4.1
4
+ version: 3.0.4.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Leah Neukirchen
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2023-01-17 00:00:00.000000000 Z
11
+ date: 2023-03-02 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: minitest
@@ -164,7 +164,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
164
164
  - !ruby/object:Gem::Version
165
165
  version: '0'
166
166
  requirements: []
167
- rubygems_version: 3.1.6
167
+ rubygems_version: 3.4.1
168
168
  signing_key:
169
169
  specification_version: 4
170
170
  summary: A modular Ruby webserver interface.