rack 3.0.4.1 → 3.0.4.2
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of rack might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -0
- data/README.md +21 -5
- data/lib/rack/multipart/parser.rb +16 -4
- data/lib/rack/utils.rb +15 -4
- data/lib/rack/version.rb +1 -1
- metadata +3 -3
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 36b4b5641dd1307c3ce6c486779ed3ff238dd2e102e65dc2eb07a83467cd0acd
|
4
|
+
data.tar.gz: 59205f18ca54c8c03018ccc532a05af39b52cb63bf50f8be6138301620e3b4b5
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: ad6b22a618316744e50fc27a90348d7208b764ef7734555dd32d51b88b13e75023e367926bb18a898d742f0e2c97c188949be1c47678a442f804d04bff4a2326
|
7
|
+
data.tar.gz: b05200d6b7d5c6a0d2035577ffb5c5098d2d78dee3a5f7de5754c65950d53c7dbe7438e1f1a8f6d13d2122e1e6f721541f12ec77886cc32f5c99dd5c0606f5f8
|
data/CHANGELOG.md
CHANGED
@@ -2,6 +2,10 @@
|
|
2
2
|
|
3
3
|
All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
|
4
4
|
|
5
|
+
## [3.0.4.1] - 2023-03-02
|
6
|
+
|
7
|
+
- [CVE-2023-27530] Introduce multipart_total_part_limit to limit total parts
|
8
|
+
|
5
9
|
## [3.0.4.1] - 2023-01-17
|
6
10
|
|
7
11
|
- [CVE-2022-44571] Fix ReDoS vulnerability in multipart parser
|
data/README.md
CHANGED
@@ -186,19 +186,35 @@ but this query string would not be allowed:
|
|
186
186
|
|
187
187
|
Limiting the depth prevents a possible stack overflow when parsing parameters.
|
188
188
|
|
189
|
-
### `
|
189
|
+
### `multipart_file_limit`
|
190
190
|
|
191
191
|
```ruby
|
192
|
-
Rack::Utils.
|
192
|
+
Rack::Utils.multipart_file_limit = 128 # default
|
193
193
|
```
|
194
194
|
|
195
|
-
The maximum number of parts a request can contain. Accepting
|
196
|
-
lead to the server running out of file handles.
|
195
|
+
The maximum number of parts with a filename a request can contain. Accepting
|
196
|
+
too many parts can lead to the server running out of file handles.
|
197
197
|
|
198
198
|
The default is 128, which means that a single request can't upload more than 128
|
199
199
|
files at once. Set to 0 for no limit.
|
200
200
|
|
201
|
-
Can also be set via the `
|
201
|
+
Can also be set via the `RACK_MULTIPART_FILE_LIMIT` environment variable.
|
202
|
+
|
203
|
+
(This is also aliased as `multipart_part_limit` and `RACK_MULTIPART_PART_LIMIT` for compatibility)
|
204
|
+
|
205
|
+
|
206
|
+
### `multipart_total_part_limit`
|
207
|
+
|
208
|
+
The maximum total number of parts a request can contain of any type, including
|
209
|
+
both file and non-file form fields.
|
210
|
+
|
211
|
+
The default is 4096, which means that a single request can't contain more than
|
212
|
+
4096 parts.
|
213
|
+
|
214
|
+
Set to 0 for no limit.
|
215
|
+
|
216
|
+
Can also be set via the `RACK_MULTIPART_TOTAL_PART_LIMIT` environment variable.
|
217
|
+
|
202
218
|
|
203
219
|
## Changelog
|
204
220
|
|
@@ -8,6 +8,8 @@ module Rack
|
|
8
8
|
module Multipart
|
9
9
|
class MultipartPartLimitError < Errno::EMFILE; end
|
10
10
|
|
11
|
+
class MultipartTotalPartLimitError < StandardError; end
|
12
|
+
|
11
13
|
# Use specific error class when parsing multipart request
|
12
14
|
# that ends early.
|
13
15
|
class EmptyContentError < ::EOFError; end
|
@@ -166,7 +168,7 @@ module Rack
|
|
166
168
|
|
167
169
|
@mime_parts[mime_index] = klass.new(body, head, filename, content_type, name)
|
168
170
|
|
169
|
-
|
171
|
+
check_part_limits
|
170
172
|
end
|
171
173
|
|
172
174
|
def on_mime_body(mime_index, content)
|
@@ -178,13 +180,23 @@ module Rack
|
|
178
180
|
|
179
181
|
private
|
180
182
|
|
181
|
-
def
|
182
|
-
|
183
|
-
|
183
|
+
def check_part_limits
|
184
|
+
file_limit = Utils.multipart_file_limit
|
185
|
+
part_limit = Utils.multipart_total_part_limit
|
186
|
+
|
187
|
+
if file_limit && file_limit > 0
|
188
|
+
if @open_files >= file_limit
|
184
189
|
@mime_parts.each(&:close)
|
185
190
|
raise MultipartPartLimitError, 'Maximum file multiparts in content reached'
|
186
191
|
end
|
187
192
|
end
|
193
|
+
|
194
|
+
if part_limit && part_limit > 0
|
195
|
+
if @mime_parts.size >= part_limit
|
196
|
+
@mime_parts.each(&:close)
|
197
|
+
raise MultipartTotalPartLimitError, 'Maximum total multiparts in content reached'
|
198
|
+
end
|
199
|
+
end
|
188
200
|
end
|
189
201
|
end
|
190
202
|
|
data/lib/rack/utils.rb
CHANGED
@@ -58,13 +58,24 @@ module Rack
|
|
58
58
|
end
|
59
59
|
|
60
60
|
class << self
|
61
|
-
attr_accessor :
|
61
|
+
attr_accessor :multipart_total_part_limit
|
62
|
+
|
63
|
+
attr_accessor :multipart_file_limit
|
64
|
+
|
65
|
+
# multipart_part_limit is the original name of multipart_file_limit, but
|
66
|
+
# the limit only counts parts with filenames.
|
67
|
+
alias multipart_part_limit multipart_file_limit
|
68
|
+
alias multipart_part_limit= multipart_file_limit=
|
62
69
|
end
|
63
70
|
|
64
|
-
# The maximum number of parts a request can contain. Accepting too
|
65
|
-
# can lead to the server running out of file handles.
|
71
|
+
# The maximum number of file parts a request can contain. Accepting too
|
72
|
+
# many parts can lead to the server running out of file handles.
|
66
73
|
# Set to `0` for no limit.
|
67
|
-
self.
|
74
|
+
self.multipart_file_limit = (ENV['RACK_MULTIPART_PART_LIMIT'] || ENV['RACK_MULTIPART_FILE_LIMIT'] || 128).to_i
|
75
|
+
|
76
|
+
# The maximum total number of parts a request can contain. Accepting too
|
77
|
+
# many can lead to excessive memory use and parsing time.
|
78
|
+
self.multipart_total_part_limit = (ENV['RACK_MULTIPART_TOTAL_PART_LIMIT'] || 4096).to_i
|
68
79
|
|
69
80
|
def self.param_depth_limit
|
70
81
|
default_query_parser.param_depth_limit
|
data/lib/rack/version.rb
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: rack
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 3.0.4.
|
4
|
+
version: 3.0.4.2
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Leah Neukirchen
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2023-
|
11
|
+
date: 2023-03-02 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: minitest
|
@@ -164,7 +164,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
164
164
|
- !ruby/object:Gem::Version
|
165
165
|
version: '0'
|
166
166
|
requirements: []
|
167
|
-
rubygems_version: 3.1
|
167
|
+
rubygems_version: 3.4.1
|
168
168
|
signing_key:
|
169
169
|
specification_version: 4
|
170
170
|
summary: A modular Ruby webserver interface.
|