rack 3.0.4 → 3.0.4.1

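--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: ad8328dbde3d3a4f12b99302c6503774dc4fd1df98fe89b0bc37bebaad59d38f
-data.tar.gz: a48325905bb478c76b43bfa27f5d08c6ba964d0b08f63e286058bb5c565c8517
+metadata.gz: 966e37b13d3b25138d48a0a120a35b23f8821c95e55ae1132208dbf6e4d01f3e
+data.tar.gz: 849cf474ff1e7d79f4d1bc6a7b6396c174c21f6f2c5100d7b63030e9cc3fd808
 SHA512:
-metadata.gz: 2a7d662d3ccac62525bd0c2c1be74512a35044f46f085f98bb2a561f459fcff009f10966d97f3842e71d60b3d75c82a7757830ff1eebff8da96ca14ee52e8d91
-data.tar.gz: 2e6228809047c2876fc8d306b55bc42ca8e8fdfb6419b30e3e5a869cab393279c30bf73be93337323ccf9338e421596c943c04f0ea9b08fbb3a19a94fd50fa56
+metadata.gz: 781ff34ba58e47c262f239af6d76b697a2d6df26329b21e5d055609c95b2855f13a9355d470c85f0055b6ff135edebdf83dba845452645a7a2965443b49bca8f
+data.tar.gz: 8a56368346afee246702533dfed7b444d2fab999bcc4d405484cb3af0b8e674ffa35509ddd402ed73b7a36bc9f9bb99dd09e2c31dafcb170c4cdbc63a095bd21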
data/CHANGELOG.md CHANGED
@@ -2,6 +2,12 @@
2
2
 
3
3
  All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
4
4
 
5
+ ## [3.0.4.1] - 2023-01-17
6
+
7
+ - [CVE-2022-44571] Fix ReDoS vulnerability in multipart parser
8
+ - [CVE-2022-44570] Fix ReDoS in Rack::Utils.get_byte_ranges
9
+ - [CVE-2022-44572] Forbid control characters in attributes (also ReDoS)
10
+
5
11
  ## [3.0.4] - 2022-01-17
6
12
 
7
13
  - `Rack::Request#POST` should consistently raise errors. Cache errors that occur when invoking `Rack::Request#POST` so they can be raised again later. ([#2010](https://github.com/rack/rack/pull/2010), [@ioquatix])
@@ -23,10 +23,10 @@ module Rack
23
23
  VALUE = /"(?:\\"|[^"])*"|#{TOKEN}/
24
24
  BROKEN = /^#{CONDISP}.*;\s*filename=(#{VALUE})/i
25
25
  MULTIPART_CONTENT_TYPE = /Content-Type: (.*)#{EOL}/ni
26
- MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:.*;\s*name=(#{VALUE})/ni
26
+ MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:[^:]*;\s*name=(#{VALUE})/ni
27
27
  MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
28
28
  # Updated definitions from RFC 2231
29
- ATTRIBUTE_CHAR = %r{[^ \t\v\n\r)(><@,;:\\"/\[\]?='*%]}
29
+ ATTRIBUTE_CHAR = %r{[^ \x00-\x1f\x7f)(><@,;:\\"/\[\]?='*%]}
30
30
  ATTRIBUTE = /#{ATTRIBUTE_CHAR}+/
31
31
  SECTION = /\*[0-9]+/
32
32
  REGULAR_PARAMETER_NAME = /#{ATTRIBUTE}#{SECTION}?/
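Review bot: The new `ATTRIBUTE_CHAR` class at line 29 excludes 0x00–0x1f and 0x7f but, being a negated class, still admits bytes 0x80 and above; RFC 2231's attribute-char is US-ASCII only, so whether high bytes are acceptable here depends on the regexp's encoding handling, which this hunk does not show, and it is worth confirming and recording. The `# Updated definitions from RFC 2231` comment on line 28 should also say why the class was tightened, e.g. `# Control characters (\x00-\x1f, \x7f) are excluded from attribute names; see CVE-2022-44572.` This hunk's context (`module Rack`, the multipart constants) belongs to a Ruby source file, not `data/CHANGELOG.md`; the file header for it appears to have been lost on this page. The enclosing module starts and ends outside the hunk.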
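--- a/data/lib/rack/utils.rb
+++ b/data/lib/rack/utils.rb
@@ -426,17 +426,18 @@ module Rack
 return nil unless http_range && http_range =~ /bytes=([^;]+)/
 ranges = []
 $1.split(/,\s*/).each do |range_spec|
-return nil unless range_spec =~ /(\d*)-(\d*)/
-r0, r1 = $1, $2
-if r0.empty?
-return nil if r1.empty?
+return nil unless range_spec.include?('-')
+range = range_spec.split('-')
+r0, r1 = range[0], range[1]
+if r0.nil? || r0.empty?
+return nil if r1.nil?
 # suffix-byte-range-spec, represents trailing suffix of file
 r0 = size - r1.to_i
 r0 = 0 if r0 < 0
 r1 = size - 1
 else
 r0 = r0.to_i
-if r1.empty?
+if r1.nil?
 r1 = size - 1
 else
 r1 = r1.to_i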
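Review bot: In the new parsing at lines 429–432, `r0.to_i` and `r1.to_i` silently coerce non-numeric text to 0, so a spec such as `abc-def` now yields `r0 = 0, r1 = 0` and falls through as a range, whereas the replaced `/(\d*)-(\d*)/` path returned nil for it (its groups were both empty). A digits-only check can be restored without an ambiguous pattern, e.g. `return nil unless range_spec.match?(/\A\d*-\d*\z/)` before the `split('-')`; it is anchored and linear, and it also rejects `1-2-3`, which the old unanchored regex silently truncated to `1-2`. Separately, `'--5'.split('-')` gives `["", "", "5"]`, so `r1` can be an empty string rather than nil and the suffix branch computes `size - 0`; the anchored check excludes that case as well. `get_byte_ranges` begins and ends outside the hunk, so how the computed `r0`/`r1` pair is accepted into `ranges` is not visible here.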
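--- a/data/lib/rack/version.rb
+++ b/data/lib/rack/version.rb
@@ -25,7 +25,7 @@ module Rack
 VERSION
 end
 
-RELEASE = "3.0.4"
+RELEASE = "3.0.4.1"
 
 # Return the Rack release as a dotted string.
 def self.release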
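--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-version: 3.0.4
+version: 3.0.4.1
 platform: ruby
 authors:
 - Leah Neukirchen
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-01-16 00:00:00.000000000 Z
+date: 2023-01-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: minitest
@@ -164,7 +164,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.4.1
+rubygems_version: 3.1.6
 signing_key:
 specification_version: 4
 summary: A modular Ruby webserver interface.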