rack 3.0.4 → 3.0.4.1
- checksums.yaml +4 -4
- data/CHANGELOG.md +6 -0
- data/lib/rack/multipart/parser.rb +2 -2
- data/lib/rack/utils.rb +6 -5
- data/lib/rack/version.rb +1 -1
- metadata +3 -3
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 966e37b13d3b25138d48a0a120a35b23f8821c95e55ae1132208dbf6e4d01f3e
|
4
|
+
data.tar.gz: 849cf474ff1e7d79f4d1bc6a7b6396c174c21f6f2c5100d7b63030e9cc3fd808
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 781ff34ba58e47c262f239af6d76b697a2d6df26329b21e5d055609c95b2855f13a9355d470c85f0055b6ff135edebdf83dba845452645a7a2965443b49bca8f
|
7
|
+
data.tar.gz: 8a56368346afee246702533dfed7b444d2fab999bcc4d405484cb3af0b8e674ffa35509ddd402ed73b7a36bc9f9bb99dd09e2c31dafcb170c4cdbc63a095bd21
|
data/CHANGELOG.md
CHANGED
@@ -2,6 +2,12 @@
|
|
2
2
|
|
3
3
|
All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
|
4
4
|
|
5
|
+
## [3.0.4.1] - 2023-01-17
|
6
|
+
|
7
|
+
- [CVE-2022-44571] Fix ReDoS vulnerability in multipart parser
|
8
|
+
- [CVE-2022-44570] Fix ReDoS in Rack::Utils.get_byte_ranges
|
9
|
+
- [CVE-2022-44572] Forbid control characters in attributes (also ReDoS)
|
10
|
+
|
5
11
|
## [3.0.4] - 2022-01-17
|
6
12
|
|
7
13
|
- `Rack::Request#POST` should consistently raise errors. Cache errors that occur when invoking `Rack::Request#POST` so they can be raised again later. ([#2010](https://github.com/rack/rack/pull/2010), [@ioquatix])
|
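--- a/data/lib/rack/multipart/parser.rb
+++ b/data/lib/rack/multipart/parser.rb
@@ -23,10 +23,10 @@ module Rack
 VALUE = /"(?:\\"|[^"])*"|#{TOKEN}/
 BROKEN = /^#{CONDISP}.*;\s*filename=(#{VALUE})/i
 MULTIPART_CONTENT_TYPE = /Content-Type: (.*)#{EOL}/ni
-MULTIPART_CONTENT_DISPOSITION = /Content-Disposition
+MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:[^:]*;\s*name=(#{VALUE})/ni
 MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
 # Updated definitions from RFC 2231
-ATTRIBUTE_CHAR = %r{[^ \
+ATTRIBUTE_CHAR = %r{[^ \x00-\x1f\x7f)(><@,;:\\"/\[\]?='*%]}
 ATTRIBUTE = /#{ATTRIBUTE_CHAR}+/
 SECTION = /\*[0-9]+/
 REGULAR_PARAMETER_NAME = /#{ATTRIBUTE}#{SECTION}?/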
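Review bot: The new `MULTIPART_CONTENT_DISPOSITION` on line 26 carries no comment explaining why the scan is written as `[^:]*`, and the removed line is truncated in this view, so the next reader cannot tell that this is the CVE-2022-44571 fix named in the changelog; I would add above it `# [^:]* cannot run past the next header's ':', so a missing "name=" is retried only within this header (CVE-2022-44571)`. The unchanged `BROKEN` on line 24 still scans with `.*;\s*filename=`; if bounding the scan is the ReDoS fix, either apply the same bound there or note why that pattern is considered safe. `ATTRIBUTE_CHAR` on line 29 now rejects CTLs, but as a negated class it still accepts any non-ASCII character, whereas RFC 2231's attribute-char is limited to US-ASCII — presumably deliberate for existing uploads, but worth a one-line comment. These constants belong to a class whose definition starts before this hunk.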
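--- a/data/lib/rack/utils.rb
+++ b/data/lib/rack/utils.rb
@@ -426,17 +426,18 @@ module Rack
 return nil unless http_range && http_range =~ /bytes=([^;]+)/
 ranges = []
 $1.split(/,\s*/).each do |range_spec|
-return nil
-
-
-
+return nil unless range_spec.include?('-')
+range = range_spec.split('-')
+r0, r1 = range[0], range[1]
+if r0.nil? || r0.empty?
+return nil if r1.nil?
 # suffix-byte-range-spec, represents trailing suffix of file
 r0 = size - r1.to_i
 r0 = 0 if r0 < 0
 r1 = size - 1
 else
 r0 = r0.to_i
-if r1.
+if r1.nil?
 r1 = size - 1
 else
 r1 = r1.to_i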
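Review bot: The new guard on line 429 only requires a `-`, so the `to_i` calls on lines 435, 439 and 443 silently coerce non-numeric text — `bytes=abc-def` becomes the range 0-0 and `bytes=5x-` becomes 5 to end-of-file — rather than the spec being treated as malformed; tightening it to `return nil unless range_spec.match?(/\A\d*-\d*\z/)` keeps the regex-free arithmetic that addresses CVE-2022-44570 (that pattern is anchored with no nested quantifiers, so it cannot backtrack super-linearly) while discarding bad specs. The `split('-')` on line 430 also drops any third segment without complaint, so `5-10-20` is accepted as `5-10`; the anchored guard rejects that too. Whether the old code rejected such input is not recoverable from the truncated removed lines, so please confirm against the 3.0.4 regex before changing the contract. `get_byte_ranges` begins and ends outside this hunk.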
data/lib/rack/version.rb
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: rack
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 3.0.4
|
4
|
+
version: 3.0.4.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Leah Neukirchen
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2023-01-
|
11
|
+
date: 2023-01-17 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: minitest
|
@@ -164,7 +164,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
164
164
|
- !ruby/object:Gem::Version
|
165
165
|
version: '0'
|
166
166
|
requirements: []
|
167
|
-
rubygems_version: 3.
|
167
|
+
rubygems_version: 3.1.6
|
168
168
|
signing_key:
|
169
169
|
specification_version: 4
|
170
170
|
summary: A modular Ruby webserver interface.
|