rack 3.0.4 → 3.0.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of rack might be problematic. Click here for more details.

Files changed (6) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +6 -0
  3. data/lib/rack/multipart/parser.rb +2 -2
  4. data/lib/rack/utils.rb +6 -5
  5. data/lib/rack/version.rb +1 -1
  6. metadata +3 -3
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: ad8328dbde3d3a4f12b99302c6503774dc4fd1df98fe89b0bc37bebaad59d38f
4
- data.tar.gz: a48325905bb478c76b43bfa27f5d08c6ba964d0b08f63e286058bb5c565c8517
3
+ metadata.gz: 966e37b13d3b25138d48a0a120a35b23f8821c95e55ae1132208dbf6e4d01f3e
4
+ data.tar.gz: 849cf474ff1e7d79f4d1bc6a7b6396c174c21f6f2c5100d7b63030e9cc3fd808
5
5
  SHA512:
6
- metadata.gz: 2a7d662d3ccac62525bd0c2c1be74512a35044f46f085f98bb2a561f459fcff009f10966d97f3842e71d60b3d75c82a7757830ff1eebff8da96ca14ee52e8d91
7
- data.tar.gz: 2e6228809047c2876fc8d306b55bc42ca8e8fdfb6419b30e3e5a869cab393279c30bf73be93337323ccf9338e421596c943c04f0ea9b08fbb3a19a94fd50fa56
6
+ metadata.gz: 781ff34ba58e47c262f239af6d76b697a2d6df26329b21e5d055609c95b2855f13a9355d470c85f0055b6ff135edebdf83dba845452645a7a2965443b49bca8f
7
+ data.tar.gz: 8a56368346afee246702533dfed7b444d2fab999bcc4d405484cb3af0b8e674ffa35509ddd402ed73b7a36bc9f9bb99dd09e2c31dafcb170c4cdbc63a095bd21
data/CHANGELOG.md CHANGED
@@ -2,6 +2,12 @@
2
2
 
3
3
  All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
4
4
 
5
+ ## [3.0.4.1] - 2023-01-17
6
+
7
+ - [CVE-2022-44571] Fix ReDoS vulnerability in multipart parser
8
+ - [CVE-2022-44570] Fix ReDoS in Rack::Utils.get_byte_ranges
9
+ - [CVE-2022-44572] Forbid control characters in attributes (also ReDoS)
10
+
5
11
  ## [3.0.4] - 2022-01-17
6
12
 
7
13
  - `Rack::Request#POST` should consistently raise errors. Cache errors that occur when invoking `Rack::Request#POST` so they can be raised again later. ([#2010](https://github.com/rack/rack/pull/2010), [@ioquatix])
data/lib/rack/multipart/parser.rb CHANGED
@@ -23,10 +23,10 @@ module Rack
23
23
  VALUE = /"(?:\\"|[^"])*"|#{TOKEN}/
24
24
  BROKEN = /^#{CONDISP}.*;\s*filename=(#{VALUE})/i
25
25
  MULTIPART_CONTENT_TYPE = /Content-Type: (.*)#{EOL}/ni
26
- MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:.*;\s*name=(#{VALUE})/ni
26
+ MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:[^:]*;\s*name=(#{VALUE})/ni
27
27
  MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
28
28
  # Updated definitions from RFC 2231
29
- ATTRIBUTE_CHAR = %r{[^ \t\v\n\r)(><@,;:\\"/\[\]?='*%]}
29
+ ATTRIBUTE_CHAR = %r{[^ \x00-\x1f\x7f)(><@,;:\\"/\[\]?='*%]}
30
30
  ATTRIBUTE = /#{ATTRIBUTE_CHAR}+/
31
31
  SECTION = /\*[0-9]+/
32
32
  REGULAR_PARAMETER_NAME = /#{ATTRIBUTE}#{SECTION}?/
data/lib/rack/utils.rb CHANGED
@@ -426,17 +426,18 @@ module Rack
426
426
  return nil unless http_range && http_range =~ /bytes=([^;]+)/
427
427
  ranges = []
428
428
  $1.split(/,\s*/).each do |range_spec|
429
- return nil unless range_spec =~ /(\d*)-(\d*)/
430
- r0, r1 = $1, $2
431
- if r0.empty?
432
- return nil if r1.empty?
429
+ return nil unless range_spec.include?('-')
430
+ range = range_spec.split('-')
431
+ r0, r1 = range[0], range[1]
432
+ if r0.nil? || r0.empty?
433
+ return nil if r1.nil?
433
434
  # suffix-byte-range-spec, represents trailing suffix of file
434
435
  r0 = size - r1.to_i
435
436
  r0 = 0 if r0 < 0
436
437
  r1 = size - 1
437
438
  else
438
439
  r0 = r0.to_i
439
- if r1.empty?
440
+ if r1.nil?
440
441
  r1 = size - 1
441
442
  else
442
443
  r1 = r1.to_i
data/lib/rack/version.rb CHANGED
@@ -25,7 +25,7 @@ module Rack
25
25
  VERSION
26
26
  end
27
27
 
28
- RELEASE = "3.0.4"
28
+ RELEASE = "3.0.4.1"
29
29
 
30
30
  # Return the Rack release as a dotted string.
31
31
  def self.release
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rack
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.0.4
4
+ version: 3.0.4.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Leah Neukirchen
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2023-01-16 00:00:00.000000000 Z
11
+ date: 2023-01-17 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: minitest
@@ -164,7 +164,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
164
164
  - !ruby/object:Gem::Version
165
165
  version: '0'
166
166
  requirements: []
167
- rubygems_version: 3.4.1
167
+ rubygems_version: 3.1.6
168
168
  signing_key:
169
169
  specification_version: 4
170
170
  summary: A modular Ruby webserver interface.