rack 3.0.4 → 3.0.4.1
- checksums.yaml +4 -4
- data/CHANGELOG.md +6 -0
- data/lib/rack/multipart/parser.rb +2 -2
- data/lib/rack/utils.rb +6 -5
- data/lib/rack/version.rb +1 -1
- metadata +3 -3
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 966e37b13d3b25138d48a0a120a35b23f8821c95e55ae1132208dbf6e4d01f3e
|
4
|
+
data.tar.gz: 849cf474ff1e7d79f4d1bc6a7b6396c174c21f6f2c5100d7b63030e9cc3fd808
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 781ff34ba58e47c262f239af6d76b697a2d6df26329b21e5d055609c95b2855f13a9355d470c85f0055b6ff135edebdf83dba845452645a7a2965443b49bca8f
|
7
|
+
data.tar.gz: 8a56368346afee246702533dfed7b444d2fab999bcc4d405484cb3af0b8e674ffa35509ddd402ed73b7a36bc9f9bb99dd09e2c31dafcb170c4cdbc63a095bd21
|
data/CHANGELOG.md
CHANGED
@@ -2,6 +2,12 @@
|
|
2
2
|
|
3
3
|
All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
|
4
4
|
|
5
|
+
## [3.0.4.1] - 2023-01-17
|
6
|
+
|
7
|
+
- [CVE-2022-44571] Fix ReDoS vulnerability in multipart parser
|
8
|
+
- [CVE-2022-44570] Fix ReDoS in Rack::Utils.get_byte_ranges
|
9
|
+
- [CVE-2022-44572] Forbid control characters in attributes (also ReDoS)
|
10
|
+
|
5
11
|
## [3.0.4] - 2022-01-17
|
6
12
|
|
7
13
|
- `Rack::Request#POST` should consistently raise errors. Cache errors that occur when invoking `Rack::Request#POST` so they can be raised again later. ([#2010](https://github.com/rack/rack/pull/2010), [@ioquatix])
|
@@ -23,10 +23,10 @@ module Rack
|
|
23
23
|
VALUE = /"(?:\\"|[^"])*"|#{TOKEN}/
|
24
24
|
BROKEN = /^#{CONDISP}.*;\s*filename=(#{VALUE})/i
|
25
25
|
MULTIPART_CONTENT_TYPE = /Content-Type: (.*)#{EOL}/ni
|
26
|
-
MULTIPART_CONTENT_DISPOSITION = /Content-Disposition
|
26
|
+
MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:[^:]*;\s*name=(#{VALUE})/ni
|
27
27
|
MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
|
28
28
|
# Updated definitions from RFC 2231
|
29
|
-
ATTRIBUTE_CHAR = %r{[^ \
|
29
|
+
ATTRIBUTE_CHAR = %r{[^ \x00-\x1f\x7f)(><@,;:\\"/\[\]?='*%]}
|
30
30
|
ATTRIBUTE = /#{ATTRIBUTE_CHAR}+/
|
31
31
|
SECTION = /\*[0-9]+/
|
32
32
|
REGULAR_PARAMETER_NAME = /#{ATTRIBUTE}#{SECTION}?/
|
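Review bot: The two tightened constants on new lines 26 and 29 carry no comment saying why they are restricted, so a later edit could loosen them without realising they are the CVE-2022-44571 and CVE-2022-44572 fixes named in the CHANGELOG hunk above. Above `MULTIPART_CONTENT_DISPOSITION` I would add `# [^:]* rather than .*: the scan stops at the next ':' (the following header's separator), keeping matching linear on long headers (CVE-2022-44571)`, and extend the existing RFC 2231 comment above `ATTRIBUTE_CHAR` with `# also excludes CTLs (\x00-\x1f, \x7f), which the CHANGELOG reports as a ReDoS vector (CVE-2022-44572)`. The negated class still admits bytes above \x7f, whereas RFC 2231's attribute-char is US-ASCII only; if that is deliberate for compatibility with existing clients, the same comment should say so. The enclosing class (`module Rack`, per the hunk header) starts above and continues below the hunk, and this section's file header is absent from the page, though the diffstat lists it as data/lib/rack/multipart/parser.rb.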
data/lib/rack/utils.rb
CHANGED
@@ -426,17 +426,18 @@ module Rack
|
|
426
426
|
return nil unless http_range && http_range =~ /bytes=([^;]+)/
|
427
427
|
ranges = []
|
428
428
|
$1.split(/,\s*/).each do |range_spec|
|
429
|
-
return nil
|
430
|
-
|
431
|
-
|
432
|
-
|
429
|
+
return nil unless range_spec.include?('-')
|
430
|
+
range = range_spec.split('-')
|
431
|
+
r0, r1 = range[0], range[1]
|
432
|
+
if r0.nil? || r0.empty?
|
433
|
+
return nil if r1.nil?
|
433
434
|
# suffix-byte-range-spec, represents trailing suffix of file
|
434
435
|
r0 = size - r1.to_i
|
435
436
|
r0 = 0 if r0 < 0
|
436
437
|
r1 = size - 1
|
437
438
|
else
|
438
439
|
r0 = r0.to_i
|
439
|
-
if r1.
|
440
|
+
if r1.nil?
|
440
441
|
r1 = size - 1
|
441
442
|
else
|
442
443
|
r1 = r1.to_i
|
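Review bot: The new parsing on lines 429-432 only checks that a `-` is present and then coerces both halves with `to_i`, so a spec such as `abc-def` or `1-2-3` is accepted (`"abc".to_i` is 0 and the third `split` element is silently dropped) instead of being rejected as malformed; the removed line appears to have matched digits with a regex, so this looks like a loosening of validation, though the old text is truncated on this page. I would replace the guard with `return nil unless range_spec.match?(/\A\d*-\d*\z/)`, which is anchored and has no nested quantifiers, so it stays linear-time while still rejecting non-numeric specs; the existing `nil`/`empty?` handling below already covers `-`, `500-` and `-500`. The enclosing method (presumably `get_byte_ranges`, per the CHANGELOG entry) starts before and ends after the hunk, so any later bound checks on `r0`/`r1` are not visible here.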
data/lib/rack/version.rb
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: rack
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 3.0.4
|
4
|
+
version: 3.0.4.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Leah Neukirchen
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2023-01-
|
11
|
+
date: 2023-01-17 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: minitest
|
@@ -164,7 +164,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
164
164
|
- !ruby/object:Gem::Version
|
165
165
|
version: '0'
|
166
166
|
requirements: []
|
167
|
-
rubygems_version: 3.
|
167
|
+
rubygems_version: 3.1.6
|
168
168
|
signing_key:
|
169
169
|
specification_version: 4
|
170
170
|
summary: A modular Ruby webserver interface.
|