rack 3.0.9 → 3.0.10

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4063f145d38b9ec7101601a160926920bfef59a2b242d0430c41b5162e9fc48b
-  data.tar.gz: 8c6e85626ebab7745717aa5062e74a96f23a7cadcbcfa4a7585073c1ac61ca93
+  metadata.gz: '02708966a52d0c3f5837969a1be34245fe608b2b195e05a5f6d01a192c54a104'
+  data.tar.gz: ce9f131cb863d4c4fd215cfc612cad5f90368187d20eaabd70db6f5cc8fd14ea
 SHA512:
-  metadata.gz: b4f8bf6c7cf2bbd9f5dde2006dc0c3f36b2b5ad26324b464f0045c5fa48328e1dee092f203fc0108a53ef3c89e671172341e85063ce0717ead283fbffb26cd78
-  data.tar.gz: 9a643663e97f987420d081f3becc998e29fa19592325605d83bd83bffff3c302699e8bb4617336c6efc8e45bdaad170b57ba835fe79dfc5e250b7769adc51a54
+  metadata.gz: 5d7a4f539b7abd7e28908da9c34d29ef6df3a1bb80e52ec656dc9324bdf5573b2213e82bb01175327f701c9275f404a790ddb3ee42ceeba7dac0d579f68f6cd6
+  data.tar.gz: 125fb761b1d4e979936a4587146c41623d03c26561c8e36501efb25735cb8ff122bcf2fe77382850ea3c28559ef2aa3f5dba64dba86530c02359a6be6ac0a3bf

data/CHANGELOG.md

@@ -4,9 +4,13 @@ All notable changes to this project will be documented in this file. For info on
 
 ## Unreleased
 
+## [3.0.10] - 2024-03-21
+
+- Backport #2104 to 3-0-stable: Return empty when parsing a multi-part POST with only one end delimiter. ([#2164](https://github.com/rack/rack/pull/2164), [@JoeDupuis](https://github.com/JoeDupuis))
+
 ## [3.0.9] - 2024-01-31
 
-- Fix incorrect content-length header that was emitted when `Rack::Response#write` was used in some situations. ([#2150](https://github.com/rack/rack/pull/2150), [@mattbrictson])
+- Fix incorrect content-length header that was emitted when `Rack::Response#write` was used in some situations. ([#2150](https://github.com/rack/rack/pull/2150), [@mattbrictson](https://github.com/mattbrictson))
 
 ## [3.0.8] - 2023-06-14
 

data/lib/rack/media_type.rb

@@ -4,7 +4,7 @@ module Rack
   # Rack::MediaType parse media type and parameters out of content_type string
 
   class MediaType
-    SPLIT_PATTERN = %r{\s*[;,]\s*}
+    SPLIT_PATTERN = /[;,]/
 
     class << self
       # The media type (type/subtype) portion of the CONTENT_TYPE header
@@ -15,7 +15,11 @@ module Rack
       # http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.7
       def type(content_type)
         return nil unless content_type
-        content_type.split(SPLIT_PATTERN, 2).first.tap(&:downcase!)
+        if type = content_type.split(SPLIT_PATTERN, 2).first
+          type.rstrip!
+          type.downcase!
+          type
+        end
       end
 
       # The media type parameters provided in CONTENT_TYPE as a Hash, or
@@ -27,9 +31,10 @@ module Rack
         return {} if content_type.nil?
 
         content_type.split(SPLIT_PATTERN)[1..-1].each_with_object({}) do |s, hsh|
+          s.strip!
           k, v = s.split('=', 2)
-
-          hsh[k.tap(&:downcase!)] = strip_doublequotes(v)
+          k.downcase!
+          hsh[k] = strip_doublequotes(v)
         end
       end
 

data/lib/rack/multipart/parser.rb

@@ -213,6 +213,7 @@ module Rack
 
         @sbuf = StringScanner.new("".dup)
         @body_regex = /(?:#{EOL}|\A)--#{Regexp.quote(boundary)}(?:#{EOL}|--)/m
+        @end_boundary_size = boundary.bytesize + 4 # (-- at start, -- at finish)
         @rx_max_size = boundary.bytesize + 6 # (\r\n-- at start, either \r\n or -- at finish)
         @head_regex = /(.*?#{EOL})#{EOL}/m
       end
@@ -279,7 +280,14 @@ module Rack
             @state = :MIME_HEAD
             return
           when :END_BOUNDARY
-            # invalid multipart upload, but retry for opening boundary
+            # invalid multipart upload
+            if @sbuf.pos == @end_boundary_size && @sbuf.rest == EOL
+              # stop parsing a buffer if a buffer is only an end boundary.
+              @state = :DONE
+              return
+            end
+
+            # retry for opening boundary
           else
             # no boundary found, keep reading data
             return :want_read

data/lib/rack/utils.rb

@@ -143,8 +143,8 @@ module Rack
     end
 
     def q_values(q_value_header)
-      q_value_header.to_s.split(/\s*,\s*/).map do |part|
-        value, parameters = part.split(/\s*;\s*/, 2)
+      q_value_header.to_s.split(',').map do |part|
+        value, parameters = part.split(';', 2).map(&:strip)
         quality = 1.0
         if parameters && (md = /\Aq=([\d.]+)/.match(parameters))
           quality = md[1].to_f
@@ -157,9 +157,10 @@ module Rack
       return nil unless forwarded_header
       forwarded_header = forwarded_header.to_s.gsub("\n", ";")
 
-      forwarded_header.split(/\s*;\s*/).each_with_object({}) do |field, values|
-        field.split(/\s*,\s*/).each do |pair|
-          return nil unless pair =~ /\A\s*(by|for|host|proto)\s*=\s*"?([^"]+)"?\s*\Z/i
+      forwarded_header.split(';').each_with_object({}) do |field, values|
+        field.split(',').each do |pair|
+          pair = pair.split('=').map(&:strip).join('=')
+          return nil unless pair =~ /\A(by|for|host|proto)="?([^"]+)"?\Z/i
           (values[$1.downcase.to_sym] ||= []) << $2
         end
       end
@@ -458,6 +459,9 @@ module Rack
         end
         ranges << (r0..r1)  if r0 <= r1
       end
+
+      return [] if ranges.map(&:size).sum > size
+
       ranges
     end
 

data/lib/rack/version.rb

@@ -25,7 +25,7 @@ module Rack
     VERSION
   end
 
-  RELEASE = "3.0.9"
+  RELEASE = "3.0.10"
 
   # Return the Rack release as a dotted string.
   def self.release

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-  version: 3.0.9
+  version: 3.0.10
 platform: ruby
 authors:
 - Leah Neukirchen
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-01-31 00:00:00.000000000 Z
+date: 2024-03-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -164,7 +164,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.5
+rubygems_version: 3.5.3
 signing_key:
 specification_version: 4
 summary: A modular Ruby webserver interface.