rack 3.1.11 → 3.1.13

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 90c0540cb367990c1d880a1645e175ec6b69f3fe8463f415a3f6e85771169914
4
- data.tar.gz: b18a53def64cd7b67d70afa9e2748a5ceb49827c44c4481da19749b101574d32
3
+ metadata.gz: c37d6fcc7c80a646ee683678ba8c3d17646af8d98f31902b8e6ee3449f914821
4
+ data.tar.gz: a28c9a12f6a1ee7ba418c5e997c93793332e84baa9974df03fae28f04e0f1c9f
5
5
  SHA512:
6
- metadata.gz: bf8fa1f298a40a4754768911053dd57c5fc269f81134faaac3cd49375d86e06bcf26999a35c897ee1a24de18d4246320cbf523b0f3666a0586166fbad9790c68
7
- data.tar.gz: 8da18291a78c744f9a63a5afaaf24f97c96dddaf34a8b65e1e364cc5ff8dcb0d55007b07b963e9954c0a283bdd1899c5067501c3d465355ccde6829028640fc7
6
+ metadata.gz: 23bedeb70ddc2c16a70bee1112dd5b9fe2ae6f25bc4151e927073ade7e604349150855e37c26277ab06b9830b4373306c72ca3806bdd140bbf24881a7153b4d7
7
+ data.tar.gz: f7ab42b0cadfa26487f04dfc1cb55d19fe18c662f51a800fa271c95ea29724834a0f773f480a891d04af68b3182065e5f6e14af64f86ffd55977a1cc26bef1cf
data/CHANGELOG.md CHANGED
@@ -2,6 +2,16 @@
2
2
 
3
3
  All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
4
4
 
5
+ ## [3.1.13] - 2025-04-13
6
+
7
+ - Ensure `Rack::ETag` correctly updates response body. ([#2324](https://github.com/rack/rack/pull/2324), [@ioquatix])
8
+
9
+ ## [3.1.12] - 2025-03-11
10
+
11
+ ### Security
12
+
13
+ - [CVE-2025-27610](https://github.com/rack/rack/security/advisories/GHSA-7wqh-767x-r66v) Local file inclusion in `Rack::Static`.
14
+
5
15
  ## [3.1.11] - 2025-03-04
6
16
 
7
17
  ### Security
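Review bot: The new `## [3.1.13]` entry puts its bullet directly under the version heading, while the `## [3.1.12]` entry added below it and the existing `## [3.1.11]` entry both use a `### Security` category heading. The file's own header points at Keep A Changelog for formatting, so the `Rack::ETag` bullet should sit under a category heading such as `### Fixed`. That also makes it obvious at a glance that 3.1.13 carries no security change of its own.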
@@ -123,6 +133,16 @@ Rack v3.1 is primarily a maintenance release that removes features deprecated in
123
133
 
124
134
  - In `Rack::Files`, ignore the `Range` header if served file is 0 bytes. ([#2159](https://github.com/rack/rack/pull/2159), [@zarqman])
125
135
 
136
+ ## [3.0.15] - 2025-04-13
137
+
138
+ - Ensure `Rack::ETag` correctly updates response body. ([#2324](https://github.com/rack/rack/pull/2324), [@ioquatix])
139
+
140
+ ## [3.0.14] - 2025-03-11
141
+
142
+ ### Security
143
+
144
+ - [CVE-2025-27610](https://github.com/rack/rack/security/advisories/GHSA-7wqh-767x-r66v) Local file inclusion in `Rack::Static`.
145
+
126
146
  ## [3.0.13] - 2025-03-04
127
147
 
128
148
  ### Security
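Review bot: The `CVE-2025-27610` bullet under `## [3.0.14]` links only to the advisory, whereas the `Rack::ETag` bullet in the same hunk links its pull request (#2324) and names its author. Adding the fixing pull request or commit to the security entry would let anyone auditing or backporting the `Rack::Static` change go straight to the patch rather than working back from the advisory.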
@@ -311,6 +331,12 @@ Rack v3.1 is primarily a maintenance release that removes features deprecated in
311
331
  - Fix multipart filename generation for filenames that contain spaces. Encode spaces as "%20" instead of "+" which will be decoded properly by the multipart parser. ([#1736](https://github.com/rack/rack/pull/1645), [@muirdm](https://github.com/muirdm))
312
332
  - `Rack::Request#scheme` returns `ws` or `wss` when one of the `X-Forwarded-Scheme` / `X-Forwarded-Proto` headers is set to `ws` or `wss`, respectively. ([#1730](https://github.com/rack/rack/issues/1730), [@erwanst](https://github.com/erwanst))
313
333
 
334
+ ## [2.2.13] - 2025-03-11
335
+
336
+ ### Security
337
+
338
+ - [CVE-2025-27610](https://github.com/rack/rack/security/advisories/GHSA-7wqh-767x-r66v) Local file inclusion in `Rack::Static`.
339
+
314
340
  ## [2.2.12] - 2025-03-04
315
341
 
316
342
  ### Security
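Review bot: In the context line just above the new `## [2.2.13]` section, the multipart filename entry labels its link `#1736` while the URL points at `pull/1645`; one of the two is wrong and is worth correcting while this part of the file is being edited. The added `CVE-2025-27610` bullet matches the wording used in the 3.1 and 3.0 sections, which keeps the three release lines easy to compare.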
data/lib/rack/etag.rb CHANGED
@@ -32,6 +32,9 @@ module Rack
32
32
  body = body.to_ary
33
33
  digest = digest_body(body)
34
34
  headers[ETAG_STRING] = %(W/"#{digest}") if digest
35
+
36
+ # Body was modified, so we need to re-assign it:
37
+ response[2] = body
35
38
  end
36
39
 
37
40
  unless headers[CACHE_CONTROL]
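Review bot: The comment on the added `response[2] = body` line says the body "was modified", but what the visible code does is rebind the local `body` to the return value of `body.to_ary`; between that call and the `end` of the block nothing else writes the value back into `response`, so without this line the digest is computed over one object while `response[2]` can still refer to another. Word the comment in those terms, for example that `to_ary` may return a new object which must replace the original body in the response. The assignment is correctly placed outside the `if digest` modifier, so the response is updated even when no ETag header is set. A regression test using a body whose `to_ary` returns a different object from the receiver would pin this behaviour down.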
data/lib/rack/static.rb CHANGED
@@ -124,8 +124,9 @@ module Rack
124
124
 
125
125
  def call(env)
126
126
  path = env[PATH_INFO]
127
+ actual_path = Utils.clean_path_info(Utils.unescape_path(path))
127
128
 
128
- if can_serve(path)
129
+ if can_serve(actual_path)
129
130
  if overwrite_file_path(path)
130
131
  env[PATH_INFO] = (add_index_root?(path) ? path + @index : @urls[path])
131
132
  elsif @gzip && env['HTTP_ACCEPT_ENCODING'] && /\bgzip\b/.match?(env['HTTP_ACCEPT_ENCODING'])
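Review bot: `can_serve` now receives the unescaped, cleaned `actual_path`, but the lines that follow in the same branch still use the raw `path`: `overwrite_file_path(path)`, `add_index_root?(path)` and the `@urls[path]` lookup whose result is written back to `env[PATH_INFO]`. Authorising on one form of the path and then acting on another is the kind of mismatch a path-handling fix should either close off or explain, so use `actual_path` in those calls or add a comment stating why the raw value is safe there (for instance, if whatever serves the file normalises it again). A short comment above the new `actual_path` line saying what the unescape-then-clean step guards against, together with a test that a request whose cleaned path falls outside the configured `@urls` is not served, would help the next reader.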
data/lib/rack/version.rb CHANGED
@@ -12,7 +12,7 @@
12
12
  # so it should be enough just to <tt>require 'rack'</tt> in your code.
13
13
 
14
14
  module Rack
15
- RELEASE = "3.1.11"
15
+ RELEASE = "3.1.13"
16
16
 
17
17
  # Return the Rack release as a dotted string.
18
18
  def self.release
metadata CHANGED
@@ -1,13 +1,13 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rack
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.1.11
4
+ version: 3.1.13
5
5
  platform: ruby
6
6
  authors:
7
7
  - Leah Neukirchen
8
8
  bindir: bin
9
9
  cert_chain: []
10
- date: 2025-03-04 00:00:00.000000000 Z
10
+ date: 2025-04-13 00:00:00.000000000 Z
11
11
  dependencies:
12
12
  - !ruby/object:Gem::Dependency
13
13
  name: minitest