rack 3.1.12 → 3.1.16
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +52 -1
- data/README.md +27 -0
- data/lib/rack/etag.rb +3 -0
- data/lib/rack/mock_response.rb +32 -3
- data/lib/rack/multipart/parser.rb +5 -3
- data/lib/rack/query_parser.rb +50 -8
- data/lib/rack/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 9cfb0a3abaaa98c515919466c018ed20c30b3f4d025d0ec68cfc61614735270f
|
|
4
|
+
data.tar.gz: 4fd015b49d2c70a01d6518ea38b593d14b6d93de09132c3142390ab5fd719ff2
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: db64e3a6431f22b41af6ec7a31d38465d4db45612843f402692893665d88c904d4058469137372b208dbc6d79d7dcde12460e4fb7707681d81de8d3a6dc8e45f
|
|
7
|
+
data.tar.gz: 695b14f7308dfb1a6be5304fb9bcf460ee855e296308ad114d8b9f12b9dcb420a17d4af3883f3a47f3fc66df2e28793fe4871965dec51b557840d136de14c22c
|
data/CHANGELOG.md
CHANGED
|
@@ -2,6 +2,20 @@
|
|
|
2
2
|
|
|
3
3
|
All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
|
|
4
4
|
|
|
5
|
+
## [3.1.15] - 2025-05-18
|
|
6
|
+
|
|
7
|
+
- Optional support for `CGI::Cookie` if not available. ([#2327](https://github.com/rack/rack/pull/2327), [#2333](https://github.com/rack/rack/pull/2333), [@earlopain])
|
|
8
|
+
|
|
9
|
+
## [3.1.14] - 2025-05-06
|
|
10
|
+
|
|
11
|
+
### Security
|
|
12
|
+
|
|
13
|
+
- [CVE-2025-46727](https://github.com/rack/rack/security/advisories/GHSA-gjh7-p2fx-99vx) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion.
|
|
14
|
+
|
|
15
|
+
## [3.1.13] - 2025-04-13
|
|
16
|
+
|
|
17
|
+
- Ensure `Rack::ETag` correctly updates response body. ([#2324](https://github.com/rack/rack/pull/2324), [@ioquatix])
|
|
18
|
+
|
|
5
19
|
## [3.1.12] - 2025-03-11
|
|
6
20
|
|
|
7
21
|
### Security
|
|
@@ -129,6 +143,24 @@ Rack v3.1 is primarily a maintenance release that removes features deprecated in
|
|
|
129
143
|
|
|
130
144
|
- In `Rack::Files`, ignore the `Range` header if served file is 0 bytes. ([#2159](https://github.com/rack/rack/pull/2159), [@zarqman])
|
|
131
145
|
|
|
146
|
+
## [3.0.18] - 2025-05-22
|
|
147
|
+
|
|
148
|
+
- Fix incorrect backport of optional `CGI::Cookie` support. ([#2335](https://github.com/rack/rack/pull/2335), [@jeremyevans])
|
|
149
|
+
|
|
150
|
+
## [3.0.17] - 2025-05-18
|
|
151
|
+
|
|
152
|
+
- Optional support for `CGI::Cookie` if not available. ([#2327](https://github.com/rack/rack/pull/2327), [#2333](https://github.com/rack/rack/pull/2333), [@earlopain])
|
|
153
|
+
|
|
154
|
+
## [3.0.16] - 2025-05-06
|
|
155
|
+
|
|
156
|
+
### Security
|
|
157
|
+
|
|
158
|
+
- [CVE-2025-46727](https://github.com/rack/rack/security/advisories/GHSA-gjh7-p2fx-99vx) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion.
|
|
159
|
+
|
|
160
|
+
## [3.0.15] - 2025-04-13
|
|
161
|
+
|
|
162
|
+
- Ensure `Rack::ETag` correctly updates response body. ([#2324](https://github.com/rack/rack/pull/2324), [@ioquatix])
|
|
163
|
+
|
|
132
164
|
## [3.0.14] - 2025-03-11
|
|
133
165
|
|
|
134
166
|
### Security
|
|
@@ -141,6 +173,10 @@ Rack v3.1 is primarily a maintenance release that removes features deprecated in
|
|
|
141
173
|
|
|
142
174
|
- [CVE-2025-27111](https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v) Possible Log Injection in `Rack::Sendfile`.
|
|
143
175
|
|
|
176
|
+
### Fixed
|
|
177
|
+
|
|
178
|
+
- Remove autoloads for constants no longer shipped with Rack. ([#2269](https://github.com/rack/rack/pull/2269), [@ccutrer](https://github.com/ccutrer))
|
|
179
|
+
|
|
144
180
|
## [3.0.12] - 2025-02-12
|
|
145
181
|
|
|
146
182
|
### Security
|
|
@@ -275,7 +311,7 @@ Rack v3.1 is primarily a maintenance release that removes features deprecated in
|
|
|
275
311
|
- Remove deprecated Rack::Request::SCHEME_WHITELIST. ([@jeremyevans])
|
|
276
312
|
- Remove internal cookie deletion using pattern matching, there are very few practical cases where it would be useful and browsers handle it correctly without us doing anything special. ([#1844](https://github.com/rack/rack/pull/1844), [@ioquatix])
|
|
277
313
|
- Remove `rack.version` as it comes too late to be useful. ([#1938](https://github.com/rack/rack/pull/1938), [@ioquatix])
|
|
278
|
-
- Extract `rackup` command, `Rack::Server`, `Rack::Handler
|
|
314
|
+
- Extract `rackup` command, `Rack::Server`, `Rack::Handler` and related code into a separate gem. ([#1937](https://github.com/rack/rack/pull/1937), [@ioquatix])
|
|
279
315
|
|
|
280
316
|
### Added
|
|
281
317
|
|
|
@@ -323,6 +359,20 @@ Rack v3.1 is primarily a maintenance release that removes features deprecated in
|
|
|
323
359
|
- Fix multipart filename generation for filenames that contain spaces. Encode spaces as "%20" instead of "+" which will be decoded properly by the multipart parser. ([#1736](https://github.com/rack/rack/pull/1645), [@muirdm](https://github.com/muirdm))
|
|
324
360
|
- `Rack::Request#scheme` returns `ws` or `wss` when one of the `X-Forwarded-Scheme` / `X-Forwarded-Proto` headers is set to `ws` or `wss`, respectively. ([#1730](https://github.com/rack/rack/issues/1730), [@erwanst](https://github.com/erwanst))
|
|
325
361
|
|
|
362
|
+
## [2.2.16] - 2025-05-22
|
|
363
|
+
|
|
364
|
+
- Fix incorrect backport of optional `CGI::Cookie` support. ([#2335](https://github.com/rack/rack/pull/2335), [@jeremyevans])
|
|
365
|
+
|
|
366
|
+
## [2.2.15] - 2025-05-18
|
|
367
|
+
|
|
368
|
+
- Optional support for `CGI::Cookie` if not available. ([#2327](https://github.com/rack/rack/pull/2327), [#2333](https://github.com/rack/rack/pull/2333), [@earlopain])
|
|
369
|
+
|
|
370
|
+
## [2.2.14] - 2025-05-06
|
|
371
|
+
|
|
372
|
+
### Security
|
|
373
|
+
|
|
374
|
+
- [CVE-2025-46727](https://github.com/rack/rack/security/advisories/GHSA-gjh7-p2fx-99vx) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion.
|
|
375
|
+
|
|
326
376
|
## [2.2.13] - 2025-03-11
|
|
327
377
|
|
|
328
378
|
### Security
|
|
@@ -1104,3 +1154,4 @@ Items below this line are from the previously maintained HISTORY.md and NEWS.md
|
|
|
1104
1154
|
[@wjordan]: https://github.com/wjordan "Will Jordan"
|
|
1105
1155
|
[@BlakeWilliams]: https://github.com/BlakeWilliams "Blake Williams"
|
|
1106
1156
|
[@davidstosik]: https://github.com/davidstosik "David Stosik"
|
|
1157
|
+
[@earlopain]: https://github.com/earlopain "Earlopain"
|
data/README.md
CHANGED
|
@@ -183,6 +183,33 @@ quickly and without doing the same web stuff all over:
|
|
|
183
183
|
Rack exposes several configuration parameters to control various features of the
|
|
184
184
|
implementation.
|
|
185
185
|
|
|
186
|
+
### `RACK_QUERY_PARSER_BYTESIZE_LIMIT`
|
|
187
|
+
|
|
188
|
+
This environment variable sets the default for the maximum query string bytesize
|
|
189
|
+
that `Rack::QueryParser` will attempt to parse. Attempts to use a query string
|
|
190
|
+
that exceeds this number of bytes will result in a
|
|
191
|
+
`Rack::QueryParser::QueryLimitError` exception. If this enviroment variable is
|
|
192
|
+
provided, it must be an integer, or `Rack::QueryParser` will raise an exception.
|
|
193
|
+
|
|
194
|
+
The default limit can be overridden on a per-`Rack::QueryParser` basis using
|
|
195
|
+
the `bytesize_limit` keyword argument when creating the `Rack::QueryParser`.
|
|
196
|
+
|
|
197
|
+
### `RACK_QUERY_PARSER_PARAMS_LIMIT`
|
|
198
|
+
|
|
199
|
+
This environment variable sets the default for the maximum number of query
|
|
200
|
+
parameters that `Rack::QueryParser` will attempt to parse. Attempts to use a
|
|
201
|
+
query string with more than this many query parameters will result in a
|
|
202
|
+
`Rack::QueryParser::QueryLimitError` exception. If this enviroment variable is
|
|
203
|
+
provided, it must be an integer, or `Rack::QueryParser` will raise an exception.
|
|
204
|
+
|
|
205
|
+
The default limit can be overridden on a per-`Rack::QueryParser` basis using
|
|
206
|
+
the `params_limit` keyword argument when creating the `Rack::QueryParser`.
|
|
207
|
+
|
|
208
|
+
This is implemented by counting the number of parameter separators in the
|
|
209
|
+
query string, before attempting parsing, so if the same parameter key is
|
|
210
|
+
used multiple times in the query, each counts as a separate parameter for
|
|
211
|
+
this check.
|
|
212
|
+
|
|
186
213
|
### `param_depth_limit`
|
|
187
214
|
|
|
188
215
|
```ruby
|
data/lib/rack/etag.rb
CHANGED
data/lib/rack/mock_response.rb
CHANGED
|
@@ -1,6 +1,5 @@
|
|
|
1
1
|
# frozen_string_literal: true
|
|
2
2
|
|
|
3
|
-
require 'cgi/cookie'
|
|
4
3
|
require 'time'
|
|
5
4
|
|
|
6
5
|
require_relative 'response'
|
|
@@ -11,6 +10,36 @@ module Rack
|
|
|
11
10
|
# MockRequest.
|
|
12
11
|
|
|
13
12
|
class MockResponse < Rack::Response
|
|
13
|
+
begin
|
|
14
|
+
# Recent versions of the CGI gem may not provide `CGI::Cookie`.
|
|
15
|
+
require 'cgi/cookie'
|
|
16
|
+
Cookie = CGI::Cookie
|
|
17
|
+
rescue LoadError
|
|
18
|
+
class Cookie
|
|
19
|
+
attr_reader :name, :value, :path, :domain, :expires, :secure
|
|
20
|
+
|
|
21
|
+
def initialize(args)
|
|
22
|
+
@name = args["name"]
|
|
23
|
+
@value = args["value"]
|
|
24
|
+
@path = args["path"]
|
|
25
|
+
@domain = args["domain"]
|
|
26
|
+
@expires = args["expires"]
|
|
27
|
+
@secure = args["secure"]
|
|
28
|
+
end
|
|
29
|
+
|
|
30
|
+
def method_missing(method_name, *args, &block)
|
|
31
|
+
@value.send(method_name, *args, &block)
|
|
32
|
+
end
|
|
33
|
+
# :nocov:
|
|
34
|
+
ruby2_keywords(:method_missing) if respond_to?(:ruby2_keywords, true)
|
|
35
|
+
# :nocov:
|
|
36
|
+
|
|
37
|
+
def respond_to_missing?(method_name, include_all = false)
|
|
38
|
+
@value.respond_to?(method_name, include_all) || super
|
|
39
|
+
end
|
|
40
|
+
end
|
|
41
|
+
end
|
|
42
|
+
|
|
14
43
|
class << self
|
|
15
44
|
alias [] new
|
|
16
45
|
end
|
|
@@ -83,7 +112,7 @@ module Rack
|
|
|
83
112
|
Array(set_cookie_header).each do |cookie|
|
|
84
113
|
cookie_name, cookie_filling = cookie.split('=', 2)
|
|
85
114
|
cookie_attributes = identify_cookie_attributes cookie_filling
|
|
86
|
-
parsed_cookie =
|
|
115
|
+
parsed_cookie = Cookie.new(
|
|
87
116
|
'name' => cookie_name.strip,
|
|
88
117
|
'value' => cookie_attributes.fetch('value'),
|
|
89
118
|
'path' => cookie_attributes.fetch('path', nil),
|
|
@@ -100,7 +129,7 @@ module Rack
|
|
|
100
129
|
def identify_cookie_attributes(cookie_filling)
|
|
101
130
|
cookie_bits = cookie_filling.split(';')
|
|
102
131
|
cookie_attributes = Hash.new
|
|
103
|
-
cookie_attributes.store('value', cookie_bits[0].strip)
|
|
132
|
+
cookie_attributes.store('value', Array(cookie_bits[0].strip))
|
|
104
133
|
cookie_bits.drop(1).each do |bit|
|
|
105
134
|
if bit.include? '='
|
|
106
135
|
cookie_attribute, attribute_value = bit.split('=', 2)
|
|
@@ -31,10 +31,12 @@ module Rack
|
|
|
31
31
|
Error = BoundaryTooLongError
|
|
32
32
|
|
|
33
33
|
EOL = "\r\n"
|
|
34
|
+
FWS = /[ \t]+(?:\r\n[ \t]+)?/ # whitespace with optional folding
|
|
35
|
+
HEADER_VALUE = "(?:[^\r\n]|\r\n[ \t])*" # anything but a non-folding CRLF
|
|
34
36
|
MULTIPART = %r|\Amultipart/.*boundary=\"?([^\";,]+)\"?|ni
|
|
35
|
-
MULTIPART_CONTENT_TYPE =
|
|
36
|
-
MULTIPART_CONTENT_DISPOSITION =
|
|
37
|
-
MULTIPART_CONTENT_ID =
|
|
37
|
+
MULTIPART_CONTENT_TYPE = /^Content-Type:#{FWS}?(#{HEADER_VALUE})/ni
|
|
38
|
+
MULTIPART_CONTENT_DISPOSITION = /^Content-Disposition:#{FWS}?(#{HEADER_VALUE})/ni
|
|
39
|
+
MULTIPART_CONTENT_ID = /^Content-ID:#{FWS}?(#{HEADER_VALUE})/ni
|
|
38
40
|
|
|
39
41
|
class Parser
|
|
40
42
|
BUFSIZE = 1_048_576
|
data/lib/rack/query_parser.rb
CHANGED
|
@@ -21,21 +21,47 @@ module Rack
|
|
|
21
21
|
include BadRequest
|
|
22
22
|
end
|
|
23
23
|
|
|
24
|
-
#
|
|
25
|
-
#
|
|
26
|
-
class
|
|
24
|
+
# QueryLimitError is for errors raised when the query provided exceeds one
|
|
25
|
+
# of the query parser limits.
|
|
26
|
+
class QueryLimitError < RangeError
|
|
27
27
|
include BadRequest
|
|
28
28
|
end
|
|
29
29
|
|
|
30
|
-
|
|
31
|
-
|
|
30
|
+
# ParamsTooDeepError is the old name for the error that is raised when params
|
|
31
|
+
# are recursively nested over the specified limit. Make it the same as
|
|
32
|
+
# as QueryLimitError, so that code that rescues ParamsTooDeepError error
|
|
33
|
+
# to handle bad query strings also now handles other limits.
|
|
34
|
+
ParamsTooDeepError = QueryLimitError
|
|
35
|
+
|
|
36
|
+
def self.make_default(param_depth_limit, **options)
|
|
37
|
+
new(Params, param_depth_limit, **options)
|
|
32
38
|
end
|
|
33
39
|
|
|
34
40
|
attr_reader :param_depth_limit
|
|
35
41
|
|
|
36
|
-
|
|
42
|
+
env_int = lambda do |key, val|
|
|
43
|
+
if str_val = ENV[key]
|
|
44
|
+
begin
|
|
45
|
+
val = Integer(str_val, 10)
|
|
46
|
+
rescue ArgumentError
|
|
47
|
+
raise ArgumentError, "non-integer value provided for environment variable #{key}"
|
|
48
|
+
end
|
|
49
|
+
end
|
|
50
|
+
|
|
51
|
+
val
|
|
52
|
+
end
|
|
53
|
+
|
|
54
|
+
BYTESIZE_LIMIT = env_int.call("RACK_QUERY_PARSER_BYTESIZE_LIMIT", 4194304)
|
|
55
|
+
private_constant :BYTESIZE_LIMIT
|
|
56
|
+
|
|
57
|
+
PARAMS_LIMIT = env_int.call("RACK_QUERY_PARSER_PARAMS_LIMIT", 4096)
|
|
58
|
+
private_constant :PARAMS_LIMIT
|
|
59
|
+
|
|
60
|
+
def initialize(params_class, param_depth_limit, bytesize_limit: BYTESIZE_LIMIT, params_limit: PARAMS_LIMIT)
|
|
37
61
|
@params_class = params_class
|
|
38
62
|
@param_depth_limit = param_depth_limit
|
|
63
|
+
@bytesize_limit = bytesize_limit
|
|
64
|
+
@params_limit = params_limit
|
|
39
65
|
end
|
|
40
66
|
|
|
41
67
|
# Stolen from Mongrel, with some small modifications:
|
|
@@ -47,7 +73,7 @@ module Rack
|
|
|
47
73
|
|
|
48
74
|
params = make_params
|
|
49
75
|
|
|
50
|
-
(qs
|
|
76
|
+
check_query_string(qs, separator).split(separator ? (COMMON_SEP[separator] || /[#{separator}] */n) : DEFAULT_SEP).each do |p|
|
|
51
77
|
next if p.empty?
|
|
52
78
|
k, v = p.split('=', 2).map!(&unescaper)
|
|
53
79
|
|
|
@@ -74,7 +100,7 @@ module Rack
|
|
|
74
100
|
params = make_params
|
|
75
101
|
|
|
76
102
|
unless qs.nil? || qs.empty?
|
|
77
|
-
(qs
|
|
103
|
+
check_query_string(qs, separator).split(separator ? (COMMON_SEP[separator] || /[#{separator}] */n) : DEFAULT_SEP).each do |p|
|
|
78
104
|
k, v = p.split('=', 2).map! { |s| unescape(s) }
|
|
79
105
|
|
|
80
106
|
_normalize_params(params, k, v, 0)
|
|
@@ -189,6 +215,22 @@ module Rack
|
|
|
189
215
|
true
|
|
190
216
|
end
|
|
191
217
|
|
|
218
|
+
def check_query_string(qs, sep)
|
|
219
|
+
if qs
|
|
220
|
+
if qs.bytesize > @bytesize_limit
|
|
221
|
+
raise QueryLimitError, "total query size (#{qs.bytesize}) exceeds limit (#{@bytesize_limit})"
|
|
222
|
+
end
|
|
223
|
+
|
|
224
|
+
if (param_count = qs.count(sep.is_a?(String) ? sep : '&')) >= @params_limit
|
|
225
|
+
raise QueryLimitError, "total number of query parameters (#{param_count+1}) exceeds limit (#{@params_limit})"
|
|
226
|
+
end
|
|
227
|
+
|
|
228
|
+
qs
|
|
229
|
+
else
|
|
230
|
+
''
|
|
231
|
+
end
|
|
232
|
+
end
|
|
233
|
+
|
|
192
234
|
def unescape(string, encoding = Encoding::UTF_8)
|
|
193
235
|
URI.decode_www_form_component(string, encoding)
|
|
194
236
|
end
|
data/lib/rack/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,13 +1,13 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rack
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.1.
|
|
4
|
+
version: 3.1.16
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Leah Neukirchen
|
|
8
8
|
bindir: bin
|
|
9
9
|
cert_chain: []
|
|
10
|
-
date: 2025-
|
|
10
|
+
date: 2025-06-04 00:00:00.000000000 Z
|
|
11
11
|
dependencies:
|
|
12
12
|
- !ruby/object:Gem::Dependency
|
|
13
13
|
name: minitest
|