rack 3.1.13 → 3.1.16
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +44 -1
- data/README.md +27 -0
- data/lib/rack/mock_response.rb +32 -3
- data/lib/rack/multipart/parser.rb +5 -3
- data/lib/rack/query_parser.rb +50 -8
- data/lib/rack/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 9cfb0a3abaaa98c515919466c018ed20c30b3f4d025d0ec68cfc61614735270f
|
|
4
|
+
data.tar.gz: 4fd015b49d2c70a01d6518ea38b593d14b6d93de09132c3142390ab5fd719ff2
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: db64e3a6431f22b41af6ec7a31d38465d4db45612843f402692893665d88c904d4058469137372b208dbc6d79d7dcde12460e4fb7707681d81de8d3a6dc8e45f
|
|
7
|
+
data.tar.gz: 695b14f7308dfb1a6be5304fb9bcf460ee855e296308ad114d8b9f12b9dcb420a17d4af3883f3a47f3fc66df2e28793fe4871965dec51b557840d136de14c22c
|
data/CHANGELOG.md
CHANGED
|
@@ -2,6 +2,16 @@
|
|
|
2
2
|
|
|
3
3
|
All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
|
|
4
4
|
|
|
5
|
+
## [3.1.15] - 2025-05-18
|
|
6
|
+
|
|
7
|
+
- Optional support for `CGI::Cookie` if not available. ([#2327](https://github.com/rack/rack/pull/2327), [#2333](https://github.com/rack/rack/pull/2333), [@earlopain])
|
|
8
|
+
|
|
9
|
+
## [3.1.14] - 2025-05-06
|
|
10
|
+
|
|
11
|
+
### Security
|
|
12
|
+
|
|
13
|
+
- [CVE-2025-46727](https://github.com/rack/rack/security/advisories/GHSA-gjh7-p2fx-99vx) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion.
|
|
14
|
+
|
|
5
15
|
## [3.1.13] - 2025-04-13
|
|
6
16
|
|
|
7
17
|
- Ensure `Rack::ETag` correctly updates response body. ([#2324](https://github.com/rack/rack/pull/2324), [@ioquatix])
|
|
@@ -133,6 +143,20 @@ Rack v3.1 is primarily a maintenance release that removes features deprecated in
|
|
|
133
143
|
|
|
134
144
|
- In `Rack::Files`, ignore the `Range` header if served file is 0 bytes. ([#2159](https://github.com/rack/rack/pull/2159), [@zarqman])
|
|
135
145
|
|
|
146
|
+
## [3.0.18] - 2025-05-22
|
|
147
|
+
|
|
148
|
+
- Fix incorrect backport of optional `CGI::Cookie` support. ([#2335](https://github.com/rack/rack/pull/2335), [@jeremyevans])
|
|
149
|
+
|
|
150
|
+
## [3.0.17] - 2025-05-18
|
|
151
|
+
|
|
152
|
+
- Optional support for `CGI::Cookie` if not available. ([#2327](https://github.com/rack/rack/pull/2327), [#2333](https://github.com/rack/rack/pull/2333), [@earlopain])
|
|
153
|
+
|
|
154
|
+
## [3.0.16] - 2025-05-06
|
|
155
|
+
|
|
156
|
+
### Security
|
|
157
|
+
|
|
158
|
+
- [CVE-2025-46727](https://github.com/rack/rack/security/advisories/GHSA-gjh7-p2fx-99vx) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion.
|
|
159
|
+
|
|
136
160
|
## [3.0.15] - 2025-04-13
|
|
137
161
|
|
|
138
162
|
- Ensure `Rack::ETag` correctly updates response body. ([#2324](https://github.com/rack/rack/pull/2324), [@ioquatix])
|
|
@@ -149,6 +173,10 @@ Rack v3.1 is primarily a maintenance release that removes features deprecated in
|
|
|
149
173
|
|
|
150
174
|
- [CVE-2025-27111](https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v) Possible Log Injection in `Rack::Sendfile`.
|
|
151
175
|
|
|
176
|
+
### Fixed
|
|
177
|
+
|
|
178
|
+
- Remove autoloads for constants no longer shipped with Rack. ([#2269](https://github.com/rack/rack/pull/2269), [@ccutrer](https://github.com/ccutrer))
|
|
179
|
+
|
|
152
180
|
## [3.0.12] - 2025-02-12
|
|
153
181
|
|
|
154
182
|
### Security
|
|
@@ -283,7 +311,7 @@ Rack v3.1 is primarily a maintenance release that removes features deprecated in
|
|
|
283
311
|
- Remove deprecated Rack::Request::SCHEME_WHITELIST. ([@jeremyevans])
|
|
284
312
|
- Remove internal cookie deletion using pattern matching, there are very few practical cases where it would be useful and browsers handle it correctly without us doing anything special. ([#1844](https://github.com/rack/rack/pull/1844), [@ioquatix])
|
|
285
313
|
- Remove `rack.version` as it comes too late to be useful. ([#1938](https://github.com/rack/rack/pull/1938), [@ioquatix])
|
|
286
|
-
- Extract `rackup` command, `Rack::Server`, `Rack::Handler
|
|
314
|
+
- Extract `rackup` command, `Rack::Server`, `Rack::Handler` and related code into a separate gem. ([#1937](https://github.com/rack/rack/pull/1937), [@ioquatix])
|
|
287
315
|
|
|
288
316
|
### Added
|
|
289
317
|
|
|
@@ -331,6 +359,20 @@ Rack v3.1 is primarily a maintenance release that removes features deprecated in
|
|
|
331
359
|
- Fix multipart filename generation for filenames that contain spaces. Encode spaces as "%20" instead of "+" which will be decoded properly by the multipart parser. ([#1736](https://github.com/rack/rack/pull/1645), [@muirdm](https://github.com/muirdm))
|
|
332
360
|
- `Rack::Request#scheme` returns `ws` or `wss` when one of the `X-Forwarded-Scheme` / `X-Forwarded-Proto` headers is set to `ws` or `wss`, respectively. ([#1730](https://github.com/rack/rack/issues/1730), [@erwanst](https://github.com/erwanst))
|
|
333
361
|
|
|
362
|
+
## [2.2.16] - 2025-05-22
|
|
363
|
+
|
|
364
|
+
- Fix incorrect backport of optional `CGI::Cookie` support. ([#2335](https://github.com/rack/rack/pull/2335), [@jeremyevans])
|
|
365
|
+
|
|
366
|
+
## [2.2.15] - 2025-05-18
|
|
367
|
+
|
|
368
|
+
- Optional support for `CGI::Cookie` if not available. ([#2327](https://github.com/rack/rack/pull/2327), [#2333](https://github.com/rack/rack/pull/2333), [@earlopain])
|
|
369
|
+
|
|
370
|
+
## [2.2.14] - 2025-05-06
|
|
371
|
+
|
|
372
|
+
### Security
|
|
373
|
+
|
|
374
|
+
- [CVE-2025-46727](https://github.com/rack/rack/security/advisories/GHSA-gjh7-p2fx-99vx) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion.
|
|
375
|
+
|
|
334
376
|
## [2.2.13] - 2025-03-11
|
|
335
377
|
|
|
336
378
|
### Security
|
|
@@ -1112,3 +1154,4 @@ Items below this line are from the previously maintained HISTORY.md and NEWS.md
|
|
|
1112
1154
|
[@wjordan]: https://github.com/wjordan "Will Jordan"
|
|
1113
1155
|
[@BlakeWilliams]: https://github.com/BlakeWilliams "Blake Williams"
|
|
1114
1156
|
[@davidstosik]: https://github.com/davidstosik "David Stosik"
|
|
1157
|
+
[@earlopain]: https://github.com/earlopain "Earlopain"
|
data/README.md
CHANGED
|
@@ -183,6 +183,33 @@ quickly and without doing the same web stuff all over:
|
|
|
183
183
|
Rack exposes several configuration parameters to control various features of the
|
|
184
184
|
implementation.
|
|
185
185
|
|
|
186
|
+
### `RACK_QUERY_PARSER_BYTESIZE_LIMIT`
|
|
187
|
+
|
|
188
|
+
This environment variable sets the default for the maximum query string bytesize
|
|
189
|
+
that `Rack::QueryParser` will attempt to parse. Attempts to use a query string
|
|
190
|
+
that exceeds this number of bytes will result in a
|
|
191
|
+
`Rack::QueryParser::QueryLimitError` exception. If this enviroment variable is
|
|
192
|
+
provided, it must be an integer, or `Rack::QueryParser` will raise an exception.
|
|
193
|
+
|
|
194
|
+
The default limit can be overridden on a per-`Rack::QueryParser` basis using
|
|
195
|
+
the `bytesize_limit` keyword argument when creating the `Rack::QueryParser`.
|
|
196
|
+
|
|
197
|
+
### `RACK_QUERY_PARSER_PARAMS_LIMIT`
|
|
198
|
+
|
|
199
|
+
This environment variable sets the default for the maximum number of query
|
|
200
|
+
parameters that `Rack::QueryParser` will attempt to parse. Attempts to use a
|
|
201
|
+
query string with more than this many query parameters will result in a
|
|
202
|
+
`Rack::QueryParser::QueryLimitError` exception. If this enviroment variable is
|
|
203
|
+
provided, it must be an integer, or `Rack::QueryParser` will raise an exception.
|
|
204
|
+
|
|
205
|
+
The default limit can be overridden on a per-`Rack::QueryParser` basis using
|
|
206
|
+
the `params_limit` keyword argument when creating the `Rack::QueryParser`.
|
|
207
|
+
|
|
208
|
+
This is implemented by counting the number of parameter separators in the
|
|
209
|
+
query string, before attempting parsing, so if the same parameter key is
|
|
210
|
+
used multiple times in the query, each counts as a separate parameter for
|
|
211
|
+
this check.
|
|
212
|
+
|
|
186
213
|
### `param_depth_limit`
|
|
187
214
|
|
|
188
215
|
```ruby
|
data/lib/rack/mock_response.rb
CHANGED
|
@@ -1,6 +1,5 @@
|
|
|
1
1
|
# frozen_string_literal: true
|
|
2
2
|
|
|
3
|
-
require 'cgi/cookie'
|
|
4
3
|
require 'time'
|
|
5
4
|
|
|
6
5
|
require_relative 'response'
|
|
@@ -11,6 +10,36 @@ module Rack
|
|
|
11
10
|
# MockRequest.
|
|
12
11
|
|
|
13
12
|
class MockResponse < Rack::Response
|
|
13
|
+
begin
|
|
14
|
+
# Recent versions of the CGI gem may not provide `CGI::Cookie`.
|
|
15
|
+
require 'cgi/cookie'
|
|
16
|
+
Cookie = CGI::Cookie
|
|
17
|
+
rescue LoadError
|
|
18
|
+
class Cookie
|
|
19
|
+
attr_reader :name, :value, :path, :domain, :expires, :secure
|
|
20
|
+
|
|
21
|
+
def initialize(args)
|
|
22
|
+
@name = args["name"]
|
|
23
|
+
@value = args["value"]
|
|
24
|
+
@path = args["path"]
|
|
25
|
+
@domain = args["domain"]
|
|
26
|
+
@expires = args["expires"]
|
|
27
|
+
@secure = args["secure"]
|
|
28
|
+
end
|
|
29
|
+
|
|
30
|
+
def method_missing(method_name, *args, &block)
|
|
31
|
+
@value.send(method_name, *args, &block)
|
|
32
|
+
end
|
|
33
|
+
# :nocov:
|
|
34
|
+
ruby2_keywords(:method_missing) if respond_to?(:ruby2_keywords, true)
|
|
35
|
+
# :nocov:
|
|
36
|
+
|
|
37
|
+
def respond_to_missing?(method_name, include_all = false)
|
|
38
|
+
@value.respond_to?(method_name, include_all) || super
|
|
39
|
+
end
|
|
40
|
+
end
|
|
41
|
+
end
|
|
42
|
+
|
|
14
43
|
class << self
|
|
15
44
|
alias [] new
|
|
16
45
|
end
|
|
@@ -83,7 +112,7 @@ module Rack
|
|
|
83
112
|
Array(set_cookie_header).each do |cookie|
|
|
84
113
|
cookie_name, cookie_filling = cookie.split('=', 2)
|
|
85
114
|
cookie_attributes = identify_cookie_attributes cookie_filling
|
|
86
|
-
parsed_cookie =
|
|
115
|
+
parsed_cookie = Cookie.new(
|
|
87
116
|
'name' => cookie_name.strip,
|
|
88
117
|
'value' => cookie_attributes.fetch('value'),
|
|
89
118
|
'path' => cookie_attributes.fetch('path', nil),
|
|
@@ -100,7 +129,7 @@ module Rack
|
|
|
100
129
|
def identify_cookie_attributes(cookie_filling)
|
|
101
130
|
cookie_bits = cookie_filling.split(';')
|
|
102
131
|
cookie_attributes = Hash.new
|
|
103
|
-
cookie_attributes.store('value', cookie_bits[0].strip)
|
|
132
|
+
cookie_attributes.store('value', Array(cookie_bits[0].strip))
|
|
104
133
|
cookie_bits.drop(1).each do |bit|
|
|
105
134
|
if bit.include? '='
|
|
106
135
|
cookie_attribute, attribute_value = bit.split('=', 2)
|
|
@@ -31,10 +31,12 @@ module Rack
|
|
|
31
31
|
Error = BoundaryTooLongError
|
|
32
32
|
|
|
33
33
|
EOL = "\r\n"
|
|
34
|
+
FWS = /[ \t]+(?:\r\n[ \t]+)?/ # whitespace with optional folding
|
|
35
|
+
HEADER_VALUE = "(?:[^\r\n]|\r\n[ \t])*" # anything but a non-folding CRLF
|
|
34
36
|
MULTIPART = %r|\Amultipart/.*boundary=\"?([^\";,]+)\"?|ni
|
|
35
|
-
MULTIPART_CONTENT_TYPE =
|
|
36
|
-
MULTIPART_CONTENT_DISPOSITION =
|
|
37
|
-
MULTIPART_CONTENT_ID =
|
|
37
|
+
MULTIPART_CONTENT_TYPE = /^Content-Type:#{FWS}?(#{HEADER_VALUE})/ni
|
|
38
|
+
MULTIPART_CONTENT_DISPOSITION = /^Content-Disposition:#{FWS}?(#{HEADER_VALUE})/ni
|
|
39
|
+
MULTIPART_CONTENT_ID = /^Content-ID:#{FWS}?(#{HEADER_VALUE})/ni
|
|
38
40
|
|
|
39
41
|
class Parser
|
|
40
42
|
BUFSIZE = 1_048_576
|
data/lib/rack/query_parser.rb
CHANGED
|
@@ -21,21 +21,47 @@ module Rack
|
|
|
21
21
|
include BadRequest
|
|
22
22
|
end
|
|
23
23
|
|
|
24
|
-
#
|
|
25
|
-
#
|
|
26
|
-
class
|
|
24
|
+
# QueryLimitError is for errors raised when the query provided exceeds one
|
|
25
|
+
# of the query parser limits.
|
|
26
|
+
class QueryLimitError < RangeError
|
|
27
27
|
include BadRequest
|
|
28
28
|
end
|
|
29
29
|
|
|
30
|
-
|
|
31
|
-
|
|
30
|
+
# ParamsTooDeepError is the old name for the error that is raised when params
|
|
31
|
+
# are recursively nested over the specified limit. Make it the same as
|
|
32
|
+
# as QueryLimitError, so that code that rescues ParamsTooDeepError error
|
|
33
|
+
# to handle bad query strings also now handles other limits.
|
|
34
|
+
ParamsTooDeepError = QueryLimitError
|
|
35
|
+
|
|
36
|
+
def self.make_default(param_depth_limit, **options)
|
|
37
|
+
new(Params, param_depth_limit, **options)
|
|
32
38
|
end
|
|
33
39
|
|
|
34
40
|
attr_reader :param_depth_limit
|
|
35
41
|
|
|
36
|
-
|
|
42
|
+
env_int = lambda do |key, val|
|
|
43
|
+
if str_val = ENV[key]
|
|
44
|
+
begin
|
|
45
|
+
val = Integer(str_val, 10)
|
|
46
|
+
rescue ArgumentError
|
|
47
|
+
raise ArgumentError, "non-integer value provided for environment variable #{key}"
|
|
48
|
+
end
|
|
49
|
+
end
|
|
50
|
+
|
|
51
|
+
val
|
|
52
|
+
end
|
|
53
|
+
|
|
54
|
+
BYTESIZE_LIMIT = env_int.call("RACK_QUERY_PARSER_BYTESIZE_LIMIT", 4194304)
|
|
55
|
+
private_constant :BYTESIZE_LIMIT
|
|
56
|
+
|
|
57
|
+
PARAMS_LIMIT = env_int.call("RACK_QUERY_PARSER_PARAMS_LIMIT", 4096)
|
|
58
|
+
private_constant :PARAMS_LIMIT
|
|
59
|
+
|
|
60
|
+
def initialize(params_class, param_depth_limit, bytesize_limit: BYTESIZE_LIMIT, params_limit: PARAMS_LIMIT)
|
|
37
61
|
@params_class = params_class
|
|
38
62
|
@param_depth_limit = param_depth_limit
|
|
63
|
+
@bytesize_limit = bytesize_limit
|
|
64
|
+
@params_limit = params_limit
|
|
39
65
|
end
|
|
40
66
|
|
|
41
67
|
# Stolen from Mongrel, with some small modifications:
|
|
@@ -47,7 +73,7 @@ module Rack
|
|
|
47
73
|
|
|
48
74
|
params = make_params
|
|
49
75
|
|
|
50
|
-
(qs
|
|
76
|
+
check_query_string(qs, separator).split(separator ? (COMMON_SEP[separator] || /[#{separator}] */n) : DEFAULT_SEP).each do |p|
|
|
51
77
|
next if p.empty?
|
|
52
78
|
k, v = p.split('=', 2).map!(&unescaper)
|
|
53
79
|
|
|
@@ -74,7 +100,7 @@ module Rack
|
|
|
74
100
|
params = make_params
|
|
75
101
|
|
|
76
102
|
unless qs.nil? || qs.empty?
|
|
77
|
-
(qs
|
|
103
|
+
check_query_string(qs, separator).split(separator ? (COMMON_SEP[separator] || /[#{separator}] */n) : DEFAULT_SEP).each do |p|
|
|
78
104
|
k, v = p.split('=', 2).map! { |s| unescape(s) }
|
|
79
105
|
|
|
80
106
|
_normalize_params(params, k, v, 0)
|
|
@@ -189,6 +215,22 @@ module Rack
|
|
|
189
215
|
true
|
|
190
216
|
end
|
|
191
217
|
|
|
218
|
+
def check_query_string(qs, sep)
|
|
219
|
+
if qs
|
|
220
|
+
if qs.bytesize > @bytesize_limit
|
|
221
|
+
raise QueryLimitError, "total query size (#{qs.bytesize}) exceeds limit (#{@bytesize_limit})"
|
|
222
|
+
end
|
|
223
|
+
|
|
224
|
+
if (param_count = qs.count(sep.is_a?(String) ? sep : '&')) >= @params_limit
|
|
225
|
+
raise QueryLimitError, "total number of query parameters (#{param_count+1}) exceeds limit (#{@params_limit})"
|
|
226
|
+
end
|
|
227
|
+
|
|
228
|
+
qs
|
|
229
|
+
else
|
|
230
|
+
''
|
|
231
|
+
end
|
|
232
|
+
end
|
|
233
|
+
|
|
192
234
|
def unescape(string, encoding = Encoding::UTF_8)
|
|
193
235
|
URI.decode_www_form_component(string, encoding)
|
|
194
236
|
end
|
data/lib/rack/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,13 +1,13 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rack
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.1.
|
|
4
|
+
version: 3.1.16
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Leah Neukirchen
|
|
8
8
|
bindir: bin
|
|
9
9
|
cert_chain: []
|
|
10
|
-
date: 2025-04
|
|
10
|
+
date: 2025-06-04 00:00:00.000000000 Z
|
|
11
11
|
dependencies:
|
|
12
12
|
- !ruby/object:Gem::Dependency
|
|
13
13
|
name: minitest
|