rack 3.1.16 → 3.2.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9cfb0a3abaaa98c515919466c018ed20c30b3f4d025d0ec68cfc61614735270f
-  data.tar.gz: 4fd015b49d2c70a01d6518ea38b593d14b6d93de09132c3142390ab5fd719ff2
+  metadata.gz: '080d2911dca86ef9f377de17b22e51f04472e25d2af32cc9effd975097785f1a'
+  data.tar.gz: c3ee87b2b5bc8e676986c4b9d48ebfc97420a69a02fb0a945f340f34b4578349
 SHA512:
-  metadata.gz: db64e3a6431f22b41af6ec7a31d38465d4db45612843f402692893665d88c904d4058469137372b208dbc6d79d7dcde12460e4fb7707681d81de8d3a6dc8e45f
-  data.tar.gz: 695b14f7308dfb1a6be5304fb9bcf460ee855e296308ad114d8b9f12b9dcb420a17d4af3883f3a47f3fc66df2e28793fe4871965dec51b557840d136de14c22c
+  metadata.gz: bd897ed5e78fb8ce1ba9c542f5233d8c49e309004f826d4e112127a23ff55fd5758ae90b6856b209c156cbc5695eb28c1c27a5d0fb036cdffd94c91a9096fb4e
+  data.tar.gz: 053d5a2eaa6cdaed9404b2da2c7a7e730c73dea77ebdd75a4628b150b1e59bbc5fa2e81ea56edb0a6df6da122f94d621292f74d0263ffe0721d7e07c81e4e897

data/CHANGELOG.md

@@ -2,12 +2,93 @@
 
 All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
 
+## [3.2.2] - 2025-10-07
+
+### Security
+
+- [CVE-2025-61772](https://github.com/advisories/GHSA-wpv5-97wm-hp9c) Multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
+- [CVE-2025-61771](https://github.com/advisories/GHSA-w9pc-fmgc-vxvw) Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)
+- [CVE-2025-61770](https://github.com/advisories/GHSA-p543-xpfm-54cp) Unbounded multipart preamble buffering enables DoS (memory exhaustion)
+
+## [3.2.1] -- 2025-09-02
+
+### Added
+
+- Add support for streaming bodies when using `Rack::Events`. ([#2375](github.com/rack/rack/pull/2375), [@unflxw](https://github.com/unflxw))
+
+### Fixed
+
+- Fix an issue where a `NoMethodError` would be raised when using `Rack::Events` with streaming bodies. ([#2375](github.com/rack/rack/pull/2375), [@unflxw](https://github.com/unflxw))
+
+## [3.2.0] - 2025-07-31
+
+This release continues Rack's evolution toward a cleaner, more efficient foundation while maintaining backward compatibility for most applications. The breaking changes primarily affect deprecated functionality, so most users should experience a smooth upgrade with improved performance and standards compliance.
+
+### SPEC Changes
+
+- Request environment keys must now be strings. ([#2310](https://github.com/rack/rack/issues/2310), [@jeremyevans])
+- Add `nil` as a valid return from a Response `body.to_path` ([#2318](https://github.com/rack/rack/pull/2318), [@MSP-Greg])
+- `Rack::Lint#check_header_value` is relaxed, only disallowing CR/LF/NUL characters. ([#2354](https://github.com/rack/rack/pull/2354), [@ioquatix])
+
+### Added
+
+- Introduce `Rack::VERSION` constant. ([#2199](https://github.com/rack/rack/pull/2199), [@ioquatix])
+- `ISO-2022-JP` encoded parts within MIME Multipart sections of an HTTP request body will now be converted to `UTF-8`. ([#2245](https://github.com/rack/rack/pull/2245), [@nappa](https://github.com/nappa))
+- Add `Rack::Request#query_parser=` to allow setting the query parser to use. ([#2349](https://github.com/rack/rack/pull/2349), [@jeremyevans])
+- Add `Rack::Request#form_pairs` to access form data as raw key-value pairs, preserving duplicate keys. ([#2351](https://github.com/rack/rack/pull/2351), [@matthewd])
+
+### Changed
+
+- Invalid cookie keys will now raise an error. ([#2193](https://github.com/rack/rack/pull/2193), [@ioquatix])
+- `Rack::MediaType#params` now handles empty strings. ([#2229](https://github.com/rack/rack/pull/2229), [@jeremyevans])
+- Avoid unnecessary calls to the `ip_filter` lambda to evaluate `Request#ip` ([#2287](https://github.com/rack/rack/pull/2287), [@willbryant])
+- Only calculate `Request#ip` once per request ([#2292](https://github.com/rack/rack/pull/2292), [@willbryant])
+- `Rack::Builder` `#use`, `#map`, and `#run` methods now return `nil`. ([#2355](https://github.com/rack/rack/pull/2355), [@ioquatix])
+- Directly close the body in `Rack::ConditionalGet` when the response is `304 Not Modified`. ([#2353](https://github.com/rack/rack/pull/2353), [@ioquatix])
+- Directly close the body in `Rack::Head` when the request method is `HEAD`([#2360](https://github.com/rack/rack/pull/2360), [@skipkayhil](https://github.com/skipkayhil))
+
+### Deprecated
+
+- `Rack::Auth::AbstractRequest#request` is deprecated without replacement. ([#2229](https://github.com/rack/rack/pull/2229), [@jeremyevans])
+- `Rack::Request#parse_multipart` (private method designed to be overridden in subclasses) is deprecated without replacement. ([#2229](https://github.com/rack/rack/pull/2229), [@jeremyevans])
+
+### Removed
+
+- `Rack::Request#values_at` is removed. ([#2200](https://github.com/rack/rack/pull/2200), [@ioquatix])
+- `Rack::Logger` is removed with no replacement. ([#2196](https://github.com/rack/rack/pull/2196), [@ioquatix])
+- Automatic cache invalidation in `Rack::Request#{GET,POST}` has been removed. ([#2230](https://github.com/rack/rack/pull/2230), [@jeremyevans])
+- Support for `CGI::Cookie` has been removed. ([#2332](https://github.com/rack/rack/pull/2332), [@ioquatix])
+
+### Fixed
+
+- `Rack::RewindableInput::Middleware` no longer wraps a nil input. ([#2259](https://github.com/rack/rack/pull/2259), [@tt](https://github.com/tt))
+- Fix `NoMethodError` in `Rack::Request#wrap_ipv6` when `x-forwarded-host` is empty. ([#2270](https://github.com/rack/rack/pull/2270), [@oieioi](https://github.com/oieioi))
+- Fix the specification for `SERVER_PORT` which was incorrectly documented as required to be an `Integer` if present - it must be a `String` containing digits only. ([#2296](https://github.com/rack/rack/pull/2296), [@ioquatix])
+- `SERVER_NAME` and `HTTP_HOST` are now more strictly validated according to the relevant specifications. ([#2298](https://github.com/rack/rack/pull/2298), [@ioquatix])
+- `Rack::Lint` now disallows `PATH_INFO="" SCRIPT_NAME=""`. ([#2298](https://github.com/rack/rack/issues/2307), [@jeremyevans])
+
+## [3.1.17] - 2025-10-07
+
+### Security
+
+- [CVE-2025-61772](https://github.com/advisories/GHSA-wpv5-97wm-hp9c) Multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
+- [CVE-2025-61771](https://github.com/advisories/GHSA-w9pc-fmgc-vxvw) Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)
+- [CVE-2025-61770](https://github.com/advisories/GHSA-p543-xpfm-54cp) Unbounded multipart preamble buffering enables DoS (memory exhaustion)
+
+## [3.1.16] - 2025-06-04
+
+### Security
+
+- [CVE-2025-49007](https://github.com/advisories/GHSA-47m2-26rw-j2jw) Fix ReDoS in multipart request.
+
 ## [3.1.15] - 2025-05-18
 
 - Optional support for `CGI::Cookie` if not available. ([#2327](https://github.com/rack/rack/pull/2327), [#2333](https://github.com/rack/rack/pull/2333), [@earlopain])
 
 ## [3.1.14] - 2025-05-06
 
+:warning: **This release includes a security fix that may cause certain routes in previously working applications to fail if query parameters exceed 4,096 in count or 4 MB in total size. See <https://github.com/rack/rack/discussions/2356> for more details.**
+
 ### Security
 
 - [CVE-2025-46727](https://github.com/rack/rack/security/advisories/GHSA-gjh7-p2fx-99vx) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion.
@@ -92,7 +173,7 @@ All notable changes to this project will be documented in this file. For info on
 
 :warning: **This release includes several breaking changes.** Refer to the **Removed** section below for the list of deprecated methods that have been removed in this release.
 
-Rack v3.1 is primarily a maintenance release that removes features deprecated in Rack v3.0. Alongside these removals, there are several improvements to the Rack SPEC, mainly focused on enhancing input and output handling. These changes aim to make Rack more efficient and align better with the requirements of server implementations and relevant HTTP specifications.
+This release is primarily a maintenance release that removes features deprecated in Rack v3.0. Alongside these removals, there are several improvements to the Rack SPEC, mainly focused on enhancing input and output handling. These changes aim to make Rack more efficient and align better with the requirements of server implementations and relevant HTTP specifications.
 
 ### SPEC Changes
 
@@ -153,6 +234,8 @@ Rack v3.1 is primarily a maintenance release that removes features deprecated in
 
 ## [3.0.16] - 2025-05-06
 
+:warning: **This release includes a security fix that may cause certain routes in previously working applications to fail if query parameters exceed 4,096 in count or 4 MB in total size. See <https://github.com/rack/rack/discussions/2356> for more details.**
+
 ### Security
 
 - [CVE-2025-46727](https://github.com/rack/rack/security/advisories/GHSA-gjh7-p2fx-99vx) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion.
@@ -271,6 +354,8 @@ Rack v3.1 is primarily a maintenance release that removes features deprecated in
 
 ## [3.0.0] - 2022-09-06
 
+This release introduces major improvements to Rack, including enhanced support for streaming responses, expanded protocol handling, and stricter compliance with HTTP standards. It refines middleware interfaces, improves multipart and hijack handling, and strengthens security and error reporting. The update also brings performance optimizations, better compatibility with modern Ruby versions, and numerous bug fixes, making Rack more robust and flexible for web application development.
+
 - No changes
 
 ## [3.0.0.rc1] - 2022-09-04
@@ -359,6 +444,24 @@ Rack v3.1 is primarily a maintenance release that removes features deprecated in
 - Fix multipart filename generation for filenames that contain spaces. Encode spaces as "%20" instead of "+" which will be decoded properly by the multipart parser. ([#1736](https://github.com/rack/rack/pull/1645), [@muirdm](https://github.com/muirdm))
 - `Rack::Request#scheme` returns `ws` or `wss` when one of the `X-Forwarded-Scheme` / `X-Forwarded-Proto` headers is set to `ws` or `wss`, respectively. ([#1730](https://github.com/rack/rack/issues/1730), [@erwanst](https://github.com/erwanst))
 
+## [2.2.19] - 2025-10-07
+
+### Security
+
+- [CVE-2025-61772](https://github.com/advisories/GHSA-wpv5-97wm-hp9c) Multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
+- [CVE-2025-61771](https://github.com/advisories/GHSA-w9pc-fmgc-vxvw) Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)
+- [CVE-2025-61770](https://github.com/advisories/GHSA-p543-xpfm-54cp) Unbounded multipart preamble buffering enables DoS (memory exhaustion)
+
+## [2.2.18] - 2025-09-25
+
+### Security
+
+- [CVE-2025-59830](https://github.com/rack/rack/security/advisories/GHSA-625h-95r8-8xpm) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion via semicolon-separated parameters.
+
+## [2.2.17] - 2025-06-03
+
+- Backport `Rack::MediaType#params` now handles parameters without values. ([#2263](https://github.com/rack/rack/pull/2263), [@AllyMarthaJ](https://github.com/AllyMarthaJ))
+
 ## [2.2.16] - 2025-05-22
 
 - Fix incorrect backport of optional `CGI::Cookie` support. ([#2335](https://github.com/rack/rack/pull/2335), [@jeremyevans])
@@ -369,6 +472,8 @@ Rack v3.1 is primarily a maintenance release that removes features deprecated in
 
 ## [2.2.14] - 2025-05-06
 
+:warning: **This release includes a security fix that may cause certain routes in previously working applications to fail if query parameters exceed 4,096 in count or 4 MB in total size. See <https://github.com/rack/rack/discussions/2356> for more details.**
+
 ### Security
 
 - [CVE-2025-46727](https://github.com/rack/rack/security/advisories/GHSA-gjh7-p2fx-99vx) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion.
@@ -1155,3 +1260,5 @@ Items below this line are from the previously maintained HISTORY.md and NEWS.md
 [@BlakeWilliams]: https://github.com/BlakeWilliams "Blake Williams"
 [@davidstosik]: https://github.com/davidstosik "David Stosik"
 [@earlopain]: https://github.com/earlopain "Earlopain"
+[@wynksaiddestroy]: https://github.com/wynksaiddestroy "Fabian Winkler"
+[@matthewd]: https://github.com/matthewd "Matthew Draper"

data/README.md

@@ -6,26 +6,43 @@ way possible, it unifies and distills the bridge between web servers, web
 frameworks, and web application into a single method call.
 
 The exact details of this are described in the [Rack Specification], which all
-Rack applications should conform to.
+Rack applications should conform to. Browse the [Documentation] for more
+information.
 
 ## Version support
 
 | Version  | Support                            |
 |----------|------------------------------------|
-|    3.0.x | Bug fixes and security patches.    |
+|    3.2.x | Bug fixes and security patches.    |
+|    3.1.x | Security patches only.             |
+|    3.0.x | End of support.                    |
 |    2.2.x | Security patches only.             |
 | <= 2.1.x | End of support.                    |
 
+**Rack 2.2.x is in security maintenance mode**. Please upgrade to Rack 3.1+ as soon
+as possible to ensure you are receiving the latest features and security patches.
+
 Please see the [Security Policy] for more information.
 
-## Rack 3.0
+## Change log
+
+See the [Changelog](CHANGELOG.md) for a detailed list of changes in each version of Rack.
+
+### Rack 3.2 (latest release)
+
+This version of rack contains bug fixes and security patches.
+
+### Rack 3.1
 
-This is the latest version of Rack. It contains API improvements but also some
-breaking changes. Please check the [Upgrade Guide](UPGRADE-GUIDE.md) for more
-details about migrating servers, middlewares and applications designed for Rack 2
-to Rack 3. For detailed information on specific changes, check the [Change Log](CHANGELOG.md).
+This version of rack contains bug fixes and security patches.
 
-## Rack 2.2
+### Rack 3.0
+
+This version of rack contains significant changes which are detailed in the
+[Upgrade Guide](UPGRADE-GUIDE.md). It is recommended to upgrade to Rack 3 as soon
+as possible to receive the latest features and security patches.
+
+### Rack 2.2
 
 This version of Rack is receiving security patches only, and effort should be
 made to move to Rack 3.
@@ -69,6 +86,8 @@ server](#supported-web-servers).
 ```bash
 $ gem install rackup
 $ rackup
+
+# In another shell:
 $ curl http://localhost:9292
 Hello World
 ```
@@ -83,6 +102,7 @@ Rack is supported by a wide range of servers, including:
 * [NGINX Unit](https://unit.nginx.org/)
 * [Phusion Passenger](https://www.phusionpassenger.com/) (which is mod_rack for
   Apache and for nginx)
+* [Pitchfork](https://github.com/Shopify/pitchfork)
 * [Puma](https://puma.io/)
 * [Thin](https://github.com/macournoyer/thin)
 * [Unicorn](https://yhbt.net/unicorn/)
@@ -132,11 +152,9 @@ middleware:
 * `Rack::ETag` for setting `etag` header on bodies that can be buffered.
 * `Rack::Events` for providing easy hooks when a request is received and when
   the response is sent.
-* `Rack::Files` for serving static files.
 * `Rack::Head` for returning an empty body for HEAD requests.
 * `Rack::Lint` for checking conformance to the [Rack Specification].
 * `Rack::Lock` for serializing requests using a mutex.
-* `Rack::Logger` for setting a logger to handle logging errors.
 * `Rack::MethodOverride` for modifying the request method based on a submitted
   parameter.
 * `Rack::Recursive` for including data from other paths in the application, and
@@ -150,7 +168,7 @@ middleware:
   a nice and helpful way with clickable backtrace.
 * `Rack::ShowStatus` for using nice error pages for empty client error
   responses.
-* `Rack::Static` for more configurable serving of static files.
+* `Rack::Static` for configurable serving of static files.
 * `Rack::TempfileReaper` for removing temporary files creating during a request.
 
 All these components use the same interface, which is described in detail in the
@@ -172,6 +190,8 @@ quickly and without doing the same web stuff all over:
   returns a not found or method not supported response.
 * `Rack::Directory` for serving files under a given directory, with directory
   indexes.
+* `Rack::Files` for serving files under a given directory, without directory
+  indexes.
 * `Rack::MediaType` for parsing content-type headers.
 * `Rack::Mime` for determining content-type based on file extension.
 * `Rack::RewindableInput` for making any IO object rewindable, using a temporary
@@ -210,6 +230,14 @@ query string, before attempting parsing, so if the same parameter key is
 used multiple times in the query, each counts as a separate parameter for
 this check.
 
+### `RACK_MULTIPART_BUFFERED_UPLOAD_BYTESIZE_LIMIT`
+
+This environment variable sets the maximum amount of memory Rack will use
+to buffer multipart parameters when parsing a request body. This considers
+the size of the multipart mime headers and the body part for multipart
+parameters that are buffered in memory and do not use tempfiles. This
+defaults to 16MB if not provided.
+
 ### `param_depth_limit`
 
 ```ruby
@@ -247,7 +275,6 @@ Can also be set via the `RACK_MULTIPART_FILE_LIMIT` environment variable.
 
 (This is also aliased as `multipart_part_limit` and `RACK_MULTIPART_PART_LIMIT` for compatibility)
 
-
 ### `multipart_total_part_limit`
 
 The maximum total number of parts a request can contain of any type, including
@@ -260,18 +287,12 @@ Set to 0 for no limit.
 
 Can also be set via the `RACK_MULTIPART_TOTAL_PART_LIMIT` environment variable.
 
-
-## Changelog
-
-See [CHANGELOG.md](CHANGELOG.md).
-
 ## Contributing
 
 See [CONTRIBUTING.md](CONTRIBUTING.md) for specific details about how to make a
 contribution to Rack.
 
-Please post bugs, suggestions and patches to [GitHub
-Issues](https://github.com/rack/rack/issues).
+Please post bugs, suggestions and patches to [GitHub Issues](https://github.com/rack/rack/issues).
 
 Please check our [Security Policy](https://github.com/rack/rack/security/policy)
 for responsible disclosure and security bug reporting process. Due to wide usage
@@ -281,6 +302,13 @@ is greatly appreciated.
 
 ## See Also
 
+### `rackup`
+
+A useful tool for running Rack applications from the command line, including
+`Rackup::Server` (previously `Rack::Server`) for scripting servers.
+
+* https://github.com/rack/rackup
+
 ### `rack-contrib`
 
 The plethora of useful middleware created the need for a project that collects
@@ -351,5 +379,6 @@ would like to thank:
 
 Rack is released under the [MIT License](MIT-LICENSE).
 
-[Rack Specification]: SPEC.rdoc
+[Rack Specification]: https://rack.github.io/rack/main/SPEC_rdoc.html
+[Documentation]: https://rack.github.io/rack/
 [Security Policy]: SECURITY.md