rack 3.1.17 → 3.1.19
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +40 -14
- data/lib/rack/multipart/parser.rb +1 -1
- data/lib/rack/query_parser.rb +3 -1
- data/lib/rack/request.rb +4 -1
- data/lib/rack/sendfile.rb +50 -20
- data/lib/rack/version.rb +1 -1
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: b240dc5ca41313115b62737a54719f60c77729d1e569e086c8808a1e50c24c86
|
|
4
|
+
data.tar.gz: da8d7e1e6f3d7c920f7c74907f17fa1ea5bcbaa9366b2ee3bdac49f0430ae909
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: f0ecef2c27279d4a031e05666a43a5748fd3f40a1bbce45bfc2605e548790140849d35b57aa59ea130b256f85813ac0f256c11e36e971447ab423f614f5e228d
|
|
7
|
+
data.tar.gz: 86d41b59621d3e831dede55043bf84d457024a68c67da1f7e9410aed2f1abb55b6e4a8ca3cb2e1517fee71270dec851d67014d0111522d434ca20bcf7f528dc6
|
data/CHANGELOG.md
CHANGED
|
@@ -2,6 +2,19 @@
|
|
|
2
2
|
|
|
3
3
|
All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
|
|
4
4
|
|
|
5
|
+
## [3.1.19] - 2025-11-03
|
|
6
|
+
|
|
7
|
+
### Fixed
|
|
8
|
+
|
|
9
|
+
- Multipart parser: limit MIME header size check to the unread buffer region to avoid false `multipart mime part header too large` errors when previously read data accumulates in the scan buffer. ([#2392](https://github.com/rack/rack/pull/2392), [@alpaca-tc](https://github.com/alpaca-tc), [@willnet](https://github.com/willnet), [@krororo](https://github.com/krororo))
|
|
10
|
+
|
|
11
|
+
## [3.1.18] - 2025-10-10
|
|
12
|
+
|
|
13
|
+
### Security
|
|
14
|
+
|
|
15
|
+
- [CVE-2025-61780](https://github.com/advisories/GHSA-r657-rxjc-j557) Improper handling of headers in `Rack::Sendfile` may allow proxy bypass.
|
|
16
|
+
- [CVE-2025-61919](https://github.com/advisories/GHSA-6xw4-3v39-52mm) Unbounded read in `Rack::Request` form parsing can lead to memory exhaustion.
|
|
17
|
+
|
|
5
18
|
## [3.1.17] - 2025-10-07
|
|
6
19
|
|
|
7
20
|
### Security
|
|
@@ -24,7 +37,7 @@ All notable changes to this project will be documented in this file. For info on
|
|
|
24
37
|
|
|
25
38
|
### Security
|
|
26
39
|
|
|
27
|
-
- [CVE-2025-46727](https://github.com/
|
|
40
|
+
- [CVE-2025-46727](https://github.com/advisories/GHSA-gjh7-p2fx-99vx) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion.
|
|
28
41
|
|
|
29
42
|
## [3.1.13] - 2025-04-13
|
|
30
43
|
|
|
@@ -34,19 +47,19 @@ All notable changes to this project will be documented in this file. For info on
|
|
|
34
47
|
|
|
35
48
|
### Security
|
|
36
49
|
|
|
37
|
-
- [CVE-2025-27610](https://github.com/
|
|
50
|
+
- [CVE-2025-27610](https://github.com/advisories/GHSA-7wqh-767x-r66v) Local file inclusion in `Rack::Static`.
|
|
38
51
|
|
|
39
52
|
## [3.1.11] - 2025-03-04
|
|
40
53
|
|
|
41
54
|
### Security
|
|
42
55
|
|
|
43
|
-
- [CVE-2025-27111](https://github.com/
|
|
56
|
+
- [CVE-2025-27111](https://github.com/advisories/GHSA-8cgq-6mh2-7j6v) Possible Log Injection in `Rack::Sendfile`.
|
|
44
57
|
|
|
45
58
|
## [3.1.10] - 2025-02-12
|
|
46
59
|
|
|
47
60
|
### Security
|
|
48
61
|
|
|
49
|
-
- [CVE-2025-25184](https://github.com/
|
|
62
|
+
- [CVE-2025-25184](https://github.com/advisories/GHSA-7g2v-jj9q-g3rg) Possible Log Injection in `Rack::CommonLogger`.
|
|
50
63
|
|
|
51
64
|
## [3.1.9] - 2025-01-31
|
|
52
65
|
|
|
@@ -79,7 +92,7 @@ All notable changes to this project will be documented in this file. For info on
|
|
|
79
92
|
|
|
80
93
|
### Security
|
|
81
94
|
|
|
82
|
-
- Fix potential ReDoS attack in `Rack::Request#parse_http_accept_header`. ([GHSA-cj83-2ww7-mvq7](https://github.com/
|
|
95
|
+
- Fix potential ReDoS attack in `Rack::Request#parse_http_accept_header`. ([GHSA-cj83-2ww7-mvq7](https://github.com/advisories/GHSA-cj83-2ww7-mvq7), [@dwisiswant0](https://github.com/dwisiswant0))
|
|
83
96
|
|
|
84
97
|
## [3.1.4] - 2024-06-22
|
|
85
98
|
|
|
@@ -169,7 +182,7 @@ Rack v3.1 is primarily a maintenance release that removes features deprecated in
|
|
|
169
182
|
|
|
170
183
|
### Security
|
|
171
184
|
|
|
172
|
-
- [CVE-2025-46727](https://github.com/
|
|
185
|
+
- [CVE-2025-46727](https://github.com/advisories/GHSA-gjh7-p2fx-99vx) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion.
|
|
173
186
|
|
|
174
187
|
## [3.0.15] - 2025-04-13
|
|
175
188
|
|
|
@@ -179,13 +192,13 @@ Rack v3.1 is primarily a maintenance release that removes features deprecated in
|
|
|
179
192
|
|
|
180
193
|
### Security
|
|
181
194
|
|
|
182
|
-
- [CVE-2025-27610](https://github.com/
|
|
195
|
+
- [CVE-2025-27610](https://github.com/advisories/GHSA-7wqh-767x-r66v) Local file inclusion in `Rack::Static`.
|
|
183
196
|
|
|
184
197
|
## [3.0.13] - 2025-03-04
|
|
185
198
|
|
|
186
199
|
### Security
|
|
187
200
|
|
|
188
|
-
- [CVE-2025-27111](https://github.com/
|
|
201
|
+
- [CVE-2025-27111](https://github.com/advisories/GHSA-8cgq-6mh2-7j6v) Possible Log Injection in `Rack::Sendfile`.
|
|
189
202
|
|
|
190
203
|
### Fixed
|
|
191
204
|
|
|
@@ -195,7 +208,7 @@ Rack v3.1 is primarily a maintenance release that removes features deprecated in
|
|
|
195
208
|
|
|
196
209
|
### Security
|
|
197
210
|
|
|
198
|
-
- [CVE-2025-25184](https://github.com/
|
|
211
|
+
- [CVE-2025-25184](https://github.com/advisories/GHSA-7g2v-jj9q-g3rg) Possible Log Injection in `Rack::CommonLogger`.
|
|
199
212
|
|
|
200
213
|
## [3.0.11] - 2024-05-10
|
|
201
214
|
|
|
@@ -373,6 +386,19 @@ Rack v3.1 is primarily a maintenance release that removes features deprecated in
|
|
|
373
386
|
- Fix multipart filename generation for filenames that contain spaces. Encode spaces as "%20" instead of "+" which will be decoded properly by the multipart parser. ([#1736](https://github.com/rack/rack/pull/1645), [@muirdm](https://github.com/muirdm))
|
|
374
387
|
- `Rack::Request#scheme` returns `ws` or `wss` when one of the `X-Forwarded-Scheme` / `X-Forwarded-Proto` headers is set to `ws` or `wss`, respectively. ([#1730](https://github.com/rack/rack/issues/1730), [@erwanst](https://github.com/erwanst))
|
|
375
388
|
|
|
389
|
+
## [2.2.21] - 2025-11-03
|
|
390
|
+
|
|
391
|
+
### Fixed
|
|
392
|
+
|
|
393
|
+
- Multipart parser: limit MIME header size check to the unread buffer region to avoid false `multipart mime part header too large` errors when previously read data accumulates in the scan buffer. ([#2392](https://github.com/rack/rack/pull/2392), [@alpaca-tc](https://github.com/alpaca-tc), [@willnet](https://github.com/willnet), [@krororo](https://github.com/krororo))
|
|
394
|
+
|
|
395
|
+
## [2.2.20] - 2025-10-10
|
|
396
|
+
|
|
397
|
+
### Security
|
|
398
|
+
|
|
399
|
+
- [CVE-2025-61780](https://github.com/advisories/GHSA-r657-rxjc-j557) Improper handling of headers in `Rack::Sendfile` may allow proxy bypass.
|
|
400
|
+
- [CVE-2025-61919](https://github.com/advisories/GHSA-6xw4-3v39-52mm) Unbounded read in `Rack::Request` form parsing can lead to memory exhaustion.
|
|
401
|
+
|
|
376
402
|
## [2.2.19] - 2025-10-07
|
|
377
403
|
|
|
378
404
|
### Security
|
|
@@ -385,7 +411,7 @@ Rack v3.1 is primarily a maintenance release that removes features deprecated in
|
|
|
385
411
|
|
|
386
412
|
### Security
|
|
387
413
|
|
|
388
|
-
- [CVE-2025-59830](https://github.com/
|
|
414
|
+
- [CVE-2025-59830](https://github.com/advisories/GHSA-625h-95r8-8xpm) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion via semicolon-separated parameters.
|
|
389
415
|
|
|
390
416
|
## [2.2.17] - 2025-06-03
|
|
391
417
|
|
|
@@ -403,25 +429,25 @@ Rack v3.1 is primarily a maintenance release that removes features deprecated in
|
|
|
403
429
|
|
|
404
430
|
### Security
|
|
405
431
|
|
|
406
|
-
- [CVE-2025-46727](https://github.com/
|
|
432
|
+
- [CVE-2025-46727](https://github.com/advisories/GHSA-gjh7-p2fx-99vx) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion.
|
|
407
433
|
|
|
408
434
|
## [2.2.13] - 2025-03-11
|
|
409
435
|
|
|
410
436
|
### Security
|
|
411
437
|
|
|
412
|
-
- [CVE-2025-27610](https://github.com/
|
|
438
|
+
- [CVE-2025-27610](https://github.com/advisories/GHSA-7wqh-767x-r66v) Local file inclusion in `Rack::Static`.
|
|
413
439
|
|
|
414
440
|
## [2.2.12] - 2025-03-04
|
|
415
441
|
|
|
416
442
|
### Security
|
|
417
443
|
|
|
418
|
-
- [CVE-2025-27111](https://github.com/
|
|
444
|
+
- [CVE-2025-27111](https://github.com/advisories/GHSA-8cgq-6mh2-7j6v) Possible Log Injection in `Rack::Sendfile`.
|
|
419
445
|
|
|
420
446
|
## [2.2.11] - 2025-02-12
|
|
421
447
|
|
|
422
448
|
### Security
|
|
423
449
|
|
|
424
|
-
- [CVE-2025-25184](https://github.com/
|
|
450
|
+
- [CVE-2025-25184](https://github.com/advisories/GHSA-7g2v-jj9q-g3rg) Possible Log Injection in `Rack::CommonLogger`.
|
|
425
451
|
|
|
426
452
|
## [2.2.10] - 2024-10-14
|
|
427
453
|
|
|
@@ -444,7 +444,7 @@ module Rack
|
|
|
444
444
|
else
|
|
445
445
|
# We raise if the mime part header is too large, to avoid unbounded memory
|
|
446
446
|
# buffering. Note that the actual limit is the higher of 64KB and the buffer size (1MB by default)
|
|
447
|
-
raise Error, "multipart mime part header too large" if @sbuf.
|
|
447
|
+
raise Error, "multipart mime part header too large" if @sbuf.rest.bytesize > MIME_HEADER_BYTESIZE_LIMIT
|
|
448
448
|
|
|
449
449
|
return :want_read
|
|
450
450
|
end
|
data/lib/rack/query_parser.rb
CHANGED
|
@@ -57,6 +57,8 @@ module Rack
|
|
|
57
57
|
PARAMS_LIMIT = env_int.call("RACK_QUERY_PARSER_PARAMS_LIMIT", 4096)
|
|
58
58
|
private_constant :PARAMS_LIMIT
|
|
59
59
|
|
|
60
|
+
attr_reader :bytesize_limit
|
|
61
|
+
|
|
60
62
|
def initialize(params_class, param_depth_limit, bytesize_limit: BYTESIZE_LIMIT, params_limit: PARAMS_LIMIT)
|
|
61
63
|
@params_class = params_class
|
|
62
64
|
@param_depth_limit = param_depth_limit
|
|
@@ -218,7 +220,7 @@ module Rack
|
|
|
218
220
|
def check_query_string(qs, sep)
|
|
219
221
|
if qs
|
|
220
222
|
if qs.bytesize > @bytesize_limit
|
|
221
|
-
raise QueryLimitError, "total query size
|
|
223
|
+
raise QueryLimitError, "total query size exceeds limit (#{@bytesize_limit})"
|
|
222
224
|
end
|
|
223
225
|
|
|
224
226
|
if (param_count = qs.count(sep.is_a?(String) ? sep : '&')) >= @params_limit
|
data/lib/rack/request.rb
CHANGED
|
@@ -528,7 +528,10 @@ module Rack
|
|
|
528
528
|
set_header RACK_REQUEST_FORM_PAIRS, pairs
|
|
529
529
|
set_header RACK_REQUEST_FORM_HASH, expand_param_pairs(pairs)
|
|
530
530
|
else
|
|
531
|
-
|
|
531
|
+
# Add 2 bytes. One to check whether it is over the limit, and a second
|
|
532
|
+
# in case the slice! call below removes the last byte
|
|
533
|
+
# If read returns nil, use the empty string
|
|
534
|
+
form_vars = get_header(RACK_INPUT).read(query_parser.bytesize_limit + 2) || ''
|
|
532
535
|
|
|
533
536
|
# Fix for Safari Ajax postings that always append \0
|
|
534
537
|
# form_vars.sub!(/\0\z/, '') # performance replacement:
|
data/lib/rack/sendfile.rb
CHANGED
|
@@ -16,21 +16,21 @@ module Rack
|
|
|
16
16
|
# delivery code.
|
|
17
17
|
#
|
|
18
18
|
# In order to take advantage of this middleware, the response body must
|
|
19
|
-
# respond to +to_path+ and the request must include an x-sendfile-type
|
|
19
|
+
# respond to +to_path+ and the request must include an `x-sendfile-type`
|
|
20
20
|
# header. Rack::Files and other components implement +to_path+ so there's
|
|
21
|
-
# rarely anything you need to do in your application. The x-sendfile-type
|
|
21
|
+
# rarely anything you need to do in your application. The `x-sendfile-type`
|
|
22
22
|
# header is typically set in your web servers configuration. The following
|
|
23
23
|
# sections attempt to document
|
|
24
24
|
#
|
|
25
25
|
# === Nginx
|
|
26
26
|
#
|
|
27
|
-
# Nginx supports the x-accel-redirect header. This is similar to x-sendfile
|
|
27
|
+
# Nginx supports the `x-accel-redirect` header. This is similar to `x-sendfile`
|
|
28
28
|
# but requires parts of the filesystem to be mapped into a private URL
|
|
29
29
|
# hierarchy.
|
|
30
30
|
#
|
|
31
31
|
# The following example shows the Nginx configuration required to create
|
|
32
|
-
# a private "/files/" area, enable x-accel-redirect
|
|
33
|
-
# x-
|
|
32
|
+
# a private "/files/" area, enable `x-accel-redirect`, and pass the special
|
|
33
|
+
# `x-accel-mapping` header to the backend:
|
|
34
34
|
#
|
|
35
35
|
# location ~ /files/(.*) {
|
|
36
36
|
# internal;
|
|
@@ -44,24 +44,29 @@ module Rack
|
|
|
44
44
|
# proxy_set_header X-Real-IP $remote_addr;
|
|
45
45
|
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
46
46
|
#
|
|
47
|
-
# proxy_set_header x-sendfile-type x-accel-redirect;
|
|
48
47
|
# proxy_set_header x-accel-mapping /var/www/=/files/;
|
|
49
48
|
#
|
|
50
49
|
# proxy_pass http://127.0.0.1:8080/;
|
|
51
50
|
# }
|
|
52
51
|
#
|
|
53
|
-
#
|
|
54
|
-
# The x-accel-mapping header should specify the location on the file system,
|
|
52
|
+
# The `x-accel-mapping` header should specify the location on the file system,
|
|
55
53
|
# followed by an equals sign (=), followed name of the private URL pattern
|
|
56
54
|
# that it maps to. The middleware performs a simple substitution on the
|
|
57
55
|
# resulting path.
|
|
58
56
|
#
|
|
57
|
+
# To enable `x-accel-redirect`, you must configure the middleware explicitly:
|
|
58
|
+
#
|
|
59
|
+
# use Rack::Sendfile, "x-accel-redirect"
|
|
60
|
+
#
|
|
61
|
+
# For security reasons, the `x-sendfile-type` header from requests is ignored.
|
|
62
|
+
# The sendfile variation must be set via the middleware constructor.
|
|
63
|
+
#
|
|
59
64
|
# See Also: https://www.nginx.com/resources/wiki/start/topics/examples/xsendfile
|
|
60
65
|
#
|
|
61
66
|
# === lighttpd
|
|
62
67
|
#
|
|
63
|
-
# Lighttpd has supported some variation of the x-sendfile header for some
|
|
64
|
-
# time, although only recent version support x-sendfile in a reverse proxy
|
|
68
|
+
# Lighttpd has supported some variation of the `x-sendfile` header for some
|
|
69
|
+
# time, although only recent version support `x-sendfile` in a reverse proxy
|
|
65
70
|
# configuration.
|
|
66
71
|
#
|
|
67
72
|
# $HTTP["host"] == "example.com" {
|
|
@@ -83,7 +88,7 @@ module Rack
|
|
|
83
88
|
#
|
|
84
89
|
# === Apache
|
|
85
90
|
#
|
|
86
|
-
# x-sendfile is supported under Apache 2.x using a separate module:
|
|
91
|
+
# `x-sendfile` is supported under Apache 2.x using a separate module:
|
|
87
92
|
#
|
|
88
93
|
# https://tn123.org/mod_xsendfile/
|
|
89
94
|
#
|
|
@@ -97,16 +102,28 @@ module Rack
|
|
|
97
102
|
# === Mapping parameter
|
|
98
103
|
#
|
|
99
104
|
# The third parameter allows for an overriding extension of the
|
|
100
|
-
# x-accel-mapping header. Mappings should be provided in tuples of internal to
|
|
105
|
+
# `x-accel-mapping` header. Mappings should be provided in tuples of internal to
|
|
101
106
|
# external. The internal values may contain regular expression syntax, they
|
|
102
107
|
# will be matched with case indifference.
|
|
108
|
+
#
|
|
109
|
+
# When `x-accel-redirect` is explicitly enabled via the variation parameter,
|
|
110
|
+
# and no application-level mappings are provided, the middleware will read
|
|
111
|
+
# the `x-accel-mapping` header from the proxy. This allows nginx to control
|
|
112
|
+
# the path mapping without requiring application-level configuration.
|
|
113
|
+
#
|
|
114
|
+
# === Security
|
|
115
|
+
#
|
|
116
|
+
# For security reasons, the `x-sendfile-type` header from HTTP requests is
|
|
117
|
+
# ignored. The sendfile variation must be explicitly configured via the
|
|
118
|
+
# middleware constructor to prevent information disclosure vulnerabilities
|
|
119
|
+
# where attackers could bypass proxy restrictions.
|
|
103
120
|
|
|
104
121
|
class Sendfile
|
|
105
122
|
def initialize(app, variation = nil, mappings = [])
|
|
106
123
|
@app = app
|
|
107
124
|
@variation = variation
|
|
108
125
|
@mappings = mappings.map do |internal, external|
|
|
109
|
-
[
|
|
126
|
+
[/\A#{internal}/i, external]
|
|
110
127
|
end
|
|
111
128
|
end
|
|
112
129
|
|
|
@@ -145,22 +162,35 @@ module Rack
|
|
|
145
162
|
end
|
|
146
163
|
|
|
147
164
|
private
|
|
165
|
+
|
|
148
166
|
def variation(env)
|
|
149
|
-
|
|
150
|
-
|
|
151
|
-
|
|
167
|
+
# Note: HTTP_X_SENDFILE_TYPE is intentionally NOT read for security reasons.
|
|
168
|
+
# Attackers could use this header to enable x-accel-redirect and bypass proxy restrictions.
|
|
169
|
+
@variation || env['sendfile.type']
|
|
170
|
+
end
|
|
171
|
+
|
|
172
|
+
def x_accel_mapping(env)
|
|
173
|
+
# Only allow header when:
|
|
174
|
+
# 1. `x-accel-redirect` is explicitly enabled via constructor.
|
|
175
|
+
# 2. No application-level mappings are configured.
|
|
176
|
+
return nil unless @variation =~ /x-accel-redirect/i
|
|
177
|
+
return nil if @mappings.any?
|
|
178
|
+
|
|
179
|
+
env['HTTP_X_ACCEL_MAPPING']
|
|
152
180
|
end
|
|
153
181
|
|
|
154
182
|
def map_accel_path(env, path)
|
|
155
183
|
if mapping = @mappings.find { |internal, _| internal =~ path }
|
|
156
|
-
path.sub(*mapping)
|
|
157
|
-
elsif mapping = env
|
|
184
|
+
return path.sub(*mapping)
|
|
185
|
+
elsif mapping = x_accel_mapping(env)
|
|
186
|
+
# Safe to use header: explicit config + no app mappings:
|
|
158
187
|
mapping.split(',').map(&:strip).each do |m|
|
|
159
188
|
internal, external = m.split('=', 2).map(&:strip)
|
|
160
|
-
new_path = path.sub(
|
|
189
|
+
new_path = path.sub(/\A#{internal}/i, external)
|
|
161
190
|
return new_path unless path == new_path
|
|
162
191
|
end
|
|
163
|
-
|
|
192
|
+
|
|
193
|
+
return path
|
|
164
194
|
end
|
|
165
195
|
end
|
|
166
196
|
end
|
data/lib/rack/version.rb
CHANGED