rack 3.1.18 → 3.1.20

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 627b4fe8d3af482f544229eaa2a32868adf887decbc3616669646c0ecdb514e5
-  data.tar.gz: f5c0b0b49232d4dd4630e4ccf71f30a322bf7cf91f8e38711e9a203b2e2c03c7
+  metadata.gz: a488ddfe5c740f9e46a70c38210547991b02820facbdcc083dcfc8819c356a13
+  data.tar.gz: b8725e15bfe9c87116be051393bfb50347be679eabd108ee8cfefc8a0fa31925
 SHA512:
-  metadata.gz: 5f61477c3fc2f135ee874290de05f1c18c015fe9285348e5d673a41d86782bd00f61f83d8fea2a81af15158e3d87acea8c2edcf5600c7e292df79c2e40480f98
-  data.tar.gz: 6e22900f3d703d4db6d14e4a7960a52f835df19df2796cf1669e1c4415b4243a5e9097cf87ab1b37102090a98109408524ca6c2762a77f69eeda9755ed47aef1
+  metadata.gz: 0af4c23fa7431ad434e0ea9dad90ced022c47bff29bf8a161b3f7feb107ae7ee0ff69c487548d0da29c80cee24848c2922b6d78e3da14687212a57fa61a16f84
+  data.tar.gz: 1ef0da78779595bc3f56d80b9959feb0a725b2190d717a2c4df9ef5c04bb76bbf1888297383a9cb058974e3107d693e8779b2410b55869da4916367bce091b0f

data/CHANGELOG.md

@@ -2,6 +2,19 @@
 
 All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
 
+## Unreleased
+
+### Security
+
+- [CVE-2026-25500](https://github.com/advisories/GHSA-whrj-4476-wvmp) XSS injection via malicious filename in `Rack::Directory`.
+- [CVE-2026-22860](https://github.com/advisories/GHSA-mxw3-3hh2-x2mh) Directory traversal via root prefix bypass in `Rack::Directory`.
+
+## [3.1.19] - 2025-11-03
+
+### Fixed
+
+- Multipart parser: limit MIME header size check to the unread buffer region to avoid false `multipart mime part header too large` errors when previously read data accumulates in the scan buffer. ([#2392](https://github.com/rack/rack/pull/2392), [@alpaca-tc](https://github.com/alpaca-tc), [@willnet](https://github.com/willnet), [@krororo](https://github.com/krororo))
+
 ## [3.1.18] - 2025-10-10
 
 ### Security
@@ -380,6 +393,12 @@ Rack v3.1 is primarily a maintenance release that removes features deprecated in
 - Fix multipart filename generation for filenames that contain spaces. Encode spaces as "%20" instead of "+" which will be decoded properly by the multipart parser. ([#1736](https://github.com/rack/rack/pull/1645), [@muirdm](https://github.com/muirdm))
 - `Rack::Request#scheme` returns `ws` or `wss` when one of the `X-Forwarded-Scheme` / `X-Forwarded-Proto` headers is set to `ws` or `wss`, respectively. ([#1730](https://github.com/rack/rack/issues/1730), [@erwanst](https://github.com/erwanst))
 
+## [2.2.21] - 2025-11-03
+
+### Fixed
+
+- Multipart parser: limit MIME header size check to the unread buffer region to avoid false `multipart mime part header too large` errors when previously read data accumulates in the scan buffer. ([#2392](https://github.com/rack/rack/pull/2392), [@alpaca-tc](https://github.com/alpaca-tc), [@willnet](https://github.com/willnet), [@krororo](https://github.com/krororo))
+
 ## [2.2.20] - 2025-10-10
 
 ### Security

data/lib/rack/directory.rb

@@ -17,7 +17,7 @@ module Rack
   # If +app+ is not specified, a Rack::Files of the same +root+ will be used.
 
   class Directory
-    DIR_FILE = "<tr><td class='name'><a href='%s'>%s</a></td><td class='size'>%s</td><td class='type'>%s</td><td class='mtime'>%s</td></tr>\n"
+    DIR_FILE = "<tr><td class='name'><a href='./%s'>%s</a></td><td class='size'>%s</td><td class='type'>%s</td><td class='mtime'>%s</td></tr>\n"
     DIR_PAGE_HEADER = <<-PAGE
 <html><head>
   <title>%s</title>
@@ -82,6 +82,7 @@ table { width:100%%; }
     # Set the root directory and application for serving files.
     def initialize(root, app = nil)
       @root = ::File.expand_path(root)
+      @root_with_separator = @root.end_with?(::File::SEPARATOR) ? @root : "#{@root}#{::File::SEPARATOR}"
       @app = app || Files.new(@root)
       @head = Head.new(method(:get))
     end
@@ -118,7 +119,9 @@ table { width:100%%; }
     # Rack response to use for requests with paths outside the root, or nil if path is inside the root.
     def check_forbidden(path_info)
       return unless path_info.include? ".."
-      return if ::File.expand_path(::File.join(@root, path_info)).start_with?(@root)
+
+      expanded_path = ::File.expand_path(::File.join(@root, path_info))
+      return if expanded_path == @root || expanded_path.start_with?(@root_with_separator)
 
       body = "Forbidden\n"
       [403, { CONTENT_TYPE => "text/plain",

data/lib/rack/multipart/parser.rb

@@ -444,7 +444,7 @@ module Rack
         else
           # We raise if the mime part header is too large, to avoid unbounded memory
           # buffering. Note that the actual limit is the higher of 64KB and the buffer size (1MB by default)
-          raise Error, "multipart mime part header too large" if @sbuf.string.bytesize > MIME_HEADER_BYTESIZE_LIMIT
+          raise Error, "multipart mime part header too large" if @sbuf.rest.bytesize > MIME_HEADER_BYTESIZE_LIMIT
 
           return :want_read
         end

data/lib/rack/version.rb

@@ -12,7 +12,7 @@
 # so it should be enough just to <tt>require 'rack'</tt> in your code.
 
 module Rack
-  RELEASE = "3.1.18"
+  RELEASE = "3.1.20"
 
   # Return the Rack release as a dotted string.
   def self.release

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-  version: 3.1.18
+  version: 3.1.20
 platform: ruby
 authors:
 - Leah Neukirchen
@@ -156,7 +156,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.9
+rubygems_version: 4.0.3
 specification_version: 4
 summary: A modular Ruby webserver interface.
 test_files: []