rack 3.1.20 → 3.1.21

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a488ddfe5c740f9e46a70c38210547991b02820facbdcc083dcfc8819c356a13
-  data.tar.gz: b8725e15bfe9c87116be051393bfb50347be679eabd108ee8cfefc8a0fa31925
+  metadata.gz: 7aaf1007eae50de14eec6eaa6a4d586f1fe15b614bfe77bf68bea65c6ad59423
+  data.tar.gz: 56ce4db8b9c1aeffaf750836ea16bf264841909aeb4befb81719e45189742ac3
 SHA512:
-  metadata.gz: 0af4c23fa7431ad434e0ea9dad90ced022c47bff29bf8a161b3f7feb107ae7ee0ff69c487548d0da29c80cee24848c2922b6d78e3da14687212a57fa61a16f84
-  data.tar.gz: 1ef0da78779595bc3f56d80b9959feb0a725b2190d717a2c4df9ef5c04bb76bbf1888297383a9cb058974e3107d693e8779b2410b55869da4916367bce091b0f
+  metadata.gz: 3917f67c856cf670e2f3eaf4432b74366f8b5ee09a78ae2acad9075b10cca355fc718b5025fed92091b56187e4e614fc5ab24066c26298a3af4352ec064fe490
+  data.tar.gz: 6a741930a02797a64a50bf7fb8e11957e4bf0c5771a26e0491c131c3ad71d0e120f5a70ceec80fe12c0d866daaa822eb0cdcb9f55a9a2d509ef01659fde08231

data/CHANGELOG.md

@@ -2,7 +2,24 @@
 
 All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
 
-## Unreleased
+## [3.1.21] - 2026-04-01
+
+### Security
+
+- [CVE-2026-34763](https://github.com/advisories/GHSA-7mqq-6cf9-v2qp) Root directory disclosure via unescaped regex interpolation in `Rack::Directory`.
+- [CVE-2026-34230](https://github.com/advisories/GHSA-v569-hp3g-36wr) Avoid O(n^2) algorithm in `Rack::Utils.select_best_encoding` which could lead to denial of service.
+- [CVE-2026-32762](https://github.com/advisories/GHSA-qfgr-crr9-7r49) Forwarded header semicolon injection enables Host and Scheme spoofing.
+- [CVE-2026-26961](https://github.com/advisories/GHSA-vgpv-f759-9wx3) Raise error for multipart requests with multiple boundary parameters.
+- [CVE-2026-34786](https://github.com/advisories/GHSA-q4qf-9j86-f5mh) `Rack::Static` `header_rules` bypass via URL-encoded path mismatch.
+- [CVE-2026-34831](https://github.com/advisories/GHSA-q2ww-5357-x388) `Content-Length` mismatch in `Rack::Files` error responses.
+- [CVE-2026-34826](https://github.com/advisories/GHSA-x8cg-fq8g-mxfx) Multipart byte range processing allows denial of service via excessive overlapping ranges.
+- [CVE-2026-34835](https://github.com/advisories/GHSA-g2pf-xv49-m2h5) `Rack::Request` accepts invalid Host characters, enabling host allowlist bypass.
+- [CVE-2026-34830](https://github.com/advisories/GHSA-qv7j-4883-hwh7) `Rack::Sendfile` header-based `X-Accel-Mapping` regex injection enables unauthorized `X-Accel-Redirect`.
+- [CVE-2026-34785](https://github.com/advisories/GHSA-h2jq-g4cq-5ppq) `Rack::Static` prefix matching can expose unintended files under the static root.
+- [CVE-2026-34829](https://github.com/advisories/GHSA-8vqr-qjwx-82mw) Multipart parsing without `Content-Length` header allows unbounded chunked file uploads.
+- [CVE-2026-34827](https://github.com/advisories/GHSA-v6x5-cg8r-vv6x) Quadratic-time multipart header parsing allows denial of service via escape-heavy quoted parameters.
+
+## [3.1.20] - 2026-02-16
 
 ### Security
 
@@ -393,6 +410,13 @@ Rack v3.1 is primarily a maintenance release that removes features deprecated in
 - Fix multipart filename generation for filenames that contain spaces. Encode spaces as "%20" instead of "+" which will be decoded properly by the multipart parser. ([#1736](https://github.com/rack/rack/pull/1645), [@muirdm](https://github.com/muirdm))
 - `Rack::Request#scheme` returns `ws` or `wss` when one of the `X-Forwarded-Scheme` / `X-Forwarded-Proto` headers is set to `ws` or `wss`, respectively. ([#1730](https://github.com/rack/rack/issues/1730), [@erwanst](https://github.com/erwanst))
 
+## [2.2.22] - 2026-02-16
+
+### Security
+
+- [CVE-2026-25500](https://github.com/advisories/GHSA-whrj-4476-wvmp) XSS injection via malicious filename in `Rack::Directory`.
+- [CVE-2026-22860](https://github.com/advisories/GHSA-mxw3-3hh2-x2mh) Directory traversal via root prefix bypass in `Rack::Directory`.
+
 ## [2.2.21] - 2025-11-03
 
 ### Fixed

data/lib/rack/directory.rb

@@ -51,7 +51,7 @@ table { width:100%%; }
     class DirectoryBody < Struct.new(:root, :path, :files)
       # Yield strings for each part of the directory entry
       def each
-        show_path = Utils.escape_html(path.sub(/^#{root}/, ''))
+        show_path = Utils.escape_html(path.sub(/\A#{Regexp.escape(root)}/, ''))
         yield(DIR_PAGE_HEADER % [ show_path, show_path ])
 
         unless path.chomp('/') == root

data/lib/rack/files.rb

@@ -194,7 +194,7 @@ EOF
         status,
         {
           CONTENT_TYPE   => "text/plain",
-          CONTENT_LENGTH => body.size.to_s,
+          CONTENT_LENGTH => body.bytesize.to_s,
           "x-cascade" => "pass"
         }.merge!(headers),
         [body]

data/lib/rack/multipart/parser.rb

@@ -33,7 +33,7 @@ module Rack
     EOL = "\r\n"
     FWS = /[ \t]+(?:\r\n[ \t]+)?/ # whitespace with optional folding
     HEADER_VALUE = "(?:[^\r\n]|\r\n[ \t])*" # anything but a non-folding CRLF
-    MULTIPART = %r|\Amultipart/.*boundary=\"?([^\";,]+)\"?|ni
+    MULTIPART = %r|\Amultipart/.*?boundary(\s*)=\"?([^\";,]+)\"?|ni
     MULTIPART_CONTENT_TYPE = /^Content-Type:#{FWS}?(#{HEADER_VALUE})/ni
     MULTIPART_CONTENT_DISPOSITION = /^Content-Disposition:#{FWS}?(#{HEADER_VALUE})/ni
     MULTIPART_CONTENT_ID = /^Content-ID:#{FWS}?(#{HEADER_VALUE})/ni
@@ -68,6 +68,13 @@ module Rack
       BUFFERED_UPLOAD_BYTESIZE_LIMIT = env_int.call("RACK_MULTIPART_BUFFERED_UPLOAD_BYTESIZE_LIMIT", 16 * 1024 * 1024)
       private_constant :BUFFERED_UPLOAD_BYTESIZE_LIMIT
 
+      bytesize_limit = env_int.call("RACK_MULTIPART_PARSER_BYTESIZE_LIMIT", 10 * 1024 * 1024 * 1024)
+      PARSER_BYTESIZE_LIMIT = bytesize_limit > 0 ? bytesize_limit : nil
+      private_constant :PARSER_BYTESIZE_LIMIT
+
+      CONTENT_DISPOSITION_QUOTED_ESCAPES_LIMIT = env_int.call("RACK_MULTIPART_CONTENT_DISPOSITION_QUOTED_ESCAPES_LIMIT", 8 * 1024)
+      private_constant :CONTENT_DISPOSITION_QUOTED_ESCAPES_LIMIT
+
       class BoundedIO # :nodoc:
         def initialize(io, content_length)
           @io             = io
@@ -104,7 +111,15 @@ module Rack
         return unless content_type
         data = content_type.match(MULTIPART)
         return unless data
-        data[1]
+
+        unless data[1].empty?
+          raise Error, "whitespace between boundary parameter name and equal sign"
+        end
+        if data.post_match.match?(/boundary\s*=/i)
+          raise BoundaryTooLongError, "multiple boundary parameters found in multipart content type"
+        end
+
+        data[2]
       end
 
       def self.parse(io, content_length, content_type, tmpfile, bufsize, qp)
@@ -113,6 +128,10 @@ module Rack
         boundary = parse_boundary content_type
         return EMPTY unless boundary
 
+        if PARSER_BYTESIZE_LIMIT && content_length && content_length > PARSER_BYTESIZE_LIMIT
+          raise Error, "multipart Content-Length #{content_length} exceeds limit of #{PARSER_BYTESIZE_LIMIT} bytes"
+        end
+
         if boundary.length > 70
           # RFC 1521 Section 7.2.1 imposes a 70 character maximum for the boundary.
           # Most clients use no more than 55 characters.
@@ -229,6 +248,8 @@ module Rack
         @mime_index = 0
         @body_retained = nil
         @retained_size = 0
+        @total_bytes_read = (0 if PARSER_BYTESIZE_LIMIT)
+        @content_disposition_quoted_escapes = 0
         @collector = Collector.new tempfile
 
         @sbuf = StringScanner.new("".dup)
@@ -240,6 +261,7 @@ module Rack
       end
 
       def parse(io)
+        @total_bytes_read &&= nil if io.is_a?(BoundedIO)
         outbuf = String.new
         read_data(io, outbuf)
 
@@ -283,6 +305,12 @@ module Rack
       def read_data(io, outbuf)
         content = io.read(@bufsize, outbuf)
         handle_empty_content!(content)
+        if @total_bytes_read
+          @total_bytes_read += content.bytesize
+          if @total_bytes_read > PARSER_BYTESIZE_LIMIT
+            raise Error, "multipart upload exceeds limit of #{PARSER_BYTESIZE_LIMIT} bytes"
+          end
+        end
         @sbuf.concat(content)
       end
 
@@ -376,6 +404,11 @@ module Rack
                   # stop parsing parameter value if found ending quote
                   break if c == '"'
 
+                  @content_disposition_quoted_escapes += 1
+                  if @content_disposition_quoted_escapes > CONTENT_DISPOSITION_QUOTED_ESCAPES_LIMIT
+                    raise Error, "number of quoted escapes during content disposition parsing exceeds limit"
+                  end
+
                   escaped_char = disposition.slice!(0, 1)
                   if param == 'filename' && escaped_char != '"'
                     # Possible IE uploaded filename, append both escape backslash and value

data/lib/rack/request.rb

@@ -728,8 +728,8 @@ module Rack
           # Match IPv6 as a string of hex digits and colons in square brackets
           \[(?<address>#{ipv6})\]
           |
-          # Match any other printable string (except square brackets) as a hostname
-          (?<address>[[[:graph:]&&[^\[\]]]]*?)
+          # Match characters allowed by RFC 3986 Section 3.2.2
+          (?<address>[-a-zA-Z0-9._~%!$&'()*+,;=]*?)
         )
         (:(?<port>\d+))?
         \z

data/lib/rack/sendfile.rb

@@ -51,7 +51,7 @@ module Rack
   #
   # The `x-accel-mapping` header should specify the location on the file system,
   # followed by an equals sign (=), followed name of the private URL pattern
-  # that it maps to. The middleware performs a simple substitution on the
+  # that it maps to. The middleware performs a case-insensitive substitution on the
   # resulting path.
   #
   # To enable `x-accel-redirect`, you must configure the middleware explicitly:
@@ -186,7 +186,7 @@ module Rack
         # Safe to use header: explicit config + no app mappings:
         mapping.split(',').map(&:strip).each do |m|
           internal, external = m.split('=', 2).map(&:strip)
-          new_path = path.sub(/\A#{internal}/i, external)
+          new_path = path.sub(/\A#{Regexp.escape(internal)}/i, external)
           return new_path unless path == new_path
         end
 

data/lib/rack/static.rb

@@ -93,6 +93,9 @@ module Rack
     def initialize(app, options = {})
       @app = app
       @urls = options[:urls] || ["/favicon.ico"]
+      if @urls.kind_of?(Array)
+        @urls = @urls.map { |url| [url, url.end_with?('/') ? url : "#{url}/".freeze].freeze }.freeze
+      end
       @index = options[:index]
       @gzip = options[:gzip]
       @cascade = options[:cascade]
@@ -115,7 +118,7 @@ module Rack
     end
 
     def route_file(path)
-      @urls.kind_of?(Array) && @urls.any? { |url| path.index(url) == 0 }
+      @urls.kind_of?(Array) && @urls.any? { |url, url_slash| path == url || path.start_with?(url_slash) }
     end
 
     def can_serve(path)
@@ -165,6 +168,8 @@ module Rack
 
     # Convert HTTP header rules to HTTP headers
     def applicable_rules(path)
+      path = ::Rack::Utils.unescape_path(path)
+
       @header_rules.find_all do |rule, new_headers|
         case rule
         when :all
@@ -172,10 +177,9 @@ module Rack
         when :fonts
           /\.(?:ttf|otf|eot|woff2|woff|svg)\z/.match?(path)
         when String
-          path = ::Rack::Utils.unescape(path)
           path.start_with?(rule) || path.start_with?('/' + rule)
         when Array
-          /\.(#{rule.join('|')})\z/.match?(path)
+          /\.#{Regexp.union(rule)}\z/.match?(path)
         when Regexp
           rule.match?(path)
         else

data/lib/rack/utils.rb

@@ -146,17 +146,77 @@ module Rack
       end
     end
 
+    ALLOWED_FORWARED_PARAMS = %w[by for host proto].to_h { |name| [name, name.to_sym] }.freeze
+    private_constant :ALLOWED_FORWARED_PARAMS
+
     def forwarded_values(forwarded_header)
-      return nil unless forwarded_header
-      forwarded_header = forwarded_header.to_s.gsub("\n", ";")
-
-      forwarded_header.split(';').each_with_object({}) do |field, values|
-        field.split(',').each do |pair|
-          pair = pair.split('=').map(&:strip).join('=')
-          return nil unless pair =~ /\A(by|for|host|proto)="?([^"]+)"?\Z/i
-          (values[$1.downcase.to_sym] ||= []) << $2
+      return unless forwarded_header
+      header = forwarded_header.to_s.tr("\n", ";")
+      header.sub!(/\A[\s;,]+/, '')
+      num_params = num_escapes = 0
+      max_params = max_escapes = 1024
+      params = {}
+
+      # Parse parameter list
+      while i = header.index('=')
+        # Only parse up to max parameters, to avoid potential denial of service
+        num_params += 1
+        return if num_params > max_params
+
+        # Found end of parameter name, ensure forward progress in loop
+        param = header.slice!(0, i+1)
+
+        # Remove ending equals and preceding whitespace from parameter name
+        param.chomp!('=')
+        param.strip!
+        param.downcase!
+        return unless param = ALLOWED_FORWARED_PARAMS[param]
+
+        if header[0] == '"'
+          # Parameter value is quoted, parse it, handling backslash escapes
+          header.slice!(0, 1)
+          value = String.new
+
+          while i = header.index(/(["\\])/)
+            c = $1
+
+            # Append all content until ending quote or escape
+            value << header.slice!(0, i)
+
+            # Remove either backslash or ending quote,
+            # ensures forward progress in loop
+            header.slice!(0, 1)
+
+            # stop parsing parameter value if found ending quote
+            break if c == '"'
+
+            # Only allow up to max escapes, to avoid potential denial of service
+            num_escapes += 1
+            return if num_escapes > max_escapes
+            escaped_char = header.slice!(0, 1)
+            value << escaped_char
+          end
+        else
+          if i = header.index(/[;,]/)
+            # Parameter value unquoted (which may be invalid), value ends at comma or semicolon
+            value = header.slice!(0, i)
+            value.sub!(/[\s;,]+\z/, '')
+          else
+            # If no ending semicolon, assume remainder of line is value and stop parsing
+            header.strip!
+            value = header
+            header = ''
+          end
+          value.lstrip!
         end
+
+        (params[param] ||= []) << value
+
+        # skip trailing semicolons/commas/whitespace, to proceed to next parameter
+        header.sub!(/\A[\s;,]+/, '') unless header.empty?
       end
+
+      params
     end
     module_function :forwarded_values
 
@@ -189,17 +249,41 @@ module Rack
       end
     end
 
+    # Given an array of available encoding strings, and an array of
+    # acceptable encodings for a request, where each element of the
+    # acceptable encodings array is an array where the first element
+    # is an encoding name and the second element is the numeric
+    # priority for the encoding, return the available encoding with
+    # the highest priority.
+    #
+    # The accept_encoding argument is typically generated by calling
+    # Request#accept_encoding.
+    #
+    # Example:
+    #
+    #   select_best_encoding(%w(compress gzip identity),
+    #                        [["compress", 0.5], ["gzip", 1.0]])
+    #   # => "gzip"
+    #
+    # To reduce denial of service potential, only the first 16
+    # acceptable encodings are considered.
     def select_best_encoding(available_encodings, accept_encoding)
       # http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html
 
+      # Only process the first 16 encodings
+      accept_encoding = accept_encoding[0...16]
       expanded_accept_encoding = []
+      wildcard_seen = false
 
       accept_encoding.each do |m, q|
         preference = available_encodings.index(m) || available_encodings.size
 
         if m == "*"
-          (available_encodings - accept_encoding.map(&:first)).each do |m2|
-            expanded_accept_encoding << [m2, q, preference]
+          unless wildcard_seen
+            (available_encodings - accept_encoding.map(&:first)).each do |m2|
+              expanded_accept_encoding << [m2, q, preference]
+            end
+            wildcard_seen = true
           end
         else
           expanded_accept_encoding << [m, q, preference]
@@ -207,7 +291,13 @@ module Rack
       end
 
       encoding_candidates = expanded_accept_encoding
-        .sort_by { |_, q, p| [-q, p] }
+        .sort do |(_, q1, p1), (_, q2, p2)|
+          if r = (q1 <=> q2).nonzero?
+            -r
+          else
+            (p1 <=> p2).nonzero? || 0
+          end
+        end
         .map!(&:first)
 
       unless encoding_candidates.include?("identity")
@@ -406,17 +496,19 @@ module Rack
     # Parses the "Range:" header, if present, into an array of Range objects.
     # Returns nil if the header is missing or syntactically invalid.
     # Returns an empty array if none of the ranges are satisfiable.
-    def byte_ranges(env, size)
-      get_byte_ranges env['HTTP_RANGE'], size
+    def byte_ranges(env, size, max_ranges: 100)
+      get_byte_ranges env['HTTP_RANGE'], size, max_ranges: max_ranges
     end
 
-    def get_byte_ranges(http_range, size)
+    def get_byte_ranges(http_range, size, max_ranges: 100)
       # See <http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.35>
       # Ignore Range when file size is 0 to avoid a 416 error.
       return nil if size.zero?
       return nil unless http_range && http_range =~ /bytes=([^;]+)/
+      byte_range = $1
+      return nil if byte_range.count(',') >= max_ranges
       ranges = []
-      $1.split(/,\s*/).each do |range_spec|
+      byte_range.split(/,[ \t]*/).each do |range_spec|
         return nil unless range_spec.include?('-')
         range = range_spec.split('-')
         r0, r1 = range[0], range[1]

data/lib/rack/version.rb

@@ -12,7 +12,7 @@
 # so it should be enough just to <tt>require 'rack'</tt> in your code.
 
 module Rack
-  RELEASE = "3.1.20"
+  RELEASE = "3.1.21"
 
   # Return the Rack release as a dotted string.
   def self.release

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-  version: 3.1.20
+  version: 3.1.21
 platform: ruby
 authors:
 - Leah Neukirchen
@@ -156,7 +156,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 4.0.3
+rubygems_version: 4.0.6
 specification_version: 4
 summary: A modular Ruby webserver interface.
 test_files: []