rack 3.1.21 → 3.2.0

data/lib/rack/media_type.rb

@@ -14,12 +14,11 @@ module Rack
       # For more information on the use of media types in HTTP, see:
       # http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.7
       def type(content_type)
-        return nil unless content_type
-        if type = content_type.split(SPLIT_PATTERN, 2).first
-          type.rstrip!
-          type.downcase!
-          type
-        end
+        return nil unless content_type && !content_type.empty?
+        type = content_type.split(SPLIT_PATTERN, 2).first
+        type.rstrip!
+        type.downcase!
+        type
       end
 
       # The media type parameters provided in CONTENT_TYPE as a Hash, or
@@ -33,7 +32,7 @@ module Rack
       # and "text/plain;charset" will return { 'charset' => '' }, similarly to 
       # the query params parser (barring the latter case, which returns nil instead)).
       def params(content_type)
-        return {} if content_type.nil?
+        return {} if content_type.nil? || content_type.empty?
 
         content_type.split(SPLIT_PATTERN)[1..-1].each_with_object({}) do |s, hsh|
           s.strip!

data/lib/rack/mock_response.rb

@@ -10,33 +10,27 @@ module Rack
   # MockRequest.
 
   class MockResponse < Rack::Response
-    begin
-      # Recent versions of the CGI gem may not provide `CGI::Cookie`.
-      require 'cgi/cookie'
-      Cookie = CGI::Cookie
-    rescue LoadError
-      class Cookie
-        attr_reader :name, :value, :path, :domain, :expires, :secure
-
-        def initialize(args)
-          @name = args["name"]
-          @value = args["value"]
-          @path = args["path"]
-          @domain = args["domain"]
-          @expires = args["expires"]
-          @secure = args["secure"]
-        end
+    class Cookie
+      attr_reader :name, :value, :path, :domain, :expires, :secure
+
+      def initialize(args)
+        @name = args["name"]
+        @value = args["value"]
+        @path = args["path"]
+        @domain = args["domain"]
+        @expires = args["expires"]
+        @secure = args["secure"]
+      end
 
-        def method_missing(method_name, *args, &block)
-          @value.send(method_name, *args, &block)
-        end
-        # :nocov:
-        ruby2_keywords(:method_missing) if respond_to?(:ruby2_keywords, true)
-        # :nocov:
+      def method_missing(method_name, *args, &block)
+        @value.send(method_name, *args, &block)
+      end
+      # :nocov:
+      ruby2_keywords(:method_missing) if respond_to?(:ruby2_keywords, true)
+      # :nocov:
 
-        def respond_to_missing?(method_name, include_all = false)
-          @value.respond_to?(method_name, include_all) || super
-        end
+      def respond_to_missing?(method_name, include_all = false)
+        @value.respond_to?(method_name, include_all) || super
       end
     end
 

data/lib/rack/multipart/parser.rb

@@ -33,11 +33,23 @@ module Rack
     EOL = "\r\n"
     FWS = /[ \t]+(?:\r\n[ \t]+)?/ # whitespace with optional folding
     HEADER_VALUE = "(?:[^\r\n]|\r\n[ \t])*" # anything but a non-folding CRLF
-    MULTIPART = %r|\Amultipart/.*?boundary(\s*)=\"?([^\";,]+)\"?|ni
+    MULTIPART = %r|\Amultipart/.*boundary=\"?([^\";,]+)\"?|ni
     MULTIPART_CONTENT_TYPE = /^Content-Type:#{FWS}?(#{HEADER_VALUE})/ni
     MULTIPART_CONTENT_DISPOSITION = /^Content-Disposition:#{FWS}?(#{HEADER_VALUE})/ni
     MULTIPART_CONTENT_ID = /^Content-ID:#{FWS}?(#{HEADER_VALUE})/ni
 
+    # Rack::Multipart::Parser handles parsing of multipart/form-data requests.
+    #
+    # File Parameter Contents
+    #
+    # When processing file uploads, the parser returns a hash containing
+    # information about uploaded files. For +file+ parameters, the hash includes:
+    #
+    # * +:filename+ - The original filename, already URL decoded by the parser
+    # * +:type+ - The content type of the uploaded file  
+    # * +:name+ - The parameter name from the form
+    # * +:tempfile+ - A Tempfile object containing the uploaded data
+    # * +:head+ - The raw header content for this part
     class Parser
       BUFSIZE = 1_048_576
       TEXT_PLAIN = "text/plain"
@@ -47,34 +59,6 @@ module Rack
         Tempfile.new(["RackMultipart", extension])
       }
 
-      BOUNDARY_START_LIMIT = 16 * 1024
-      private_constant :BOUNDARY_START_LIMIT
-
-      MIME_HEADER_BYTESIZE_LIMIT = 64 * 1024
-      private_constant :MIME_HEADER_BYTESIZE_LIMIT
-
-      env_int = lambda do |key, val|
-        if str_val = ENV[key]
-          begin
-            val = Integer(str_val, 10)
-          rescue ArgumentError
-            raise ArgumentError, "non-integer value provided for environment variable #{key}"
-          end
-        end
-
-        val
-      end
-
-      BUFFERED_UPLOAD_BYTESIZE_LIMIT = env_int.call("RACK_MULTIPART_BUFFERED_UPLOAD_BYTESIZE_LIMIT", 16 * 1024 * 1024)
-      private_constant :BUFFERED_UPLOAD_BYTESIZE_LIMIT
-
-      bytesize_limit = env_int.call("RACK_MULTIPART_PARSER_BYTESIZE_LIMIT", 10 * 1024 * 1024 * 1024)
-      PARSER_BYTESIZE_LIMIT = bytesize_limit > 0 ? bytesize_limit : nil
-      private_constant :PARSER_BYTESIZE_LIMIT
-
-      CONTENT_DISPOSITION_QUOTED_ESCAPES_LIMIT = env_int.call("RACK_MULTIPART_CONTENT_DISPOSITION_QUOTED_ESCAPES_LIMIT", 8 * 1024)
-      private_constant :CONTENT_DISPOSITION_QUOTED_ESCAPES_LIMIT
-
       class BoundedIO # :nodoc:
         def initialize(io, content_length)
           @io             = io
@@ -111,15 +95,7 @@ module Rack
         return unless content_type
         data = content_type.match(MULTIPART)
         return unless data
-
-        unless data[1].empty?
-          raise Error, "whitespace between boundary parameter name and equal sign"
-        end
-        if data.post_match.match?(/boundary\s*=/i)
-          raise BoundaryTooLongError, "multiple boundary parameters found in multipart content type"
-        end
-
-        data[2]
+        data[1]
       end
 
       def self.parse(io, content_length, content_type, tmpfile, bufsize, qp)
@@ -128,10 +104,6 @@ module Rack
         boundary = parse_boundary content_type
         return EMPTY unless boundary
 
-        if PARSER_BYTESIZE_LIMIT && content_length && content_length > PARSER_BYTESIZE_LIMIT
-          raise Error, "multipart Content-Length #{content_length} exceeds limit of #{PARSER_BYTESIZE_LIMIT} bytes"
-        end
-
         if boundary.length > 70
           # RFC 1521 Section 7.2.1 imposes a 70 character maximum for the boundary.
           # Most clients use no more than 55 characters.
@@ -246,10 +218,6 @@ module Rack
 
         @state = :FAST_FORWARD
         @mime_index = 0
-        @body_retained = nil
-        @retained_size = 0
-        @total_bytes_read = (0 if PARSER_BYTESIZE_LIMIT)
-        @content_disposition_quoted_escapes = 0
         @collector = Collector.new tempfile
 
         @sbuf = StringScanner.new("".dup)
@@ -261,7 +229,6 @@ module Rack
       end
 
       def parse(io)
-        @total_bytes_read &&= nil if io.is_a?(BoundedIO)
         outbuf = String.new
         read_data(io, outbuf)
 
@@ -288,7 +255,8 @@ module Rack
         @collector.each do |part|
           part.get_data do |data|
             tag_multipart_encoding(part.filename, part.content_type, part.name, data)
-            @query_parser.normalize_params(@params, part.name, data)
+            name, data = handle_dummy_encoding(part.name, data)
+            @query_parser.normalize_params(@params, name, data)
           end
         end
         MultipartInfo.new @params.to_params_hash, @collector.find_all(&:file?).map(&:body)
@@ -296,21 +264,9 @@ module Rack
 
       private
 
-      def dequote(str) # From WEBrick::HTTPUtils
-        ret = (/\A"(.*)"\Z/ =~ str) ? $1 : str.dup
-        ret.gsub!(/\\(.)/, "\\1")
-        ret
-      end
-
       def read_data(io, outbuf)
         content = io.read(@bufsize, outbuf)
         handle_empty_content!(content)
-        if @total_bytes_read
-          @total_bytes_read += content.bytesize
-          if @total_bytes_read > PARSER_BYTESIZE_LIMIT
-            raise Error, "multipart upload exceeds limit of #{PARSER_BYTESIZE_LIMIT} bytes"
-          end
-        end
         @sbuf.concat(content)
       end
 
@@ -338,10 +294,6 @@ module Rack
 
             # retry for opening boundary
           else
-            # We raise if we don't find the multipart boundary, to avoid unbounded memory
-            # buffering. Note that the actual limit is the higher of 16KB and the buffer size (1MB by default)
-            raise Error, "multipart boundary not found within limit" if @sbuf.string.bytesize > BOUNDARY_START_LIMIT
-
             # no boundary found, keep reading data
             return :want_read
           end
@@ -404,11 +356,6 @@ module Rack
                   # stop parsing parameter value if found ending quote
                   break if c == '"'
 
-                  @content_disposition_quoted_escapes += 1
-                  if @content_disposition_quoted_escapes > CONTENT_DISPOSITION_QUOTED_ESCAPES_LIMIT
-                    raise Error, "number of quoted escapes during content disposition parsing exceeds limit"
-                  end
-
                   escaped_char = disposition.slice!(0, 1)
                   if param == 'filename' && escaped_char != '"'
                     # Possible IE uploaded filename, append both escape backslash and value
@@ -463,30 +410,16 @@ module Rack
             name = filename || "#{content_type || TEXT_PLAIN}[]".dup
           end
 
-          # Mime part head data is retained for both TempfilePart and BufferPart
-          # for the entireity of the parse, even though it isn't used for BufferPart.
-          update_retained_size(head.bytesize)
-
-          # If a filename is given, a TempfilePart will be used, so the body will
-          # not be buffered in memory. However, if a filename is not given, a BufferPart
-          # will be used, and the body will be buffered in memory.
-          @body_retained = !filename
-
           @collector.on_mime_head @mime_index, head, filename, content_type, name
           @state = :MIME_BODY
         else
-          # We raise if the mime part header is too large, to avoid unbounded memory
-          # buffering. Note that the actual limit is the higher of 64KB and the buffer size (1MB by default)
-          raise Error, "multipart mime part header too large" if @sbuf.rest.bytesize > MIME_HEADER_BYTESIZE_LIMIT
-
-          return :want_read
+          :want_read
         end
       end
 
       def handle_mime_body
         if (body_with_boundary = @sbuf.check_until(@body_regex)) # check but do not advance the pointer yet
           body = body_with_boundary.sub(@body_regex_at_end, '') # remove the boundary from the string
-          update_retained_size(body.bytesize) if @body_retained
           @collector.on_mime_body @mime_index, body
           @sbuf.pos += body.length + 2 # skip \r\n after the content
           @state = :CONSUME_TOKEN
@@ -495,9 +428,7 @@ module Rack
           # Save what we have so far
           if @rx_max_size < @sbuf.rest_size
             delta = @sbuf.rest_size - @rx_max_size
-            body = @sbuf.peek(delta)
-            update_retained_size(body.bytesize) if @body_retained
-            @collector.on_mime_body @mime_index, body
+            @collector.on_mime_body @mime_index, @sbuf.peek(delta)
             @sbuf.pos += delta
             @sbuf.string = @sbuf.rest
           end
@@ -505,13 +436,6 @@ module Rack
         end
       end
 
-      def update_retained_size(size)
-        @retained_size += size
-        if @retained_size > BUFFERED_UPLOAD_BYTESIZE_LIMIT
-          raise Error, "multipart data over retained size limit"
-        end
-      end
-
       # Scan until the we find the start or end of the boundary.
       # If we find it, return the appropriate symbol for the start or
       # end of the boundary.  If we don't find the start or end of the
@@ -577,6 +501,25 @@ module Rack
         Encoding::BINARY
       end
 
+      REENCODE_DUMMY_ENCODINGS = {
+        # ISO-2022-JP is a legacy but still widely used encoding in Japan
+        # Here we convert ISO-2022-JP to UTF-8 so that it can be handled.
+        Encoding::ISO_2022_JP => true
+
+        # Other dummy encodings are rarely used and have not been supported yet.
+        # Adding support for them will require careful considerations.
+      }
+
+      def handle_dummy_encoding(name, body)
+        # A string object with a 'dummy' encoding does not have full functionality and can cause errors.
+        # So here we covert it to UTF-8 so that it can be handled properly.
+        if name.encoding.dummy? && REENCODE_DUMMY_ENCODINGS[name.encoding]
+          name = name.encode(Encoding::UTF_8)
+          body = body.encode(Encoding::UTF_8)
+        end
+        return name, body
+      end
+
       def handle_empty_content!(content)
         if content.nil? || content.empty?
           raise EmptyContentError

data/lib/rack/multipart/uploaded_file.rb

@@ -5,14 +5,47 @@ require 'fileutils'
 
 module Rack
   module Multipart
+    # Despite the misleading name, UploadedFile is designed for use for
+    # preparing multipart file upload bodies, generally for use in tests.
+    # It is not designed for and should not be used for handling uploaded
+    # files (there is no need for that, since Rack's multipart parser
+    # already creates Tempfiles for that). Using this with non-trusted
+    # filenames can create a security vulnerability.
+    #
+    # You should only use this class if you plan on passing the instances
+    # to Rack::MockRequest for use in creating multipart request bodies.
+    #
+    # UploadedFile delegates most methods to the tempfile it contains.
     class UploadedFile
-
-      # The filename, *not* including the path, of the "uploaded" file
+      # The provided name of the file. This generally is the basename of
+      # path provided during initialization, but it can contain slashes if they
+      # were present in the filename argument when the instance was created.
       attr_reader :original_filename
 
-      # The content type of the "uploaded" file
+      # The content type of the instance.
       attr_accessor :content_type
 
+      # Create a new UploadedFile.  For backwards compatibility, this accepts
+      # both positional and keyword versions of the same arguments:
+      #
+      # filepath/path :: The path to the file
+      # ct/content_type :: The content_type of the file
+      # bin/binary :: Whether to set binmode on the file before copying data into it.
+      #
+      # If both positional and keyword arguments are present, the keyword arguments
+      # take precedence.
+      #
+      # The following keyword-only arguments are also accepted:
+      #
+      # filename :: Override the filename to use for the file.  This is so the
+      #             filename for the upload does not need to match the basename of
+      #             the file path.  This should not contain slashes, unless you are
+      #             trying to test how an application handles invalid filenames in
+      #             multipart upload bodies.
+      # io :: Use the given IO-like instance as the tempfile, instead of creating
+      #       a Tempfile instance.  This is useful for building multipart file
+      #       upload bodies without a file being present on the filesystem. If you are
+      #       providing this, you should also provide the filename argument.
       def initialize(filepath = nil, ct = "text/plain", bin = false,
                      path: filepath, content_type: ct, binary: bin, filename: nil, io: nil)
         if io
@@ -28,15 +61,19 @@ module Rack
         @content_type = content_type
       end
 
+      # The path of the tempfile for the instance, if the tempfile has a path.
+      # nil if the tempfile does not have a path.
       def path
         @tempfile.path if @tempfile.respond_to?(:path)
       end
       alias_method :local_path, :path
 
-      def respond_to?(*args)
-        super or @tempfile.respond_to?(*args)
+      # Return true if the tempfile responds to the method.
+      def respond_to_missing?(*args)
+        @tempfile.respond_to?(*args)
       end
 
+      # Delegate method missing calls to the tempfile.
       def method_missing(method_name, *args, &block) #:nodoc:
         @tempfile.__send__(method_name, *args, &block)
       end

data/lib/rack/query_parser.rb

@@ -57,8 +57,6 @@ module Rack
     PARAMS_LIMIT = env_int.call("RACK_QUERY_PARSER_PARAMS_LIMIT", 4096)
     private_constant :PARAMS_LIMIT
 
-    attr_reader :bytesize_limit
-
     def initialize(params_class, param_depth_limit, bytesize_limit: BYTESIZE_LIMIT, params_limit: PARAMS_LIMIT)
       @params_class = params_class
       @param_depth_limit = param_depth_limit
@@ -71,14 +69,9 @@ module Rack
     # to parse cookies by changing the characters used in the second parameter
     # (which defaults to '&').
     def parse_query(qs, separator = nil, &unescaper)
-      unescaper ||= method(:unescape)
-
       params = make_params
 
-      check_query_string(qs, separator).split(separator ? (COMMON_SEP[separator] || /[#{separator}] */n) : DEFAULT_SEP).each do |p|
-        next if p.empty?
-        k, v = p.split('=', 2).map!(&unescaper)
-
+      each_query_pair(qs, separator, unescaper) do |k, v|
         if cur = params[k]
           if cur.class == Array
             params[k] << v
@@ -93,6 +86,19 @@ module Rack
       return params.to_h
     end
 
+    # Parses a query string by breaking it up at the '&', returning all key-value
+    # pairs as an array of [key, value] arrays. Unlike parse_query, this preserves
+    # all duplicate keys rather than collapsing them.
+    def parse_query_pairs(qs, separator = nil)
+      pairs = []
+
+      each_query_pair(qs, separator) do |k, v|
+        pairs << [k, v]
+      end
+
+      pairs
+    end
+
     # parse_nested_query expands a query string into structural types. Supported
     # types are Arrays, Hashes and basic value types. It is possible to supply
     # query strings with parameters of conflicting types, in this case a
@@ -101,17 +107,11 @@ module Rack
     def parse_nested_query(qs, separator = nil)
       params = make_params
 
-      unless qs.nil? || qs.empty?
-        check_query_string(qs, separator).split(separator ? (COMMON_SEP[separator] || /[#{separator}] */n) : DEFAULT_SEP).each do |p|
-          k, v = p.split('=', 2).map! { |s| unescape(s) }
-
-          _normalize_params(params, k, v, 0)
-        end
+      each_query_pair(qs, separator) do |k, v|
+        _normalize_params(params, k, v, 0)
       end
 
       return params.to_h
-    rescue ArgumentError => e
-      raise InvalidParameterError, e.message, e.backtrace
     end
 
     # normalize_params recursively expands parameters into structural types. If
@@ -217,20 +217,35 @@ module Rack
       true
     end
 
-    def check_query_string(qs, sep)
-      if qs
-        if qs.bytesize > @bytesize_limit
-          raise QueryLimitError, "total query size exceeds limit (#{@bytesize_limit})"
-        end
+    def each_query_pair(qs, separator, unescaper = nil)
+      return if !qs || qs.empty?
 
-        if (param_count = qs.count(sep.is_a?(String) ? sep : '&')) >= @params_limit
-          raise QueryLimitError, "total number of query parameters (#{param_count+1}) exceeds limit (#{@params_limit})"
-        end
+      if qs.bytesize > @bytesize_limit
+        raise QueryLimitError, "total query size (#{qs.bytesize}) exceeds limit (#{@bytesize_limit})"
+      end
+
+      pairs = qs.split(separator ? (COMMON_SEP[separator] || /[#{separator}] */n) : DEFAULT_SEP, @params_limit + 1)
+
+      if pairs.size > @params_limit
+        param_count = pairs.size + pairs.last.count(separator || "&")
+        raise QueryLimitError, "total number of query parameters (#{param_count}) exceeds limit (#{@params_limit})"
+      end
 
-        qs
+      if unescaper
+        pairs.each do |p|
+          next if p.empty?
+          k, v = p.split('=', 2).map!(&unescaper)
+          yield k, v
+        end
       else
-        ''
+        pairs.each do |p|
+          next if p.empty?
+          k, v = p.split('=', 2).map! { |s| unescape(s) }
+          yield k, v
+        end
       end
+    rescue ArgumentError => e
+      raise InvalidParameterError, e.message, e.backtrace
     end
 
     def unescape(string, encoding = Encoding::UTF_8)