rack 3.1.3 → 3.1.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.


This version of rack might be problematic. Click here for more details.

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 1cb578b6c5608012f69e9e89637fe2b53f31d5aa15f9d546e1c756384119c762
4
- data.tar.gz: 4201b8eb5e202b3832cf1e576bfa13106866da483d9e0395a58bb482a04da30a
3
+ metadata.gz: 3c10c6fa362f15e1169822a88e4fe9edfa36b01e48ba5d338bf55e94889a097f
4
+ data.tar.gz: c205f62d2490fda13b70cc5d0b3be62af5cad3efa950d5ceabc0e1980d3fef83
5
5
  SHA512:
6
- metadata.gz: 71f559cc4ffb927a6297ad5d1e9794d740270c670148f100feb40b0a465303e20aeea7d82c953cf3e2af9b9651facb9dbd814bb152f83c6e4042e4a89ac67b7b
7
- data.tar.gz: 7ae4c87c4b74f111f0bae47d6ba80aacbbd3d5d6424f0231922676e3e0898ad895a3816098622b83cb73e2668cf4bd991ae5d8d4669b177557dab155b0fb80df
6
+ metadata.gz: 466e3dd3536d81196d86f1cc0a3fa8e833cfe96b523843160aef33267aab0e0e46501d5f163f2a72d4e3401385c43312237f67da26932b2d192c9d1bfb3dcfdc
7
+ data.tar.gz: 3bcf798901aeaa5a94524864925160077f07ac26ebaa9e3ad6b080afbe45fb0a7f1f9ee89d990720aeae7d5b8dd73e2e1bf82a264323649219b59682b56cc09a
data/CHANGELOG.md CHANGED
@@ -2,6 +2,18 @@
2
2
 
3
3
  All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
4
4
 
5
+ ## [3.1.5] - 2024-07-02
6
+
7
+ ### Security
8
+
9
+ - Fix potential ReDoS attack in `Rack::Request#parse_http_accept_header`. ([GHSA-cj83-2ww7-mvq7](https://github.com/rack/rack/security/advisories/GHSA-cj83-2ww7-mvq7), [@dwisiswant0](https://github.com/dwisiswant0))
10
+
11
+ ## [3.1.4] - 2024-06-22
12
+
13
+ ### Fixed
14
+
15
+ - Fix `Rack::Lint` matching some paths incorrectly as authority form. ([#2220](https://github.com/rack/rack/pull/2220), [@ioquatix])
16
+
5
17
  ## [3.1.3] - 2024-06-12
6
18
 
7
19
  ### Fixed
@@ -125,7 +137,7 @@ All notable changes to this project will be documented in this file. For info on
125
137
 
126
138
  - `Rack::URLMap` uses non-deprecated form of `Regexp.new`. ([#1998](https://github.com/rack/rack/pull/1998), [@weizheheng](https://github.com/weizheheng))
127
139
 
128
- ## [3.0.2] -2022-12-05
140
+ ## [3.0.2] - 2022-12-05
129
141
 
130
142
  ### Fixed
131
143
 
data/lib/rack/lint.rb CHANGED
@@ -13,7 +13,7 @@ module Rack
13
13
  class Lint
14
14
  REQUEST_PATH_ORIGIN_FORM = /\A\/[^#]*\z/
15
15
  REQUEST_PATH_ABSOLUTE_FORM = /\A#{URI::DEFAULT_PARSER.make_regexp}\z/
16
- REQUEST_PATH_AUTHORITY_FORM = /\A(.*?)(:\d*)\z/
16
+ REQUEST_PATH_AUTHORITY_FORM = /\A[^\/:]+:\d+\z/
17
17
  REQUEST_PATH_ASTERISK_FORM = '*'
18
18
 
19
19
  def initialize(app)
data/lib/rack/request.rb CHANGED
@@ -642,8 +642,10 @@ module Rack
642
642
  end
643
643
 
644
644
  def parse_http_accept_header(header)
645
- header.to_s.split(/\s*,\s*/).map do |part|
646
- attribute, parameters = part.split(/\s*;\s*/, 2)
645
+ header.to_s.split(',').map do |part|
646
+ attribute, parameters = part.split(';', 2)
647
+ attribute.strip!
648
+ parameters&.strip!
647
649
  quality = 1.0
648
650
  if parameters and /\Aq=([\d.]+)/ =~ parameters
649
651
  quality = $1.to_f
data/lib/rack/version.rb CHANGED
@@ -12,7 +12,7 @@
12
12
  # so it should be enough just to <tt>require 'rack'</tt> in your code.
13
13
 
14
14
  module Rack
15
- RELEASE = "3.1.3"
15
+ RELEASE = "3.1.5"
16
16
 
17
17
  # Return the Rack release as a dotted string.
18
18
  def self.release
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rack
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.1.3
4
+ version: 3.1.5
5
5
  platform: ruby
6
6
  authors:
7
7
  - Leah Neukirchen
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2024-06-12 00:00:00.000000000 Z
11
+ date: 2024-07-02 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: minitest
@@ -158,7 +158,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
158
158
  - !ruby/object:Gem::Version
159
159
  version: '0'
160
160
  requirements: []
161
- rubygems_version: 3.5.9
161
+ rubygems_version: 3.5.11
162
162
  signing_key:
163
163
  specification_version: 4
164
164
  summary: A modular Ruby webserver interface.