rack 3.1.3 → 3.1.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1cb578b6c5608012f69e9e89637fe2b53f31d5aa15f9d546e1c756384119c762
-  data.tar.gz: 4201b8eb5e202b3832cf1e576bfa13106866da483d9e0395a58bb482a04da30a
+  metadata.gz: 3c10c6fa362f15e1169822a88e4fe9edfa36b01e48ba5d338bf55e94889a097f
+  data.tar.gz: c205f62d2490fda13b70cc5d0b3be62af5cad3efa950d5ceabc0e1980d3fef83
 SHA512:
-  metadata.gz: 71f559cc4ffb927a6297ad5d1e9794d740270c670148f100feb40b0a465303e20aeea7d82c953cf3e2af9b9651facb9dbd814bb152f83c6e4042e4a89ac67b7b
-  data.tar.gz: 7ae4c87c4b74f111f0bae47d6ba80aacbbd3d5d6424f0231922676e3e0898ad895a3816098622b83cb73e2668cf4bd991ae5d8d4669b177557dab155b0fb80df
+  metadata.gz: 466e3dd3536d81196d86f1cc0a3fa8e833cfe96b523843160aef33267aab0e0e46501d5f163f2a72d4e3401385c43312237f67da26932b2d192c9d1bfb3dcfdc
+  data.tar.gz: 3bcf798901aeaa5a94524864925160077f07ac26ebaa9e3ad6b080afbe45fb0a7f1f9ee89d990720aeae7d5b8dd73e2e1bf82a264323649219b59682b56cc09a

data/CHANGELOG.md

@@ -2,6 +2,18 @@
 
 All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
 
+## [3.1.5] - 2024-07-02
+
+### Security
+
+- Fix potential ReDoS attack in `Rack::Request#parse_http_accept_header`. ([GHSA-cj83-2ww7-mvq7](https://github.com/rack/rack/security/advisories/GHSA-cj83-2ww7-mvq7), [@dwisiswant0](https://github.com/dwisiswant0))
+
+## [3.1.4] - 2024-06-22
+
+### Fixed
+
+- Fix `Rack::Lint` matching some paths incorrectly as authority form. ([#2220](https://github.com/rack/rack/pull/2220), [@ioquatix])
+
 ## [3.1.3] - 2024-06-12
 
 ### Fixed
@@ -125,7 +137,7 @@ All notable changes to this project will be documented in this file. For info on
 
 - `Rack::URLMap` uses non-deprecated form of `Regexp.new`. ([#1998](https://github.com/rack/rack/pull/1998), [@weizheheng](https://github.com/weizheheng))
 
-## [3.0.2] -2022-12-05
+## [3.0.2] - 2022-12-05
 
 ### Fixed
 

data/lib/rack/lint.rb

@@ -13,7 +13,7 @@ module Rack
   class Lint
     REQUEST_PATH_ORIGIN_FORM = /\A\/[^#]*\z/
     REQUEST_PATH_ABSOLUTE_FORM = /\A#{URI::DEFAULT_PARSER.make_regexp}\z/
-    REQUEST_PATH_AUTHORITY_FORM = /\A(.*?)(:\d*)\z/
+    REQUEST_PATH_AUTHORITY_FORM = /\A[^\/:]+:\d+\z/
     REQUEST_PATH_ASTERISK_FORM = '*'
 
     def initialize(app)

data/lib/rack/request.rb

@@ -642,8 +642,10 @@ module Rack
       end
 
       def parse_http_accept_header(header)
-        header.to_s.split(/\s*,\s*/).map do |part|
-          attribute, parameters = part.split(/\s*;\s*/, 2)
+        header.to_s.split(',').map do |part|
+          attribute, parameters = part.split(';', 2)
+          attribute.strip!
+          parameters&.strip!
           quality = 1.0
           if parameters and /\Aq=([\d.]+)/ =~ parameters
             quality = $1.to_f

data/lib/rack/version.rb

@@ -12,7 +12,7 @@
 # so it should be enough just to <tt>require 'rack'</tt> in your code.
 
 module Rack
-  RELEASE = "3.1.3"
+  RELEASE = "3.1.5"
 
   # Return the Rack release as a dotted string.
   def self.release

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-  version: 3.1.3
+  version: 3.1.5
 platform: ruby
 authors:
 - Leah Neukirchen
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-06-12 00:00:00.000000000 Z
+date: 2024-07-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -158,7 +158,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.9
+rubygems_version: 3.5.11
 signing_key:
 specification_version: 4
 summary: A modular Ruby webserver interface.