rack 3.1.8 → 3.1.12
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of rack might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +108 -0
- data/lib/rack/common_logger.rb +3 -2
- data/lib/rack/media_type.rb +8 -3
- data/lib/rack/sendfile.rb +1 -1
- data/lib/rack/static.rb +2 -1
- data/lib/rack/version.rb +1 -1
- metadata +3 -6
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 868ab89ed93ddb4a862a175637629e4f53dedd0c63a2160b55f03da2e62e2b8d
|
|
4
|
+
data.tar.gz: 4c798a217e78aaf9a718cefe2947504ff17d5e27f16b9cd7f7dc5fda19187d6d
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 471ecfd4bfa31542580ff34e77550b82808a47571aeec6336090c361c6c900f708916f917299876b2302bea9973c05f2e09e7cf8dc348304b3f8e21c4482eea0
|
|
7
|
+
data.tar.gz: 0a6141590966ec43e464382593bd27ddc6f62f4baee94fc46848a457a82e3844b63b9753fff4d1941e90004fbc0bdcafe69577fb81749c6d491c8941a0075abd
|
data/CHANGELOG.md
CHANGED
|
@@ -2,8 +2,34 @@
|
|
|
2
2
|
|
|
3
3
|
All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
|
|
4
4
|
|
|
5
|
+
## [3.1.12] - 2025-03-11
|
|
6
|
+
|
|
7
|
+
### Security
|
|
8
|
+
|
|
9
|
+
- [CVE-2025-27610](https://github.com/rack/rack/security/advisories/GHSA-7wqh-767x-r66v) Local file inclusion in `Rack::Static`.
|
|
10
|
+
|
|
11
|
+
## [3.1.11] - 2025-03-04
|
|
12
|
+
|
|
13
|
+
### Security
|
|
14
|
+
|
|
15
|
+
- [CVE-2025-27111](https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v) Possible Log Injection in `Rack::Sendfile`.
|
|
16
|
+
|
|
17
|
+
## [3.1.10] - 2025-02-12
|
|
18
|
+
|
|
19
|
+
### Security
|
|
20
|
+
|
|
21
|
+
- [CVE-2025-25184](https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg) Possible Log Injection in `Rack::CommonLogger`.
|
|
22
|
+
|
|
23
|
+
## [3.1.9] - 2025-01-31
|
|
24
|
+
|
|
25
|
+
### Fixed
|
|
26
|
+
|
|
27
|
+
- `Rack::MediaType#params` now handles parameters without values. ([#2263](https://github.com/rack/rack/pull/2263), [@AllyMarthaJ](https://github.com/AllyMarthaJ))
|
|
28
|
+
|
|
5
29
|
## [3.1.8] - 2024-10-14
|
|
6
30
|
|
|
31
|
+
### Fixed
|
|
32
|
+
|
|
7
33
|
- Resolve deprecation warnings about uri `DEFAULT_PARSER`. ([#2249](https://github.com/rack/rack/pull/2249), [@earlopain])
|
|
8
34
|
|
|
9
35
|
## [3.1.7] - 2024-07-11
|
|
@@ -103,6 +129,24 @@ Rack v3.1 is primarily a maintenance release that removes features deprecated in
|
|
|
103
129
|
|
|
104
130
|
- In `Rack::Files`, ignore the `Range` header if served file is 0 bytes. ([#2159](https://github.com/rack/rack/pull/2159), [@zarqman])
|
|
105
131
|
|
|
132
|
+
## [3.0.14] - 2025-03-11
|
|
133
|
+
|
|
134
|
+
### Security
|
|
135
|
+
|
|
136
|
+
- [CVE-2025-27610](https://github.com/rack/rack/security/advisories/GHSA-7wqh-767x-r66v) Local file inclusion in `Rack::Static`.
|
|
137
|
+
|
|
138
|
+
## [3.0.13] - 2025-03-04
|
|
139
|
+
|
|
140
|
+
### Security
|
|
141
|
+
|
|
142
|
+
- [CVE-2025-27111](https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v) Possible Log Injection in `Rack::Sendfile`.
|
|
143
|
+
|
|
144
|
+
## [3.0.12] - 2025-02-12
|
|
145
|
+
|
|
146
|
+
### Security
|
|
147
|
+
|
|
148
|
+
- [CVE-2025-25184](https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg) Possible Log Injection in `Rack::CommonLogger`.
|
|
149
|
+
|
|
106
150
|
## [3.0.11] - 2024-05-10
|
|
107
151
|
|
|
108
152
|
- Backport #2062 to 3-0-stable: Do not allow `BodyProxy` to respond to `to_str`, make `to_ary` call close . ([#2062](https://github.com/rack/rack/pull/2062), [@jeremyevans](https://github.com/jeremyevans))
|
|
@@ -279,6 +323,70 @@ Rack v3.1 is primarily a maintenance release that removes features deprecated in
|
|
|
279
323
|
- Fix multipart filename generation for filenames that contain spaces. Encode spaces as "%20" instead of "+" which will be decoded properly by the multipart parser. ([#1736](https://github.com/rack/rack/pull/1645), [@muirdm](https://github.com/muirdm))
|
|
280
324
|
- `Rack::Request#scheme` returns `ws` or `wss` when one of the `X-Forwarded-Scheme` / `X-Forwarded-Proto` headers is set to `ws` or `wss`, respectively. ([#1730](https://github.com/rack/rack/issues/1730), [@erwanst](https://github.com/erwanst))
|
|
281
325
|
|
|
326
|
+
## [2.2.13] - 2025-03-11
|
|
327
|
+
|
|
328
|
+
### Security
|
|
329
|
+
|
|
330
|
+
- [CVE-2025-27610](https://github.com/rack/rack/security/advisories/GHSA-7wqh-767x-r66v) Local file inclusion in `Rack::Static`.
|
|
331
|
+
|
|
332
|
+
## [2.2.12] - 2025-03-04
|
|
333
|
+
|
|
334
|
+
### Security
|
|
335
|
+
|
|
336
|
+
- [CVE-2025-27111](https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v) Possible Log Injection in `Rack::Sendfile`.
|
|
337
|
+
|
|
338
|
+
## [2.2.11] - 2025-02-12
|
|
339
|
+
|
|
340
|
+
### Security
|
|
341
|
+
|
|
342
|
+
- [CVE-2025-25184](https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg) Possible Log Injection in `Rack::CommonLogger`.
|
|
343
|
+
|
|
344
|
+
## [2.2.10] - 2024-10-14
|
|
345
|
+
|
|
346
|
+
- Fix compatibility issues with Ruby v3.4.0. ([#2248](https://github.com/rack/rack/pull/2248), [@byroot](https://github.com/byroot))
|
|
347
|
+
|
|
348
|
+
## [2.2.9] - 2023-03-21
|
|
349
|
+
|
|
350
|
+
- Return empty when parsing a multi-part POST with only one end delimiter. ([#2104](https://github.com/rack/rack/pull/2104), [@alpaca-tc])
|
|
351
|
+
|
|
352
|
+
## [2.2.8] - 2023-07-31
|
|
353
|
+
|
|
354
|
+
- Regenerate SPEC ([#2102](https://github.com/rack/rack/pull/2102), [@skipkayhil](https://github.com/skipkayhil))
|
|
355
|
+
- Limit file extension length of multipart tempfiles ([#2015](https://github.com/rack/rack/pull/2015), [@dentarg](https://github.com/dentarg))
|
|
356
|
+
- Fix "undefined method DelegateClass for Rack::Session::Cookie:Class" ([#2092](https://github.com/rack/rack/pull/2092), [@onigra](https://github.com/onigra) [@dchandekstark](https://github.com/dchandekstark))
|
|
357
|
+
|
|
358
|
+
## [2.2.7] - 2023-03-13
|
|
359
|
+
|
|
360
|
+
- Correct the year number in the changelog ([#2015](https://github.com/rack/rack/pull/2015), [@kimulab](https://github.com/kimulab))
|
|
361
|
+
- Support underscore in host names for Rack 2.2 (Fixes [#2070](https://github.com/rack/rack/issues/2070)) ([#2015](https://github.com/rack/rack/pull/2071), [@jeremyevans](https://github.com/jeremyevans))
|
|
362
|
+
|
|
363
|
+
## [2.2.6.4] - 2023-03-13
|
|
364
|
+
|
|
365
|
+
- [CVE-2023-27539] Avoid ReDoS in header parsing
|
|
366
|
+
|
|
367
|
+
## [2.2.6.3] - 2023-03-02
|
|
368
|
+
|
|
369
|
+
- [CVE-2023-27530] Introduce multipart_total_part_limit to limit total parts
|
|
370
|
+
|
|
371
|
+
## [2.2.6.2] - 2023-01-17
|
|
372
|
+
|
|
373
|
+
- [CVE-2022-44570] Fix ReDoS in Rack::Utils.get_byte_ranges
|
|
374
|
+
|
|
375
|
+
## [2.2.6.1] - 2023-01-17
|
|
376
|
+
|
|
377
|
+
- [CVE-2022-44571] Fix ReDoS vulnerability in multipart parser
|
|
378
|
+
- [CVE-2022-44572] Forbid control characters in attributes (also ReDoS)
|
|
379
|
+
|
|
380
|
+
## [2.2.6] - 2023-01-17
|
|
381
|
+
|
|
382
|
+
- Extend `Rack::MethodOverride` to handle `QueryParser::ParamsTooDeepError` error. ([#2011](https://github.com/rack/rack/pull/2011), [@byroot](https://github.com/byroot))
|
|
383
|
+
|
|
384
|
+
## [2.2.5] - 2022-12-27
|
|
385
|
+
|
|
386
|
+
### Fixed
|
|
387
|
+
|
|
388
|
+
- `Rack::URLMap` uses non-deprecated form of `Regexp.new`. ([#1998](https://github.com/rack/rack/pull/1998), [@weizheheng](https://github.com/weizheheng))
|
|
389
|
+
|
|
282
390
|
## [2.2.4] - 2022-06-30
|
|
283
391
|
|
|
284
392
|
- Better support for lower case headers in `Rack::ETag` middleware. ([#1919](https://github.com/rack/rack/pull/1919), [@ioquatix](https://github.com/ioquatix))
|
data/lib/rack/common_logger.rb
CHANGED
|
@@ -20,7 +20,7 @@ module Rack
|
|
|
20
20
|
# The actual format is slightly different than the above due to the
|
|
21
21
|
# separation of SCRIPT_NAME and PATH_INFO, and because the elapsed
|
|
22
22
|
# time in seconds is included at the end.
|
|
23
|
-
FORMAT = %{%s - %s [%s] "%s %s%s%s %s" %d %s %0.4f
|
|
23
|
+
FORMAT = %{%s - %s [%s] "%s %s%s%s %s" %d %s %0.4f }
|
|
24
24
|
|
|
25
25
|
# +logger+ can be any object that supports the +write+ or +<<+ methods,
|
|
26
26
|
# which includes the standard library Logger. These methods are called
|
|
@@ -66,7 +66,8 @@ module Rack
|
|
|
66
66
|
length,
|
|
67
67
|
Utils.clock_time - began_at)
|
|
68
68
|
|
|
69
|
-
msg.gsub!(/[^[:print:]
|
|
69
|
+
msg.gsub!(/[^[:print:]]/) { |c| sprintf("\\x%x", c.ord) }
|
|
70
|
+
msg[-1] = "\n"
|
|
70
71
|
|
|
71
72
|
logger = @logger || request.get_header(RACK_ERRORS)
|
|
72
73
|
# Standard library logger doesn't support write but it supports << which actually
|
data/lib/rack/media_type.rb
CHANGED
|
@@ -27,6 +27,11 @@ module Rack
|
|
|
27
27
|
# provided. e.g., when the CONTENT_TYPE is "text/plain;charset=utf-8",
|
|
28
28
|
# this method responds with the following Hash:
|
|
29
29
|
# { 'charset' => 'utf-8' }
|
|
30
|
+
#
|
|
31
|
+
# This will pass back parameters with empty strings in the hash if they
|
|
32
|
+
# lack a value (e.g., "text/plain;charset=" will return { 'charset' => '' },
|
|
33
|
+
# and "text/plain;charset" will return { 'charset' => '' }, similarly to
|
|
34
|
+
# the query params parser (barring the latter case, which returns nil instead)).
|
|
30
35
|
def params(content_type)
|
|
31
36
|
return {} if content_type.nil?
|
|
32
37
|
|
|
@@ -40,9 +45,9 @@ module Rack
|
|
|
40
45
|
|
|
41
46
|
private
|
|
42
47
|
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
48
|
+
def strip_doublequotes(str)
|
|
49
|
+
(str && str.start_with?('"') && str.end_with?('"')) ? str[1..-2] : str || ''
|
|
50
|
+
end
|
|
46
51
|
end
|
|
47
52
|
end
|
|
48
53
|
end
|
data/lib/rack/sendfile.rb
CHANGED
data/lib/rack/static.rb
CHANGED
|
@@ -124,8 +124,9 @@ module Rack
|
|
|
124
124
|
|
|
125
125
|
def call(env)
|
|
126
126
|
path = env[PATH_INFO]
|
|
127
|
+
actual_path = Utils.clean_path_info(Utils.unescape_path(path))
|
|
127
128
|
|
|
128
|
-
if can_serve(
|
|
129
|
+
if can_serve(actual_path)
|
|
129
130
|
if overwrite_file_path(path)
|
|
130
131
|
env[PATH_INFO] = (add_index_root?(path) ? path + @index : @urls[path])
|
|
131
132
|
elsif @gzip && env['HTTP_ACCEPT_ENCODING'] && /\bgzip\b/.match?(env['HTTP_ACCEPT_ENCODING'])
|
data/lib/rack/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,13 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rack
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.1.
|
|
4
|
+
version: 3.1.12
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Leah Neukirchen
|
|
8
|
-
autorequire:
|
|
9
8
|
bindir: bin
|
|
10
9
|
cert_chain: []
|
|
11
|
-
date:
|
|
10
|
+
date: 2025-03-10 00:00:00.000000000 Z
|
|
12
11
|
dependencies:
|
|
13
12
|
- !ruby/object:Gem::Dependency
|
|
14
13
|
name: minitest
|
|
@@ -143,7 +142,6 @@ metadata:
|
|
|
143
142
|
changelog_uri: https://github.com/rack/rack/blob/main/CHANGELOG.md
|
|
144
143
|
documentation_uri: https://rubydoc.info/github/rack/rack
|
|
145
144
|
source_code_uri: https://github.com/rack/rack
|
|
146
|
-
post_install_message:
|
|
147
145
|
rdoc_options: []
|
|
148
146
|
require_paths:
|
|
149
147
|
- lib
|
|
@@ -158,8 +156,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
158
156
|
- !ruby/object:Gem::Version
|
|
159
157
|
version: '0'
|
|
160
158
|
requirements: []
|
|
161
|
-
rubygems_version: 3.
|
|
162
|
-
signing_key:
|
|
159
|
+
rubygems_version: 3.6.2
|
|
163
160
|
specification_version: 4
|
|
164
161
|
summary: A modular Ruby webserver interface.
|
|
165
162
|
test_files: []
|