rack 3.1.8 → 3.1.14

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: cd9b9438930771f3687ff42be3f3506df2faeea5d947d8ed4fa9e5eec1b5970c
-  data.tar.gz: 170b7d3e30e472e5a5403f9bb889f37b60e4e9eced41e94f97a88d848e5c2fb4
+  metadata.gz: 558fa2ba3e85c5e5c3775d72153132d6f667aa7390421fb6769b6cc26dd3bd72
+  data.tar.gz: 135df43165c5e6fa3a69cd4857ee2e514cfe7841ed3728889e61185268e86531
 SHA512:
-  metadata.gz: 0a5c0c56cda8181c7ec4e87a348b54a22938d4c450a9647fbbf07aaec37282ff89230d3964ba0dfd9f5bc7f7e60d99eaf704636de143704c5e9156120bd04624
-  data.tar.gz: eeef987e1c6dc77ff1fc40e5cc0e37bde704d354c62217a834e6a4d36828900a71dac09e591a9743273fc5ea678bf603d36c3e165f9c7dbfa1759301c42f957f
+  metadata.gz: 3543b51083a592a6609ac760ee6b4a692b442496258470c3d70cd94ada81c22439c21e5637599e6d85fd0c25983fc0819883f2449466cfb3c41ed8154287b221
+  data.tar.gz: a1da3c54d64e956c1b4b02065da3deaff9ef9e212e2c5366260691caef698bea993ceb9b26e0a26d72f37481fb0f0a91803fe99e864baffbbfa10e31ca4e79cc

data/CHANGELOG.md

@@ -2,8 +2,44 @@
 
 All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
 
+## [3.1.14] - 2025-05-06
+
+### Security
+
+- [CVE-2025-46727](https://github.com/rack/rack/security/advisories/GHSA-gjh7-p2fx-99vx) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion.
+
+## [3.1.13] - 2025-04-13
+
+- Ensure `Rack::ETag` correctly updates response body. ([#2324](https://github.com/rack/rack/pull/2324), [@ioquatix])
+
+## [3.1.12] - 2025-03-11
+
+### Security
+
+- [CVE-2025-27610](https://github.com/rack/rack/security/advisories/GHSA-7wqh-767x-r66v) Local file inclusion in `Rack::Static`.
+
+## [3.1.11] - 2025-03-04
+
+### Security
+
+- [CVE-2025-27111](https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v) Possible Log Injection in `Rack::Sendfile`.
+
+## [3.1.10] - 2025-02-12
+
+### Security
+
+- [CVE-2025-25184](https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg) Possible Log Injection in `Rack::CommonLogger`.
+
+## [3.1.9] - 2025-01-31
+
+### Fixed
+
+- `Rack::MediaType#params` now handles parameters without values. ([#2263](https://github.com/rack/rack/pull/2263), [@AllyMarthaJ](https://github.com/AllyMarthaJ))
+
 ## [3.1.8] - 2024-10-14
 
+### Fixed
+
 - Resolve deprecation warnings about uri `DEFAULT_PARSER`. ([#2249](https://github.com/rack/rack/pull/2249), [@earlopain])
 
 ## [3.1.7] - 2024-07-11
@@ -103,6 +139,34 @@ Rack v3.1 is primarily a maintenance release that removes features deprecated in
 
 - In `Rack::Files`, ignore the `Range` header if served file is 0 bytes. ([#2159](https://github.com/rack/rack/pull/2159), [@zarqman])
 
+## [3.0.16] - 2025-05-06
+
+### Security
+
+- [CVE-2025-46727](https://github.com/rack/rack/security/advisories/GHSA-gjh7-p2fx-99vx) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion.
+
+## [3.0.15] - 2025-04-13
+
+- Ensure `Rack::ETag` correctly updates response body. ([#2324](https://github.com/rack/rack/pull/2324), [@ioquatix])
+
+## [3.0.14] - 2025-03-11
+
+### Security
+
+- [CVE-2025-27610](https://github.com/rack/rack/security/advisories/GHSA-7wqh-767x-r66v) Local file inclusion in `Rack::Static`.
+
+## [3.0.13] - 2025-03-04
+
+### Security
+
+- [CVE-2025-27111](https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v) Possible Log Injection in `Rack::Sendfile`.
+
+## [3.0.12] - 2025-02-12
+
+### Security
+
+- [CVE-2025-25184](https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg) Possible Log Injection in `Rack::CommonLogger`.
+
 ## [3.0.11] - 2024-05-10
 
 - Backport #2062 to 3-0-stable: Do not allow `BodyProxy` to respond to `to_str`, make `to_ary` call close . ([#2062](https://github.com/rack/rack/pull/2062), [@jeremyevans](https://github.com/jeremyevans))
@@ -279,6 +343,76 @@ Rack v3.1 is primarily a maintenance release that removes features deprecated in
 - Fix multipart filename generation for filenames that contain spaces. Encode spaces as "%20" instead of "+" which will be decoded properly by the multipart parser. ([#1736](https://github.com/rack/rack/pull/1645), [@muirdm](https://github.com/muirdm))
 - `Rack::Request#scheme` returns `ws` or `wss` when one of the `X-Forwarded-Scheme` / `X-Forwarded-Proto` headers is set to `ws` or `wss`, respectively. ([#1730](https://github.com/rack/rack/issues/1730), [@erwanst](https://github.com/erwanst))
 
+## [2.2.14] - 2025-05-06
+
+### Security
+
+- [CVE-2025-46727](https://github.com/rack/rack/security/advisories/GHSA-gjh7-p2fx-99vx) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion.
+
+## [2.2.13] - 2025-03-11
+
+### Security
+
+- [CVE-2025-27610](https://github.com/rack/rack/security/advisories/GHSA-7wqh-767x-r66v) Local file inclusion in `Rack::Static`.
+
+## [2.2.12] - 2025-03-04
+
+### Security
+
+- [CVE-2025-27111](https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v) Possible Log Injection in `Rack::Sendfile`.
+
+## [2.2.11] - 2025-02-12
+
+### Security
+
+- [CVE-2025-25184](https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg) Possible Log Injection in `Rack::CommonLogger`.
+
+## [2.2.10] - 2024-10-14
+
+- Fix compatibility issues with Ruby v3.4.0. ([#2248](https://github.com/rack/rack/pull/2248), [@byroot](https://github.com/byroot))
+
+## [2.2.9] - 2023-03-21
+
+- Return empty when parsing a multi-part POST with only one end delimiter. ([#2104](https://github.com/rack/rack/pull/2104), [@alpaca-tc])
+
+## [2.2.8] - 2023-07-31
+
+- Regenerate SPEC ([#2102](https://github.com/rack/rack/pull/2102), [@skipkayhil](https://github.com/skipkayhil))
+- Limit file extension length of multipart tempfiles ([#2015](https://github.com/rack/rack/pull/2015), [@dentarg](https://github.com/dentarg))
+- Fix "undefined method DelegateClass for Rack::Session::Cookie:Class" ([#2092](https://github.com/rack/rack/pull/2092), [@onigra](https://github.com/onigra) [@dchandekstark](https://github.com/dchandekstark))
+
+## [2.2.7] - 2023-03-13
+
+- Correct the year number in the changelog ([#2015](https://github.com/rack/rack/pull/2015), [@kimulab](https://github.com/kimulab))
+- Support underscore in host names for Rack 2.2 (Fixes [#2070](https://github.com/rack/rack/issues/2070)) ([#2015](https://github.com/rack/rack/pull/2071), [@jeremyevans](https://github.com/jeremyevans))
+
+## [2.2.6.4] - 2023-03-13
+
+- [CVE-2023-27539] Avoid ReDoS in header parsing
+
+## [2.2.6.3] - 2023-03-02
+
+- [CVE-2023-27530] Introduce multipart_total_part_limit to limit total parts
+
+## [2.2.6.2] - 2023-01-17
+
+- [CVE-2022-44570] Fix ReDoS in Rack::Utils.get_byte_ranges
+
+## [2.2.6.1] - 2023-01-17
+
+- [CVE-2022-44571] Fix ReDoS vulnerability in multipart parser
+- [CVE-2022-44572] Forbid control characters in attributes (also ReDoS)
+
+## [2.2.6] - 2023-01-17
+
+- Extend `Rack::MethodOverride` to handle `QueryParser::ParamsTooDeepError` error. ([#2011](https://github.com/rack/rack/pull/2011), [@byroot](https://github.com/byroot))
+
+## [2.2.5] - 2022-12-27
+
+### Fixed
+
+- `Rack::URLMap` uses non-deprecated form of `Regexp.new`. ([#1998](https://github.com/rack/rack/pull/1998), [@weizheheng](https://github.com/weizheheng))
+
 ## [2.2.4] - 2022-06-30
 
 - Better support for lower case headers in `Rack::ETag` middleware. ([#1919](https://github.com/rack/rack/pull/1919), [@ioquatix](https://github.com/ioquatix))

data/README.md

@@ -183,6 +183,33 @@ quickly and without doing the same web stuff all over:
 Rack exposes several configuration parameters to control various features of the
 implementation.
 
+### `RACK_QUERY_PARSER_BYTESIZE_LIMIT`
+
+This environment variable sets the default for the maximum query string bytesize
+that `Rack::QueryParser` will attempt to parse.  Attempts to use a query string
+that exceeds this number of bytes will result in a
+`Rack::QueryParser::QueryLimitError` exception. If this enviroment variable is
+provided, it must be an integer, or `Rack::QueryParser` will raise an exception.
+
+The default limit can be overridden on a per-`Rack::QueryParser` basis using
+the `bytesize_limit` keyword argument when creating the `Rack::QueryParser`.
+
+### `RACK_QUERY_PARSER_PARAMS_LIMIT`
+
+This environment variable sets the default for the maximum number of query
+parameters that `Rack::QueryParser` will attempt to parse.  Attempts to use a
+query string with more than this many query parameters will result in a
+`Rack::QueryParser::QueryLimitError` exception. If this enviroment variable is
+provided, it must be an integer, or `Rack::QueryParser` will raise an exception.
+
+The default limit can be overridden on a per-`Rack::QueryParser` basis using
+the `params_limit` keyword argument when creating the `Rack::QueryParser`.
+
+This is implemented by counting the number of parameter separators in the
+query string, before attempting parsing, so if the same parameter key is
+used multiple times in the query, each counts as a separate parameter for
+this check.
+
 ### `param_depth_limit`
 
 ```ruby

data/lib/rack/common_logger.rb

@@ -20,7 +20,7 @@ module Rack
     # The actual format is slightly different than the above due to the
     # separation of SCRIPT_NAME and PATH_INFO, and because the elapsed
     # time in seconds is included at the end.
-    FORMAT = %{%s - %s [%s] "%s %s%s%s %s" %d %s %0.4f\n}
+    FORMAT = %{%s - %s [%s] "%s %s%s%s %s" %d %s %0.4f }
 
     # +logger+ can be any object that supports the +write+ or +<<+ methods,
     # which includes the standard library Logger.  These methods are called
@@ -66,7 +66,8 @@ module Rack
         length,
         Utils.clock_time - began_at)
 
-      msg.gsub!(/[^[:print:]\n]/) { |c| sprintf("\\x%x", c.ord) }
+      msg.gsub!(/[^[:print:]]/) { |c| sprintf("\\x%x", c.ord) }
+      msg[-1] = "\n"
 
       logger = @logger || request.get_header(RACK_ERRORS)
       # Standard library logger doesn't support write but it supports << which actually

data/lib/rack/etag.rb

@@ -32,6 +32,9 @@ module Rack
         body = body.to_ary
         digest = digest_body(body)
         headers[ETAG_STRING] = %(W/"#{digest}") if digest
+
+        # Body was modified, so we need to re-assign it:
+        response[2] = body
       end
 
       unless headers[CACHE_CONTROL]

data/lib/rack/media_type.rb

@@ -27,6 +27,11 @@ module Rack
       # provided.  e.g., when the CONTENT_TYPE is "text/plain;charset=utf-8",
       # this method responds with the following Hash:
       #   { 'charset' => 'utf-8' }
+      #
+      # This will pass back parameters with empty strings in the hash if they
+      # lack a value (e.g., "text/plain;charset=" will return { 'charset' => '' },
+      # and "text/plain;charset" will return { 'charset' => '' }, similarly to 
+      # the query params parser (barring the latter case, which returns nil instead)).
       def params(content_type)
         return {} if content_type.nil?
 
@@ -40,9 +45,9 @@ module Rack
 
       private
 
-        def strip_doublequotes(str)
-          (str.start_with?('"') && str.end_with?('"')) ? str[1..-2] : str
-        end
+      def strip_doublequotes(str)
+        (str && str.start_with?('"') && str.end_with?('"')) ? str[1..-2] : str || ''
+      end
     end
   end
 end

data/lib/rack/query_parser.rb

@@ -21,21 +21,47 @@ module Rack
       include BadRequest
     end
 
-    # ParamsTooDeepError is the error that is raised when params are recursively
-    # nested over the specified limit.
-    class ParamsTooDeepError < RangeError
+    # QueryLimitError is for errors raised when the query provided exceeds one
+    # of the query parser limits.
+    class QueryLimitError < RangeError
       include BadRequest
     end
 
-    def self.make_default(param_depth_limit)
-      new Params, param_depth_limit
+    # ParamsTooDeepError is the old name for the error that is raised when params
+    # are recursively nested over the specified limit. Make it the same as
+    # as QueryLimitError, so that code that rescues ParamsTooDeepError error
+    # to handle bad query strings also now handles other limits.
+    ParamsTooDeepError = QueryLimitError
+
+    def self.make_default(param_depth_limit, **options)
+      new(Params, param_depth_limit, **options)
     end
 
     attr_reader :param_depth_limit
 
-    def initialize(params_class, param_depth_limit)
+    env_int = lambda do |key, val|
+      if str_val = ENV[key]
+        begin
+          val = Integer(str_val, 10)
+        rescue ArgumentError
+          raise ArgumentError, "non-integer value provided for environment variable #{key}"
+        end
+      end
+
+      val
+    end
+
+    BYTESIZE_LIMIT = env_int.call("RACK_QUERY_PARSER_BYTESIZE_LIMIT", 4194304)
+    private_constant :BYTESIZE_LIMIT
+
+    PARAMS_LIMIT = env_int.call("RACK_QUERY_PARSER_PARAMS_LIMIT", 4096)
+    private_constant :PARAMS_LIMIT
+
+    def initialize(params_class, param_depth_limit, bytesize_limit: BYTESIZE_LIMIT, params_limit: PARAMS_LIMIT)
       @params_class = params_class
       @param_depth_limit = param_depth_limit
+      @bytesize_limit = bytesize_limit
+      @params_limit = params_limit
     end
 
     # Stolen from Mongrel, with some small modifications:
@@ -47,7 +73,7 @@ module Rack
 
       params = make_params
 
-      (qs || '').split(separator ? (COMMON_SEP[separator] || /[#{separator}] */n) : DEFAULT_SEP).each do |p|
+      check_query_string(qs, separator).split(separator ? (COMMON_SEP[separator] || /[#{separator}] */n) : DEFAULT_SEP).each do |p|
         next if p.empty?
         k, v = p.split('=', 2).map!(&unescaper)
 
@@ -74,7 +100,7 @@ module Rack
       params = make_params
 
       unless qs.nil? || qs.empty?
-        (qs || '').split(separator ? (COMMON_SEP[separator] || /[#{separator}] */n) : DEFAULT_SEP).each do |p|
+        check_query_string(qs, separator).split(separator ? (COMMON_SEP[separator] || /[#{separator}] */n) : DEFAULT_SEP).each do |p|
           k, v = p.split('=', 2).map! { |s| unescape(s) }
 
           _normalize_params(params, k, v, 0)
@@ -189,6 +215,22 @@ module Rack
       true
     end
 
+    def check_query_string(qs, sep)
+      if qs
+        if qs.bytesize > @bytesize_limit
+          raise QueryLimitError, "total query size (#{qs.bytesize}) exceeds limit (#{@bytesize_limit})"
+        end
+
+        if (param_count = qs.count(sep.is_a?(String) ? sep : '&')) >= @params_limit
+          raise QueryLimitError, "total number of query parameters (#{param_count+1}) exceeds limit (#{@params_limit})"
+        end
+
+        qs
+      else
+        ''
+      end
+    end
+
     def unescape(string, encoding = Encoding::UTF_8)
       URI.decode_www_form_component(string, encoding)
     end

data/lib/rack/sendfile.rb

@@ -138,7 +138,7 @@ module Rack
           end
         when '', nil
         else
-          env[RACK_ERRORS].puts "Unknown x-sendfile variation: '#{type}'.\n"
+          env[RACK_ERRORS].puts "Unknown x-sendfile variation: #{type.inspect}"
         end
       end
       response

data/lib/rack/static.rb

@@ -124,8 +124,9 @@ module Rack
 
     def call(env)
       path = env[PATH_INFO]
+      actual_path = Utils.clean_path_info(Utils.unescape_path(path))
 
-      if can_serve(path)
+      if can_serve(actual_path)
         if overwrite_file_path(path)
           env[PATH_INFO] = (add_index_root?(path) ? path + @index : @urls[path])
         elsif @gzip && env['HTTP_ACCEPT_ENCODING'] && /\bgzip\b/.match?(env['HTTP_ACCEPT_ENCODING'])

data/lib/rack/version.rb

@@ -12,7 +12,7 @@
 # so it should be enough just to <tt>require 'rack'</tt> in your code.
 
 module Rack
-  RELEASE = "3.1.8"
+  RELEASE = "3.1.14"
 
   # Return the Rack release as a dotted string.
   def self.release

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-  version: 3.1.8
+  version: 3.1.14
 platform: ruby
 authors:
 - Leah Neukirchen
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-10-14 00:00:00.000000000 Z
+date: 2025-05-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -158,7 +158,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.11
+rubygems_version: 3.5.22
 signing_key:
 specification_version: 4
 summary: A modular Ruby webserver interface.