rack 3.1.9 → 3.1.10

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6b01af1af7b2ac850bd4296234559b6b8056c3253b54b4f0fc1f9f0be48173e8
-  data.tar.gz: 42398750f039d8f0a35a9f6f14455d892c104a3b2d03624ca2c62f20596cc9dc
+  metadata.gz: 58b45f32cc72a649a82bc9aab409e575e4b3b9acb373a7e5015fa6b5fd948845
+  data.tar.gz: 181f48f799ffa1b64a90b6b1d4bcdb1e9af8b9b10bf72cee2a637e4dd0b7c317
 SHA512:
-  metadata.gz: 134254ca758692fa2a977ff12168a28480de90cb941d8d6823f428f6da417859fdafee931592d066eb1917388ec38c346ec8b286be427684ef8eb3d3f59ab2b8
-  data.tar.gz: 5c9a8b860dc38866e9a20237492f800a9ed6b353267abbed6e3ed1f161f45f431017ed0d54f42adfd7b4b3eed1b012345dd8d689fb42ca68cb63194fad4ec7b4
+  metadata.gz: 8657201de040d14a5e345bc2d3b7aa9f58751b9f1c7f14c95c9dbc3cc96a50ce566f544be3464920845b0d0e88a283853c397646546beb1ba7d6c15ab54b490d
+  data.tar.gz: 36bca618d65a42de84c660f82c50d1aed0e809f0ac44665abcfc546405a5548850dfc9d129580254dcef3f77d4c057c9c2e24462ac2f4f3b6e7104ffe0f46a08

data/CHANGELOG.md

@@ -2,6 +2,12 @@
 
 All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
 
+## [3.1.10] - 2025-02-12
+
+### Security
+
+- [CVE-2025-25184](https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg) Possible Log Injection in Rack::CommonLogger.
+
 ## [3.1.9] - 2025-01-31
 
 ### Fixed

data/lib/rack/common_logger.rb

@@ -20,7 +20,7 @@ module Rack
     # The actual format is slightly different than the above due to the
     # separation of SCRIPT_NAME and PATH_INFO, and because the elapsed
     # time in seconds is included at the end.
-    FORMAT = %{%s - %s [%s] "%s %s%s%s %s" %d %s %0.4f\n}
+    FORMAT = %{%s - %s [%s] "%s %s%s%s %s" %d %s %0.4f }
 
     # +logger+ can be any object that supports the +write+ or +<<+ methods,
     # which includes the standard library Logger.  These methods are called
@@ -66,7 +66,8 @@ module Rack
         length,
         Utils.clock_time - began_at)
 
-      msg.gsub!(/[^[:print:]\n]/) { |c| sprintf("\\x%x", c.ord) }
+      msg.gsub!(/[^[:print:]]/) { |c| sprintf("\\x%x", c.ord) }
+      msg[-1] = "\n"
 
       logger = @logger || request.get_header(RACK_ERRORS)
       # Standard library logger doesn't support write but it supports << which actually

data/lib/rack/version.rb

@@ -12,7 +12,7 @@
 # so it should be enough just to <tt>require 'rack'</tt> in your code.
 
 module Rack
-  RELEASE = "3.1.9"
+  RELEASE = "3.1.10"
 
   # Return the Rack release as a dotted string.
   def self.release

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-  version: 3.1.9
+  version: 3.1.10
 platform: ruby
 authors:
 - Leah Neukirchen
 bindir: bin
 cert_chain: []
-date: 2025-01-30 00:00:00.000000000 Z
+date: 2025-02-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest