RubyGems - rack - Versions diffs - 3.1.9 → 3.1.11 - Mend

rack 3.1.9 → 3.1.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of rack might be problematic. Click here for more details.

Files changed (6) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6b01af1af7b2ac850bd4296234559b6b8056c3253b54b4f0fc1f9f0be48173e8
-  data.tar.gz: 42398750f039d8f0a35a9f6f14455d892c104a3b2d03624ca2c62f20596cc9dc
+  metadata.gz: 90c0540cb367990c1d880a1645e175ec6b69f3fe8463f415a3f6e85771169914
+  data.tar.gz: b18a53def64cd7b67d70afa9e2748a5ceb49827c44c4481da19749b101574d32
 SHA512:
-  metadata.gz: 134254ca758692fa2a977ff12168a28480de90cb941d8d6823f428f6da417859fdafee931592d066eb1917388ec38c346ec8b286be427684ef8eb3d3f59ab2b8
-  data.tar.gz: 5c9a8b860dc38866e9a20237492f800a9ed6b353267abbed6e3ed1f161f45f431017ed0d54f42adfd7b4b3eed1b012345dd8d689fb42ca68cb63194fad4ec7b4
+  metadata.gz: bf8fa1f298a40a4754768911053dd57c5fc269f81134faaac3cd49375d86e06bcf26999a35c897ee1a24de18d4246320cbf523b0f3666a0586166fbad9790c68
+  data.tar.gz: 8da18291a78c744f9a63a5afaaf24f97c96dddaf34a8b65e1e364cc5ff8dcb0d55007b07b963e9954c0a283bdd1899c5067501c3d465355ccde6829028640fc7

data/CHANGELOG.md CHANGED Viewed

@@ -2,6 +2,18 @@
 All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
+## [3.1.11] - 2025-03-04
+### Security
+- [CVE-2025-27111](https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v) Possible Log Injection in `Rack::Sendfile`.
+## [3.1.10] - 2025-02-12
+### Security
+- [CVE-2025-25184](https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg) Possible Log Injection in `Rack::CommonLogger`.
 ## [3.1.9] - 2025-01-31
 ### Fixed
@@ -111,6 +123,18 @@ Rack v3.1 is primarily a maintenance release that removes features deprecated in
 - In `Rack::Files`, ignore the `Range` header if served file is 0 bytes. ([#2159](https://github.com/rack/rack/pull/2159), [@zarqman])
+## [3.0.13] - 2025-03-04
+### Security
+- [CVE-2025-27111](https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v) Possible Log Injection in `Rack::Sendfile`.
+## [3.0.12] - 2025-02-12
+### Security
+- [CVE-2025-25184](https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg) Possible Log Injection in `Rack::CommonLogger`.
 ## [3.0.11] - 2024-05-10
 - Backport #2062 to 3-0-stable: Do not allow `BodyProxy` to respond to `to_str`, make `to_ary` call close . ([#2062](https://github.com/rack/rack/pull/2062), [@jeremyevans](https://github.com/jeremyevans))
@@ -287,6 +311,64 @@ Rack v3.1 is primarily a maintenance release that removes features deprecated in
 - Fix multipart filename generation for filenames that contain spaces. Encode spaces as "%20" instead of "+" which will be decoded properly by the multipart parser. ([#1736](https://github.com/rack/rack/pull/1645), [@muirdm](https://github.com/muirdm))
 - `Rack::Request#scheme` returns `ws` or `wss` when one of the `X-Forwarded-Scheme` / `X-Forwarded-Proto` headers is set to `ws` or `wss`, respectively. ([#1730](https://github.com/rack/rack/issues/1730), [@erwanst](https://github.com/erwanst))
+## [2.2.12] - 2025-03-04
+### Security
+- [CVE-2025-27111](https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v) Possible Log Injection in `Rack::Sendfile`.
+## [2.2.11] - 2025-02-12
+### Security
+- [CVE-2025-25184](https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg) Possible Log Injection in `Rack::CommonLogger`.
+## [2.2.10] - 2024-10-14
+- Fix compatibility issues with Ruby v3.4.0. ([#2248](https://github.com/rack/rack/pull/2248), [@byroot](https://github.com/byroot))
+## [2.2.9] - 2023-03-21
+- Return empty when parsing a multi-part POST with only one end delimiter. ([#2104](https://github.com/rack/rack/pull/2104), [@alpaca-tc])
+## [2.2.8] - 2023-07-31
+- Regenerate SPEC ([#2102](https://github.com/rack/rack/pull/2102), [@skipkayhil](https://github.com/skipkayhil))
+- Limit file extension length of multipart tempfiles ([#2015](https://github.com/rack/rack/pull/2015), [@dentarg](https://github.com/dentarg))
+- Fix "undefined method DelegateClass for Rack::Session::Cookie:Class" ([#2092](https://github.com/rack/rack/pull/2092), [@onigra](https://github.com/onigra) [@dchandekstark](https://github.com/dchandekstark))
+## [2.2.7] - 2023-03-13
+- Correct the year number in the changelog ([#2015](https://github.com/rack/rack/pull/2015), [@kimulab](https://github.com/kimulab))
+- Support underscore in host names for Rack 2.2 (Fixes [#2070](https://github.com/rack/rack/issues/2070)) ([#2015](https://github.com/rack/rack/pull/2071), [@jeremyevans](https://github.com/jeremyevans))
+## [2.2.6.4] - 2023-03-13
+- [CVE-2023-27539] Avoid ReDoS in header parsing
+## [2.2.6.3] - 2023-03-02
+- [CVE-2023-27530] Introduce multipart_total_part_limit to limit total parts
+## [2.2.6.2] - 2023-01-17
+- [CVE-2022-44570] Fix ReDoS in Rack::Utils.get_byte_ranges
+## [2.2.6.1] - 2023-01-17
+- [CVE-2022-44571] Fix ReDoS vulnerability in multipart parser
+- [CVE-2022-44572] Forbid control characters in attributes (also ReDoS)
+## [2.2.6] - 2023-01-17
+- Extend `Rack::MethodOverride` to handle `QueryParser::ParamsTooDeepError` error. ([#2011](https://github.com/rack/rack/pull/2011), [@byroot](https://github.com/byroot))
+## [2.2.5] - 2022-12-27
+### Fixed
+- `Rack::URLMap` uses non-deprecated form of `Regexp.new`. ([#1998](https://github.com/rack/rack/pull/1998), [@weizheheng](https://github.com/weizheheng))
 ## [2.2.4] - 2022-06-30
 - Better support for lower case headers in `Rack::ETag` middleware. ([#1919](https://github.com/rack/rack/pull/1919), [@ioquatix](https://github.com/ioquatix))

data/lib/rack/common_logger.rb CHANGED Viewed

@@ -20,7 +20,7 @@ module Rack
     # The actual format is slightly different than the above due to the
     # separation of SCRIPT_NAME and PATH_INFO, and because the elapsed
     # time in seconds is included at the end.
-    FORMAT = %{%s - %s [%s] "%s %s%s%s %s" %d %s %0.4f\n}
+    FORMAT = %{%s - %s [%s] "%s %s%s%s %s" %d %s %0.4f }
     # +logger+ can be any object that supports the +write+ or +<<+ methods,
     # which includes the standard library Logger.  These methods are called
@@ -66,7 +66,8 @@ module Rack
         length,
         Utils.clock_time - began_at)
-      msg.gsub!(/[^[:print:]\n]/) { |c| sprintf("\\x%x", c.ord) }
+      msg.gsub!(/[^[:print:]]/) { |c| sprintf("\\x%x", c.ord) }
+      msg[-1] = "\n"
       logger = @logger || request.get_header(RACK_ERRORS)
       # Standard library logger doesn't support write but it supports << which actually

data/lib/rack/sendfile.rb CHANGED Viewed

@@ -138,7 +138,7 @@ module Rack
           end
         when '', nil
         else
-          env[RACK_ERRORS].puts "Unknown x-sendfile variation: '#{type}'.\n"
+          env[RACK_ERRORS].puts "Unknown x-sendfile variation: #{type.inspect}"
         end
       end
       response

data/lib/rack/version.rb CHANGED Viewed

@@ -12,7 +12,7 @@
 # so it should be enough just to <tt>require 'rack'</tt> in your code.
 module Rack
-  RELEASE = "3.1.9"
+  RELEASE = "3.1.11"
   # Return the Rack release as a dotted string.
   def self.release

metadata CHANGED Viewed

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-  version: 3.1.9
+  version: 3.1.11
 platform: ruby
 authors:
 - Leah Neukirchen
 bindir: bin
 cert_chain: []
-date: 2025-01-30 00:00:00.000000000 Z
+date: 2025-03-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest