rack 3.2.0 → 3.2.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 17b6834d4c6a07c5cf23757814f450f39e32589ef0a6300310c7ab111a8c99c2
-  data.tar.gz: db3d1475837e3d45082994af134b5ceb9e0b83f400244c33262c343f421798f0
+  metadata.gz: '080d2911dca86ef9f377de17b22e51f04472e25d2af32cc9effd975097785f1a'
+  data.tar.gz: c3ee87b2b5bc8e676986c4b9d48ebfc97420a69a02fb0a945f340f34b4578349
 SHA512:
-  metadata.gz: 36b2bb65194e71b496e946090552bc97f3367426d4c169b0da384ee284068dd809d9d89fc585a49caa313a48e73eea3ce4f1dd47f2a5f103da9ac006f9f6d12a
-  data.tar.gz: 934940c91b89ebcf4a3015d3876e850f470d97ac82e189a390ff07efed1664d153a28546f8576fa99d6e6361f168ab1c6ffd8541509ddfe709436bd649cca29d
+  metadata.gz: bd897ed5e78fb8ce1ba9c542f5233d8c49e309004f826d4e112127a23ff55fd5758ae90b6856b209c156cbc5695eb28c1c27a5d0fb036cdffd94c91a9096fb4e
+  data.tar.gz: 053d5a2eaa6cdaed9404b2da2c7a7e730c73dea77ebdd75a4628b150b1e59bbc5fa2e81ea56edb0a6df6da122f94d621292f74d0263ffe0721d7e07c81e4e897

data/CHANGELOG.md

@@ -2,7 +2,23 @@
 
 All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
 
-## Unreleased
+## [3.2.2] - 2025-10-07
+
+### Security
+
+- [CVE-2025-61772](https://github.com/advisories/GHSA-wpv5-97wm-hp9c) Multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
+- [CVE-2025-61771](https://github.com/advisories/GHSA-w9pc-fmgc-vxvw) Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)
+- [CVE-2025-61770](https://github.com/advisories/GHSA-p543-xpfm-54cp) Unbounded multipart preamble buffering enables DoS (memory exhaustion)
+
+## [3.2.1] -- 2025-09-02
+
+### Added
+
+- Add support for streaming bodies when using `Rack::Events`. ([#2375](github.com/rack/rack/pull/2375), [@unflxw](https://github.com/unflxw))
+
+### Fixed
+
+- Fix an issue where a `NoMethodError` would be raised when using `Rack::Events` with streaming bodies. ([#2375](github.com/rack/rack/pull/2375), [@unflxw](https://github.com/unflxw))
 
 ## [3.2.0] - 2025-07-31
 
@@ -51,6 +67,14 @@ This release continues Rack's evolution toward a cleaner, more efficient foundat
 - `SERVER_NAME` and `HTTP_HOST` are now more strictly validated according to the relevant specifications. ([#2298](https://github.com/rack/rack/pull/2298), [@ioquatix])
 - `Rack::Lint` now disallows `PATH_INFO="" SCRIPT_NAME=""`. ([#2298](https://github.com/rack/rack/issues/2307), [@jeremyevans])
 
+## [3.1.17] - 2025-10-07
+
+### Security
+
+- [CVE-2025-61772](https://github.com/advisories/GHSA-wpv5-97wm-hp9c) Multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
+- [CVE-2025-61771](https://github.com/advisories/GHSA-w9pc-fmgc-vxvw) Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)
+- [CVE-2025-61770](https://github.com/advisories/GHSA-p543-xpfm-54cp) Unbounded multipart preamble buffering enables DoS (memory exhaustion)
+
 ## [3.1.16] - 2025-06-04
 
 ### Security
@@ -420,6 +444,20 @@ This release introduces major improvements to Rack, including enhanced support f
 - Fix multipart filename generation for filenames that contain spaces. Encode spaces as "%20" instead of "+" which will be decoded properly by the multipart parser. ([#1736](https://github.com/rack/rack/pull/1645), [@muirdm](https://github.com/muirdm))
 - `Rack::Request#scheme` returns `ws` or `wss` when one of the `X-Forwarded-Scheme` / `X-Forwarded-Proto` headers is set to `ws` or `wss`, respectively. ([#1730](https://github.com/rack/rack/issues/1730), [@erwanst](https://github.com/erwanst))
 
+## [2.2.19] - 2025-10-07
+
+### Security
+
+- [CVE-2025-61772](https://github.com/advisories/GHSA-wpv5-97wm-hp9c) Multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
+- [CVE-2025-61771](https://github.com/advisories/GHSA-w9pc-fmgc-vxvw) Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)
+- [CVE-2025-61770](https://github.com/advisories/GHSA-p543-xpfm-54cp) Unbounded multipart preamble buffering enables DoS (memory exhaustion)
+
+## [2.2.18] - 2025-09-25
+
+### Security
+
+- [CVE-2025-59830](https://github.com/rack/rack/security/advisories/GHSA-625h-95r8-8xpm) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion via semicolon-separated parameters.
+
 ## [2.2.17] - 2025-06-03
 
 - Backport `Rack::MediaType#params` now handles parameters without values. ([#2263](https://github.com/rack/rack/pull/2263), [@AllyMarthaJ](https://github.com/AllyMarthaJ))

data/README.md

@@ -230,6 +230,14 @@ query string, before attempting parsing, so if the same parameter key is
 used multiple times in the query, each counts as a separate parameter for
 this check.
 
+### `RACK_MULTIPART_BUFFERED_UPLOAD_BYTESIZE_LIMIT`
+
+This environment variable sets the maximum amount of memory Rack will use
+to buffer multipart parameters when parsing a request body. This considers
+the size of the multipart mime headers and the body part for multipart
+parameters that are buffered in memory and do not use tempfiles. This
+defaults to 16MB if not provided.
+
 ### `param_depth_limit`
 
 ```ruby

data/lib/rack/events.rb

@@ -29,12 +29,13 @@ module Rack
   #
   # * on_send(request, response)
   #
-  #   The webserver has started iterating over the response body and presumably
-  #   has started sending data over the wire. This method is always called with
-  #   a request object and the response object.  The response object is
-  #   constructed from the rack triple that the application returned.  Changes
-  #   SHOULD NOT be made to the response object as the webserver has already
-  #   started sending data.  Any mutations will likely result in an exception.
+  #   The webserver has started iterating over the response body, or has called
+  #   the streaming body, and presumably has started sending data over the
+  #   wire. This method is always called with a request object and the response
+  #   object. The response object is constructed from the rack triple that the
+  #   application returned.  Changes SHOULD NOT be made to the response object
+  #   as the webserver has already started sending data.  Any mutations will
+  #   likely result in an exception.
   #
   # * on_finish(request, response)
   #
@@ -90,6 +91,20 @@ module Rack
         @handlers.reverse_each { |handler| handler.on_send request, response }
         super
       end
+
+      def call(stream)
+        @handlers.reverse_each { |handler| handler.on_send request, response }
+        super
+      end
+
+      def respond_to?(method_name, include_all = false)
+        case method_name
+        when :each, :call
+          @body.respond_to?(method_name, include_all)
+        else
+          super
+        end
+      end
     end
 
     class BufferedResponse < Rack::Response::Raw # :nodoc:

data/lib/rack/multipart/parser.rb

@@ -59,6 +59,27 @@ module Rack
         Tempfile.new(["RackMultipart", extension])
       }
 
+      BOUNDARY_START_LIMIT = 16 * 1024
+      private_constant :BOUNDARY_START_LIMIT
+
+      MIME_HEADER_BYTESIZE_LIMIT = 64 * 1024
+      private_constant :MIME_HEADER_BYTESIZE_LIMIT
+
+      env_int = lambda do |key, val|
+        if str_val = ENV[key]
+          begin
+            val = Integer(str_val, 10)
+          rescue ArgumentError
+            raise ArgumentError, "non-integer value provided for environment variable #{key}"
+          end
+        end
+
+        val
+      end
+
+      BUFFERED_UPLOAD_BYTESIZE_LIMIT = env_int.call("RACK_MULTIPART_BUFFERED_UPLOAD_BYTESIZE_LIMIT", 16 * 1024 * 1024)
+      private_constant :BUFFERED_UPLOAD_BYTESIZE_LIMIT
+
       class BoundedIO # :nodoc:
         def initialize(io, content_length)
           @io             = io
@@ -218,6 +239,8 @@ module Rack
 
         @state = :FAST_FORWARD
         @mime_index = 0
+        @body_retained = nil
+        @retained_size = 0
         @collector = Collector.new tempfile
 
         @sbuf = StringScanner.new("".dup)
@@ -294,6 +317,10 @@ module Rack
 
             # retry for opening boundary
           else
+            # We raise if we don't find the multipart boundary, to avoid unbounded memory
+            # buffering. Note that the actual limit is the higher of 16KB and the buffer size (1MB by default)
+            raise Error, "multipart boundary not found within limit" if @sbuf.string.bytesize > BOUNDARY_START_LIMIT
+
             # no boundary found, keep reading data
             return :want_read
           end
@@ -410,16 +437,30 @@ module Rack
             name = filename || "#{content_type || TEXT_PLAIN}[]".dup
           end
 
+          # Mime part head data is retained for both TempfilePart and BufferPart
+          # for the entireity of the parse, even though it isn't used for BufferPart.
+          update_retained_size(head.bytesize)
+
+          # If a filename is given, a TempfilePart will be used, so the body will
+          # not be buffered in memory. However, if a filename is not given, a BufferPart
+          # will be used, and the body will be buffered in memory.
+          @body_retained = !filename
+
           @collector.on_mime_head @mime_index, head, filename, content_type, name
           @state = :MIME_BODY
         else
-          :want_read
+          # We raise if the mime part header is too large, to avoid unbounded memory
+          # buffering. Note that the actual limit is the higher of 64KB and the buffer size (1MB by default)
+          raise Error, "multipart mime part header too large" if @sbuf.string.bytesize > MIME_HEADER_BYTESIZE_LIMIT
+
+          return :want_read
         end
       end
 
       def handle_mime_body
         if (body_with_boundary = @sbuf.check_until(@body_regex)) # check but do not advance the pointer yet
           body = body_with_boundary.sub(@body_regex_at_end, '') # remove the boundary from the string
+          update_retained_size(body.bytesize) if @body_retained
           @collector.on_mime_body @mime_index, body
           @sbuf.pos += body.length + 2 # skip \r\n after the content
           @state = :CONSUME_TOKEN
@@ -428,7 +469,9 @@ module Rack
           # Save what we have so far
           if @rx_max_size < @sbuf.rest_size
             delta = @sbuf.rest_size - @rx_max_size
-            @collector.on_mime_body @mime_index, @sbuf.peek(delta)
+            body = @sbuf.peek(delta)
+            update_retained_size(body.bytesize) if @body_retained
+            @collector.on_mime_body @mime_index, body
             @sbuf.pos += delta
             @sbuf.string = @sbuf.rest
           end
@@ -436,6 +479,13 @@ module Rack
         end
       end
 
+      def update_retained_size(size)
+        @retained_size += size
+        if @retained_size > BUFFERED_UPLOAD_BYTESIZE_LIMIT
+          raise Error, "multipart data over retained size limit"
+        end
+      end
+
       # Scan until the we find the start or end of the boundary.
       # If we find it, return the appropriate symbol for the start or
       # end of the boundary.  If we don't find the start or end of the

data/lib/rack/version.rb

@@ -6,7 +6,7 @@
 # See MIT-LICENSE or https://opensource.org/licenses/MIT.
 
 module Rack
-  VERSION = "3.2.0"
+  VERSION = "3.2.2"
 
   RELEASE = VERSION
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-  version: 3.2.0
+  version: 3.2.2
 platform: ruby
 authors:
 - Leah Neukirchen
@@ -156,7 +156,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.7
+rubygems_version: 3.6.9
 specification_version: 4
 summary: A modular Ruby webserver interface.
 test_files: []