rack 3.2.1 → 3.2.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +29 -1
- data/README.md +8 -0
- data/lib/rack/multipart/parser.rb +52 -2
- data/lib/rack/version.rb +1 -1
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: '080d2911dca86ef9f377de17b22e51f04472e25d2af32cc9effd975097785f1a'
|
|
4
|
+
data.tar.gz: c3ee87b2b5bc8e676986c4b9d48ebfc97420a69a02fb0a945f340f34b4578349
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: bd897ed5e78fb8ce1ba9c542f5233d8c49e309004f826d4e112127a23ff55fd5758ae90b6856b209c156cbc5695eb28c1c27a5d0fb036cdffd94c91a9096fb4e
|
|
7
|
+
data.tar.gz: 053d5a2eaa6cdaed9404b2da2c7a7e730c73dea77ebdd75a4628b150b1e59bbc5fa2e81ea56edb0a6df6da122f94d621292f74d0263ffe0721d7e07c81e4e897
|
data/CHANGELOG.md
CHANGED
|
@@ -2,7 +2,13 @@
|
|
|
2
2
|
|
|
3
3
|
All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
|
|
4
4
|
|
|
5
|
-
##
|
|
5
|
+
## [3.2.2] - 2025-10-07
|
|
6
|
+
|
|
7
|
+
### Security
|
|
8
|
+
|
|
9
|
+
- [CVE-2025-61772](https://github.com/advisories/GHSA-wpv5-97wm-hp9c) Multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
|
|
10
|
+
- [CVE-2025-61771](https://github.com/advisories/GHSA-w9pc-fmgc-vxvw) Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)
|
|
11
|
+
- [CVE-2025-61770](https://github.com/advisories/GHSA-p543-xpfm-54cp) Unbounded multipart preamble buffering enables DoS (memory exhaustion)
|
|
6
12
|
|
|
7
13
|
## [3.2.1] -- 2025-09-02
|
|
8
14
|
|
|
@@ -61,6 +67,14 @@ This release continues Rack's evolution toward a cleaner, more efficient foundat
|
|
|
61
67
|
- `SERVER_NAME` and `HTTP_HOST` are now more strictly validated according to the relevant specifications. ([#2298](https://github.com/rack/rack/pull/2298), [@ioquatix])
|
|
62
68
|
- `Rack::Lint` now disallows `PATH_INFO="" SCRIPT_NAME=""`. ([#2298](https://github.com/rack/rack/issues/2307), [@jeremyevans])
|
|
63
69
|
|
|
70
|
+
## [3.1.17] - 2025-10-07
|
|
71
|
+
|
|
72
|
+
### Security
|
|
73
|
+
|
|
74
|
+
- [CVE-2025-61772](https://github.com/advisories/GHSA-wpv5-97wm-hp9c) Multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
|
|
75
|
+
- [CVE-2025-61771](https://github.com/advisories/GHSA-w9pc-fmgc-vxvw) Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)
|
|
76
|
+
- [CVE-2025-61770](https://github.com/advisories/GHSA-p543-xpfm-54cp) Unbounded multipart preamble buffering enables DoS (memory exhaustion)
|
|
77
|
+
|
|
64
78
|
## [3.1.16] - 2025-06-04
|
|
65
79
|
|
|
66
80
|
### Security
|
|
@@ -430,6 +444,20 @@ This release introduces major improvements to Rack, including enhanced support f
|
|
|
430
444
|
- Fix multipart filename generation for filenames that contain spaces. Encode spaces as "%20" instead of "+" which will be decoded properly by the multipart parser. ([#1736](https://github.com/rack/rack/pull/1645), [@muirdm](https://github.com/muirdm))
|
|
431
445
|
- `Rack::Request#scheme` returns `ws` or `wss` when one of the `X-Forwarded-Scheme` / `X-Forwarded-Proto` headers is set to `ws` or `wss`, respectively. ([#1730](https://github.com/rack/rack/issues/1730), [@erwanst](https://github.com/erwanst))
|
|
432
446
|
|
|
447
|
+
## [2.2.19] - 2025-10-07
|
|
448
|
+
|
|
449
|
+
### Security
|
|
450
|
+
|
|
451
|
+
- [CVE-2025-61772](https://github.com/advisories/GHSA-wpv5-97wm-hp9c) Multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
|
|
452
|
+
- [CVE-2025-61771](https://github.com/advisories/GHSA-w9pc-fmgc-vxvw) Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)
|
|
453
|
+
- [CVE-2025-61770](https://github.com/advisories/GHSA-p543-xpfm-54cp) Unbounded multipart preamble buffering enables DoS (memory exhaustion)
|
|
454
|
+
|
|
455
|
+
## [2.2.18] - 2025-09-25
|
|
456
|
+
|
|
457
|
+
### Security
|
|
458
|
+
|
|
459
|
+
- [CVE-2025-59830](https://github.com/rack/rack/security/advisories/GHSA-625h-95r8-8xpm) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion via semicolon-separated parameters.
|
|
460
|
+
|
|
433
461
|
## [2.2.17] - 2025-06-03
|
|
434
462
|
|
|
435
463
|
- Backport `Rack::MediaType#params` now handles parameters without values. ([#2263](https://github.com/rack/rack/pull/2263), [@AllyMarthaJ](https://github.com/AllyMarthaJ))
|
data/README.md
CHANGED
|
@@ -230,6 +230,14 @@ query string, before attempting parsing, so if the same parameter key is
|
|
|
230
230
|
used multiple times in the query, each counts as a separate parameter for
|
|
231
231
|
this check.
|
|
232
232
|
|
|
233
|
+
### `RACK_MULTIPART_BUFFERED_UPLOAD_BYTESIZE_LIMIT`
|
|
234
|
+
|
|
235
|
+
This environment variable sets the maximum amount of memory Rack will use
|
|
236
|
+
to buffer multipart parameters when parsing a request body. This considers
|
|
237
|
+
the size of the multipart mime headers and the body part for multipart
|
|
238
|
+
parameters that are buffered in memory and do not use tempfiles. This
|
|
239
|
+
defaults to 16MB if not provided.
|
|
240
|
+
|
|
233
241
|
### `param_depth_limit`
|
|
234
242
|
|
|
235
243
|
```ruby
|
|
@@ -59,6 +59,27 @@ module Rack
|
|
|
59
59
|
Tempfile.new(["RackMultipart", extension])
|
|
60
60
|
}
|
|
61
61
|
|
|
62
|
+
BOUNDARY_START_LIMIT = 16 * 1024
|
|
63
|
+
private_constant :BOUNDARY_START_LIMIT
|
|
64
|
+
|
|
65
|
+
MIME_HEADER_BYTESIZE_LIMIT = 64 * 1024
|
|
66
|
+
private_constant :MIME_HEADER_BYTESIZE_LIMIT
|
|
67
|
+
|
|
68
|
+
env_int = lambda do |key, val|
|
|
69
|
+
if str_val = ENV[key]
|
|
70
|
+
begin
|
|
71
|
+
val = Integer(str_val, 10)
|
|
72
|
+
rescue ArgumentError
|
|
73
|
+
raise ArgumentError, "non-integer value provided for environment variable #{key}"
|
|
74
|
+
end
|
|
75
|
+
end
|
|
76
|
+
|
|
77
|
+
val
|
|
78
|
+
end
|
|
79
|
+
|
|
80
|
+
BUFFERED_UPLOAD_BYTESIZE_LIMIT = env_int.call("RACK_MULTIPART_BUFFERED_UPLOAD_BYTESIZE_LIMIT", 16 * 1024 * 1024)
|
|
81
|
+
private_constant :BUFFERED_UPLOAD_BYTESIZE_LIMIT
|
|
82
|
+
|
|
62
83
|
class BoundedIO # :nodoc:
|
|
63
84
|
def initialize(io, content_length)
|
|
64
85
|
@io = io
|
|
@@ -218,6 +239,8 @@ module Rack
|
|
|
218
239
|
|
|
219
240
|
@state = :FAST_FORWARD
|
|
220
241
|
@mime_index = 0
|
|
242
|
+
@body_retained = nil
|
|
243
|
+
@retained_size = 0
|
|
221
244
|
@collector = Collector.new tempfile
|
|
222
245
|
|
|
223
246
|
@sbuf = StringScanner.new("".dup)
|
|
@@ -294,6 +317,10 @@ module Rack
|
|
|
294
317
|
|
|
295
318
|
# retry for opening boundary
|
|
296
319
|
else
|
|
320
|
+
# We raise if we don't find the multipart boundary, to avoid unbounded memory
|
|
321
|
+
# buffering. Note that the actual limit is the higher of 16KB and the buffer size (1MB by default)
|
|
322
|
+
raise Error, "multipart boundary not found within limit" if @sbuf.string.bytesize > BOUNDARY_START_LIMIT
|
|
323
|
+
|
|
297
324
|
# no boundary found, keep reading data
|
|
298
325
|
return :want_read
|
|
299
326
|
end
|
|
@@ -410,16 +437,30 @@ module Rack
|
|
|
410
437
|
name = filename || "#{content_type || TEXT_PLAIN}[]".dup
|
|
411
438
|
end
|
|
412
439
|
|
|
440
|
+
# Mime part head data is retained for both TempfilePart and BufferPart
|
|
441
|
+
# for the entireity of the parse, even though it isn't used for BufferPart.
|
|
442
|
+
update_retained_size(head.bytesize)
|
|
443
|
+
|
|
444
|
+
# If a filename is given, a TempfilePart will be used, so the body will
|
|
445
|
+
# not be buffered in memory. However, if a filename is not given, a BufferPart
|
|
446
|
+
# will be used, and the body will be buffered in memory.
|
|
447
|
+
@body_retained = !filename
|
|
448
|
+
|
|
413
449
|
@collector.on_mime_head @mime_index, head, filename, content_type, name
|
|
414
450
|
@state = :MIME_BODY
|
|
415
451
|
else
|
|
416
|
-
|
|
452
|
+
# We raise if the mime part header is too large, to avoid unbounded memory
|
|
453
|
+
# buffering. Note that the actual limit is the higher of 64KB and the buffer size (1MB by default)
|
|
454
|
+
raise Error, "multipart mime part header too large" if @sbuf.string.bytesize > MIME_HEADER_BYTESIZE_LIMIT
|
|
455
|
+
|
|
456
|
+
return :want_read
|
|
417
457
|
end
|
|
418
458
|
end
|
|
419
459
|
|
|
420
460
|
def handle_mime_body
|
|
421
461
|
if (body_with_boundary = @sbuf.check_until(@body_regex)) # check but do not advance the pointer yet
|
|
422
462
|
body = body_with_boundary.sub(@body_regex_at_end, '') # remove the boundary from the string
|
|
463
|
+
update_retained_size(body.bytesize) if @body_retained
|
|
423
464
|
@collector.on_mime_body @mime_index, body
|
|
424
465
|
@sbuf.pos += body.length + 2 # skip \r\n after the content
|
|
425
466
|
@state = :CONSUME_TOKEN
|
|
@@ -428,7 +469,9 @@ module Rack
|
|
|
428
469
|
# Save what we have so far
|
|
429
470
|
if @rx_max_size < @sbuf.rest_size
|
|
430
471
|
delta = @sbuf.rest_size - @rx_max_size
|
|
431
|
-
|
|
472
|
+
body = @sbuf.peek(delta)
|
|
473
|
+
update_retained_size(body.bytesize) if @body_retained
|
|
474
|
+
@collector.on_mime_body @mime_index, body
|
|
432
475
|
@sbuf.pos += delta
|
|
433
476
|
@sbuf.string = @sbuf.rest
|
|
434
477
|
end
|
|
@@ -436,6 +479,13 @@ module Rack
|
|
|
436
479
|
end
|
|
437
480
|
end
|
|
438
481
|
|
|
482
|
+
def update_retained_size(size)
|
|
483
|
+
@retained_size += size
|
|
484
|
+
if @retained_size > BUFFERED_UPLOAD_BYTESIZE_LIMIT
|
|
485
|
+
raise Error, "multipart data over retained size limit"
|
|
486
|
+
end
|
|
487
|
+
end
|
|
488
|
+
|
|
439
489
|
# Scan until the we find the start or end of the boundary.
|
|
440
490
|
# If we find it, return the appropriate symbol for the start or
|
|
441
491
|
# end of the boundary. If we don't find the start or end of the
|
data/lib/rack/version.rb
CHANGED