rack 3.2.2 → 3.2.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +35 -14
- data/lib/rack/query_parser.rb +3 -1
- data/lib/rack/request.rb +4 -1
- data/lib/rack/sendfile.rb +50 -20
- data/lib/rack/version.rb +1 -1
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 19fbcf7ac3f253dc5265f02aa7200b80293cba9497712bef24b3bd9af9a7e1e8
|
|
4
|
+
data.tar.gz: fb0dbfc721493fa7483ba1cb4a258b246823bcc2e42dff2ee69519be653ade80
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 44fcb08953ddacf0c82e60513ea4642d95f330fc82d1f4bf06bb8bc9f1e26eb9d19c9c48bf73b639e2b2427173660e1a3d553358b8b536c4236c3e44af2f87df
|
|
7
|
+
data.tar.gz: 584b4862cdab33cb37aca49446d3c0bef33c37a4f9a63c5238105d601c23b86c54ab3b277a570b465590006fcf8edbcd8a8b195fa07f0f40375a3b988b299433
|
data/CHANGELOG.md
CHANGED
|
@@ -2,6 +2,13 @@
|
|
|
2
2
|
|
|
3
3
|
All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
|
|
4
4
|
|
|
5
|
+
## [3.2.3] - 2025-10-10
|
|
6
|
+
|
|
7
|
+
### Security
|
|
8
|
+
|
|
9
|
+
- [CVE-2025-61780](https://github.com/advisories/GHSA-r657-rxjc-j557) Improper handling of headers in `Rack::Sendfile` may allow proxy bypass.
|
|
10
|
+
- [CVE-2025-61919](https://github.com/advisories/GHSA-6xw4-3v39-52mm) Unbounded read in `Rack::Request` form parsing can lead to memory exhaustion.
|
|
11
|
+
|
|
5
12
|
## [3.2.2] - 2025-10-07
|
|
6
13
|
|
|
7
14
|
### Security
|
|
@@ -67,6 +74,13 @@ This release continues Rack's evolution toward a cleaner, more efficient foundat
|
|
|
67
74
|
- `SERVER_NAME` and `HTTP_HOST` are now more strictly validated according to the relevant specifications. ([#2298](https://github.com/rack/rack/pull/2298), [@ioquatix])
|
|
68
75
|
- `Rack::Lint` now disallows `PATH_INFO="" SCRIPT_NAME=""`. ([#2298](https://github.com/rack/rack/issues/2307), [@jeremyevans])
|
|
69
76
|
|
|
77
|
+
## [3.1.18] - 2025-10-10
|
|
78
|
+
|
|
79
|
+
### Security
|
|
80
|
+
|
|
81
|
+
- [CVE-2025-61780](https://github.com/advisories/GHSA-r657-rxjc-j557) Improper handling of headers in `Rack::Sendfile` may allow proxy bypass.
|
|
82
|
+
- [CVE-2025-61919](https://github.com/advisories/GHSA-6xw4-3v39-52mm) Unbounded read in `Rack::Request` form parsing can lead to memory exhaustion.
|
|
83
|
+
|
|
70
84
|
## [3.1.17] - 2025-10-07
|
|
71
85
|
|
|
72
86
|
### Security
|
|
@@ -91,7 +105,7 @@ This release continues Rack's evolution toward a cleaner, more efficient foundat
|
|
|
91
105
|
|
|
92
106
|
### Security
|
|
93
107
|
|
|
94
|
-
- [CVE-2025-46727](https://github.com/
|
|
108
|
+
- [CVE-2025-46727](https://github.com/advisories/GHSA-gjh7-p2fx-99vx) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion.
|
|
95
109
|
|
|
96
110
|
## [3.1.13] - 2025-04-13
|
|
97
111
|
|
|
@@ -101,19 +115,19 @@ This release continues Rack's evolution toward a cleaner, more efficient foundat
|
|
|
101
115
|
|
|
102
116
|
### Security
|
|
103
117
|
|
|
104
|
-
- [CVE-2025-27610](https://github.com/
|
|
118
|
+
- [CVE-2025-27610](https://github.com/advisories/GHSA-7wqh-767x-r66v) Local file inclusion in `Rack::Static`.
|
|
105
119
|
|
|
106
120
|
## [3.1.11] - 2025-03-04
|
|
107
121
|
|
|
108
122
|
### Security
|
|
109
123
|
|
|
110
|
-
- [CVE-2025-27111](https://github.com/
|
|
124
|
+
- [CVE-2025-27111](https://github.com/advisories/GHSA-8cgq-6mh2-7j6v) Possible Log Injection in `Rack::Sendfile`.
|
|
111
125
|
|
|
112
126
|
## [3.1.10] - 2025-02-12
|
|
113
127
|
|
|
114
128
|
### Security
|
|
115
129
|
|
|
116
|
-
- [CVE-2025-25184](https://github.com/
|
|
130
|
+
- [CVE-2025-25184](https://github.com/advisories/GHSA-7g2v-jj9q-g3rg) Possible Log Injection in `Rack::CommonLogger`.
|
|
117
131
|
|
|
118
132
|
## [3.1.9] - 2025-01-31
|
|
119
133
|
|
|
@@ -146,7 +160,7 @@ This release continues Rack's evolution toward a cleaner, more efficient foundat
|
|
|
146
160
|
|
|
147
161
|
### Security
|
|
148
162
|
|
|
149
|
-
- Fix potential ReDoS attack in `Rack::Request#parse_http_accept_header`. ([GHSA-cj83-2ww7-mvq7](https://github.com/
|
|
163
|
+
- Fix potential ReDoS attack in `Rack::Request#parse_http_accept_header`. ([GHSA-cj83-2ww7-mvq7](https://github.com/advisories/GHSA-cj83-2ww7-mvq7), [@dwisiswant0](https://github.com/dwisiswant0))
|
|
150
164
|
|
|
151
165
|
## [3.1.4] - 2024-06-22
|
|
152
166
|
|
|
@@ -238,7 +252,7 @@ This release is primarily a maintenance release that removes features deprecated
|
|
|
238
252
|
|
|
239
253
|
### Security
|
|
240
254
|
|
|
241
|
-
- [CVE-2025-46727](https://github.com/
|
|
255
|
+
- [CVE-2025-46727](https://github.com/advisories/GHSA-gjh7-p2fx-99vx) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion.
|
|
242
256
|
|
|
243
257
|
## [3.0.15] - 2025-04-13
|
|
244
258
|
|
|
@@ -248,13 +262,13 @@ This release is primarily a maintenance release that removes features deprecated
|
|
|
248
262
|
|
|
249
263
|
### Security
|
|
250
264
|
|
|
251
|
-
- [CVE-2025-27610](https://github.com/
|
|
265
|
+
- [CVE-2025-27610](https://github.com/advisories/GHSA-7wqh-767x-r66v) Local file inclusion in `Rack::Static`.
|
|
252
266
|
|
|
253
267
|
## [3.0.13] - 2025-03-04
|
|
254
268
|
|
|
255
269
|
### Security
|
|
256
270
|
|
|
257
|
-
- [CVE-2025-27111](https://github.com/
|
|
271
|
+
- [CVE-2025-27111](https://github.com/advisories/GHSA-8cgq-6mh2-7j6v) Possible Log Injection in `Rack::Sendfile`.
|
|
258
272
|
|
|
259
273
|
### Fixed
|
|
260
274
|
|
|
@@ -264,7 +278,7 @@ This release is primarily a maintenance release that removes features deprecated
|
|
|
264
278
|
|
|
265
279
|
### Security
|
|
266
280
|
|
|
267
|
-
- [CVE-2025-25184](https://github.com/
|
|
281
|
+
- [CVE-2025-25184](https://github.com/advisories/GHSA-7g2v-jj9q-g3rg) Possible Log Injection in `Rack::CommonLogger`.
|
|
268
282
|
|
|
269
283
|
## [3.0.11] - 2024-05-10
|
|
270
284
|
|
|
@@ -444,6 +458,13 @@ This release introduces major improvements to Rack, including enhanced support f
|
|
|
444
458
|
- Fix multipart filename generation for filenames that contain spaces. Encode spaces as "%20" instead of "+" which will be decoded properly by the multipart parser. ([#1736](https://github.com/rack/rack/pull/1645), [@muirdm](https://github.com/muirdm))
|
|
445
459
|
- `Rack::Request#scheme` returns `ws` or `wss` when one of the `X-Forwarded-Scheme` / `X-Forwarded-Proto` headers is set to `ws` or `wss`, respectively. ([#1730](https://github.com/rack/rack/issues/1730), [@erwanst](https://github.com/erwanst))
|
|
446
460
|
|
|
461
|
+
## [2.2.20] - 2025-10-10
|
|
462
|
+
|
|
463
|
+
### Security
|
|
464
|
+
|
|
465
|
+
- [CVE-2025-61780](https://github.com/advisories/GHSA-r657-rxjc-j557) Improper handling of headers in `Rack::Sendfile` may allow proxy bypass.
|
|
466
|
+
- [CVE-2025-61919](https://github.com/advisories/GHSA-6xw4-3v39-52mm) Unbounded read in `Rack::Request` form parsing can lead to memory exhaustion.
|
|
467
|
+
|
|
447
468
|
## [2.2.19] - 2025-10-07
|
|
448
469
|
|
|
449
470
|
### Security
|
|
@@ -456,7 +477,7 @@ This release introduces major improvements to Rack, including enhanced support f
|
|
|
456
477
|
|
|
457
478
|
### Security
|
|
458
479
|
|
|
459
|
-
- [CVE-2025-59830](https://github.com/
|
|
480
|
+
- [CVE-2025-59830](https://github.com/advisories/GHSA-625h-95r8-8xpm) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion via semicolon-separated parameters.
|
|
460
481
|
|
|
461
482
|
## [2.2.17] - 2025-06-03
|
|
462
483
|
|
|
@@ -476,25 +497,25 @@ This release introduces major improvements to Rack, including enhanced support f
|
|
|
476
497
|
|
|
477
498
|
### Security
|
|
478
499
|
|
|
479
|
-
- [CVE-2025-46727](https://github.com/
|
|
500
|
+
- [CVE-2025-46727](https://github.com/advisories/GHSA-gjh7-p2fx-99vx) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion.
|
|
480
501
|
|
|
481
502
|
## [2.2.13] - 2025-03-11
|
|
482
503
|
|
|
483
504
|
### Security
|
|
484
505
|
|
|
485
|
-
- [CVE-2025-27610](https://github.com/
|
|
506
|
+
- [CVE-2025-27610](https://github.com/advisories/GHSA-7wqh-767x-r66v) Local file inclusion in `Rack::Static`.
|
|
486
507
|
|
|
487
508
|
## [2.2.12] - 2025-03-04
|
|
488
509
|
|
|
489
510
|
### Security
|
|
490
511
|
|
|
491
|
-
- [CVE-2025-27111](https://github.com/
|
|
512
|
+
- [CVE-2025-27111](https://github.com/advisories/GHSA-8cgq-6mh2-7j6v) Possible Log Injection in `Rack::Sendfile`.
|
|
492
513
|
|
|
493
514
|
## [2.2.11] - 2025-02-12
|
|
494
515
|
|
|
495
516
|
### Security
|
|
496
517
|
|
|
497
|
-
- [CVE-2025-25184](https://github.com/
|
|
518
|
+
- [CVE-2025-25184](https://github.com/advisories/GHSA-7g2v-jj9q-g3rg) Possible Log Injection in `Rack::CommonLogger`.
|
|
498
519
|
|
|
499
520
|
## [2.2.10] - 2024-10-14
|
|
500
521
|
|
data/lib/rack/query_parser.rb
CHANGED
|
@@ -57,6 +57,8 @@ module Rack
|
|
|
57
57
|
PARAMS_LIMIT = env_int.call("RACK_QUERY_PARSER_PARAMS_LIMIT", 4096)
|
|
58
58
|
private_constant :PARAMS_LIMIT
|
|
59
59
|
|
|
60
|
+
attr_reader :bytesize_limit
|
|
61
|
+
|
|
60
62
|
def initialize(params_class, param_depth_limit, bytesize_limit: BYTESIZE_LIMIT, params_limit: PARAMS_LIMIT)
|
|
61
63
|
@params_class = params_class
|
|
62
64
|
@param_depth_limit = param_depth_limit
|
|
@@ -221,7 +223,7 @@ module Rack
|
|
|
221
223
|
return if !qs || qs.empty?
|
|
222
224
|
|
|
223
225
|
if qs.bytesize > @bytesize_limit
|
|
224
|
-
raise QueryLimitError, "total query size
|
|
226
|
+
raise QueryLimitError, "total query size exceeds limit (#{@bytesize_limit})"
|
|
225
227
|
end
|
|
226
228
|
|
|
227
229
|
pairs = qs.split(separator ? (COMMON_SEP[separator] || /[#{separator}] */n) : DEFAULT_SEP, @params_limit + 1)
|
data/lib/rack/request.rb
CHANGED
|
@@ -513,7 +513,10 @@ module Rack
|
|
|
513
513
|
if pairs = Rack::Multipart.parse_multipart(env, Rack::Multipart::ParamList)
|
|
514
514
|
set_header RACK_REQUEST_FORM_PAIRS, pairs
|
|
515
515
|
else
|
|
516
|
-
|
|
516
|
+
# Add 2 bytes. One to check whether it is over the limit, and a second
|
|
517
|
+
# in case the slice! call below removes the last byte
|
|
518
|
+
# If read returns nil, use the empty string
|
|
519
|
+
form_vars = get_header(RACK_INPUT).read(query_parser.bytesize_limit + 2) || ''
|
|
517
520
|
|
|
518
521
|
# Fix for Safari Ajax postings that always append \0
|
|
519
522
|
# form_vars.sub!(/\0\z/, '') # performance replacement:
|
data/lib/rack/sendfile.rb
CHANGED
|
@@ -16,21 +16,21 @@ module Rack
|
|
|
16
16
|
# delivery code.
|
|
17
17
|
#
|
|
18
18
|
# In order to take advantage of this middleware, the response body must
|
|
19
|
-
# respond to +to_path+ and the request must include an x-sendfile-type
|
|
19
|
+
# respond to +to_path+ and the request must include an `x-sendfile-type`
|
|
20
20
|
# header. Rack::Files and other components implement +to_path+ so there's
|
|
21
|
-
# rarely anything you need to do in your application. The x-sendfile-type
|
|
21
|
+
# rarely anything you need to do in your application. The `x-sendfile-type`
|
|
22
22
|
# header is typically set in your web servers configuration. The following
|
|
23
23
|
# sections attempt to document
|
|
24
24
|
#
|
|
25
25
|
# === Nginx
|
|
26
26
|
#
|
|
27
|
-
# Nginx supports the x-accel-redirect header. This is similar to x-sendfile
|
|
27
|
+
# Nginx supports the `x-accel-redirect` header. This is similar to `x-sendfile`
|
|
28
28
|
# but requires parts of the filesystem to be mapped into a private URL
|
|
29
29
|
# hierarchy.
|
|
30
30
|
#
|
|
31
31
|
# The following example shows the Nginx configuration required to create
|
|
32
|
-
# a private "/files/" area, enable x-accel-redirect
|
|
33
|
-
# x-
|
|
32
|
+
# a private "/files/" area, enable `x-accel-redirect`, and pass the special
|
|
33
|
+
# `x-accel-mapping` header to the backend:
|
|
34
34
|
#
|
|
35
35
|
# location ~ /files/(.*) {
|
|
36
36
|
# internal;
|
|
@@ -44,24 +44,29 @@ module Rack
|
|
|
44
44
|
# proxy_set_header X-Real-IP $remote_addr;
|
|
45
45
|
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
46
46
|
#
|
|
47
|
-
# proxy_set_header x-sendfile-type x-accel-redirect;
|
|
48
47
|
# proxy_set_header x-accel-mapping /var/www/=/files/;
|
|
49
48
|
#
|
|
50
49
|
# proxy_pass http://127.0.0.1:8080/;
|
|
51
50
|
# }
|
|
52
51
|
#
|
|
53
|
-
#
|
|
54
|
-
# The x-accel-mapping header should specify the location on the file system,
|
|
52
|
+
# The `x-accel-mapping` header should specify the location on the file system,
|
|
55
53
|
# followed by an equals sign (=), followed name of the private URL pattern
|
|
56
54
|
# that it maps to. The middleware performs a simple substitution on the
|
|
57
55
|
# resulting path.
|
|
58
56
|
#
|
|
57
|
+
# To enable `x-accel-redirect`, you must configure the middleware explicitly:
|
|
58
|
+
#
|
|
59
|
+
# use Rack::Sendfile, "x-accel-redirect"
|
|
60
|
+
#
|
|
61
|
+
# For security reasons, the `x-sendfile-type` header from requests is ignored.
|
|
62
|
+
# The sendfile variation must be set via the middleware constructor.
|
|
63
|
+
#
|
|
59
64
|
# See Also: https://www.nginx.com/resources/wiki/start/topics/examples/xsendfile
|
|
60
65
|
#
|
|
61
66
|
# === lighttpd
|
|
62
67
|
#
|
|
63
|
-
# Lighttpd has supported some variation of the x-sendfile header for some
|
|
64
|
-
# time, although only recent version support x-sendfile in a reverse proxy
|
|
68
|
+
# Lighttpd has supported some variation of the `x-sendfile` header for some
|
|
69
|
+
# time, although only recent version support `x-sendfile` in a reverse proxy
|
|
65
70
|
# configuration.
|
|
66
71
|
#
|
|
67
72
|
# $HTTP["host"] == "example.com" {
|
|
@@ -83,7 +88,7 @@ module Rack
|
|
|
83
88
|
#
|
|
84
89
|
# === Apache
|
|
85
90
|
#
|
|
86
|
-
# x-sendfile is supported under Apache 2.x using a separate module:
|
|
91
|
+
# `x-sendfile` is supported under Apache 2.x using a separate module:
|
|
87
92
|
#
|
|
88
93
|
# https://tn123.org/mod_xsendfile/
|
|
89
94
|
#
|
|
@@ -97,16 +102,28 @@ module Rack
|
|
|
97
102
|
# === Mapping parameter
|
|
98
103
|
#
|
|
99
104
|
# The third parameter allows for an overriding extension of the
|
|
100
|
-
# x-accel-mapping header. Mappings should be provided in tuples of internal to
|
|
105
|
+
# `x-accel-mapping` header. Mappings should be provided in tuples of internal to
|
|
101
106
|
# external. The internal values may contain regular expression syntax, they
|
|
102
107
|
# will be matched with case indifference.
|
|
108
|
+
#
|
|
109
|
+
# When `x-accel-redirect` is explicitly enabled via the variation parameter,
|
|
110
|
+
# and no application-level mappings are provided, the middleware will read
|
|
111
|
+
# the `x-accel-mapping` header from the proxy. This allows nginx to control
|
|
112
|
+
# the path mapping without requiring application-level configuration.
|
|
113
|
+
#
|
|
114
|
+
# === Security
|
|
115
|
+
#
|
|
116
|
+
# For security reasons, the `x-sendfile-type` header from HTTP requests is
|
|
117
|
+
# ignored. The sendfile variation must be explicitly configured via the
|
|
118
|
+
# middleware constructor to prevent information disclosure vulnerabilities
|
|
119
|
+
# where attackers could bypass proxy restrictions.
|
|
103
120
|
|
|
104
121
|
class Sendfile
|
|
105
122
|
def initialize(app, variation = nil, mappings = [])
|
|
106
123
|
@app = app
|
|
107
124
|
@variation = variation
|
|
108
125
|
@mappings = mappings.map do |internal, external|
|
|
109
|
-
[
|
|
126
|
+
[/\A#{internal}/i, external]
|
|
110
127
|
end
|
|
111
128
|
end
|
|
112
129
|
|
|
@@ -145,22 +162,35 @@ module Rack
|
|
|
145
162
|
end
|
|
146
163
|
|
|
147
164
|
private
|
|
165
|
+
|
|
148
166
|
def variation(env)
|
|
149
|
-
|
|
150
|
-
|
|
151
|
-
|
|
167
|
+
# Note: HTTP_X_SENDFILE_TYPE is intentionally NOT read for security reasons.
|
|
168
|
+
# Attackers could use this header to enable x-accel-redirect and bypass proxy restrictions.
|
|
169
|
+
@variation || env['sendfile.type']
|
|
170
|
+
end
|
|
171
|
+
|
|
172
|
+
def x_accel_mapping(env)
|
|
173
|
+
# Only allow header when:
|
|
174
|
+
# 1. `x-accel-redirect` is explicitly enabled via constructor.
|
|
175
|
+
# 2. No application-level mappings are configured.
|
|
176
|
+
return nil unless @variation =~ /x-accel-redirect/i
|
|
177
|
+
return nil if @mappings.any?
|
|
178
|
+
|
|
179
|
+
env['HTTP_X_ACCEL_MAPPING']
|
|
152
180
|
end
|
|
153
181
|
|
|
154
182
|
def map_accel_path(env, path)
|
|
155
183
|
if mapping = @mappings.find { |internal, _| internal =~ path }
|
|
156
|
-
path.sub(*mapping)
|
|
157
|
-
elsif mapping = env
|
|
184
|
+
return path.sub(*mapping)
|
|
185
|
+
elsif mapping = x_accel_mapping(env)
|
|
186
|
+
# Safe to use header: explicit config + no app mappings:
|
|
158
187
|
mapping.split(',').map(&:strip).each do |m|
|
|
159
188
|
internal, external = m.split('=', 2).map(&:strip)
|
|
160
|
-
new_path = path.sub(
|
|
189
|
+
new_path = path.sub(/\A#{internal}/i, external)
|
|
161
190
|
return new_path unless path == new_path
|
|
162
191
|
end
|
|
163
|
-
|
|
192
|
+
|
|
193
|
+
return path
|
|
164
194
|
end
|
|
165
195
|
end
|
|
166
196
|
end
|
data/lib/rack/version.rb
CHANGED