RubyGems - rack - Versions diffs - 3.2.3 → 3.2.5 - Mend

rack 3.2.3 → 3.2.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 19fbcf7ac3f253dc5265f02aa7200b80293cba9497712bef24b3bd9af9a7e1e8
-  data.tar.gz: fb0dbfc721493fa7483ba1cb4a258b246823bcc2e42dff2ee69519be653ade80
+  metadata.gz: dcab43418ebec9227dad4a8e8fbfeb403097a3c34bcebc63a230350984c68ab9
+  data.tar.gz: 6b82c8e25fa9bc835cfe24a05da9731bd9a0654b40a56a01c6f77ac7fc7029f4
 SHA512:
-  metadata.gz: 44fcb08953ddacf0c82e60513ea4642d95f330fc82d1f4bf06bb8bc9f1e26eb9d19c9c48bf73b639e2b2427173660e1a3d553358b8b536c4236c3e44af2f87df
-  data.tar.gz: 584b4862cdab33cb37aca49446d3c0bef33c37a4f9a63c5238105d601c23b86c54ab3b277a570b465590006fcf8edbcd8a8b195fa07f0f40375a3b988b299433
+  metadata.gz: a727df6903901d26a8d4e031302cb0c5b45134b9e31b2443b6e4d4a595233f4d18d58ff265cafbd9e344e4b7958fd3d27b6e46d57c6f37c9744617da8eba6db4
+  data.tar.gz: 8c914906cc9c4d0610ab8dc0de815cb714311261dc50ef6d1a6c1b5ecacd9d3f58e477014176a0044dd1f1dd24ecc55554eb6eebe78995205bd6c47bee83d9eb

data/CHANGELOG.md CHANGED Viewed

@@ -2,6 +2,23 @@
 All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
+## Unreleased
+### Security
+- [CVE-2026-25500](https://github.com/advisories/GHSA-whrj-4476-wvmp) XSS injection via malicious filename in `Rack::Directory`.
+- [CVE-2026-22860](https://github.com/advisories/GHSA-mxw3-3hh2-x2mh) Directory traversal via root prefix bypass in `Rack::Directory`.
+### Fixed
+- Fix `Rack::MockResponse#body` when the body is a Proc. ([#2420](https://github.com/rack/rack/pull/2420), [#2423](https://github.com/rack/rack/pull/2423), [@tavianator](https://github.com/tavianator), [@ioquatix])
+## [3.2.4] - 2025-11-03
+### Fixed
+- Multipart parser: limit MIME header size check to the unread buffer region to avoid false `multipart mime part header too large` errors when previously read data accumulates in the scan buffer. ([#2392](https://github.com/rack/rack/pull/2392), [@alpaca-tc](https://github.com/alpaca-tc), [@willnet](https://github.com/willnet), [@krororo](https://github.com/krororo))
 ## [3.2.3] - 2025-10-10
 ### Security
@@ -74,6 +91,12 @@ This release continues Rack's evolution toward a cleaner, more efficient foundat
 - `SERVER_NAME` and `HTTP_HOST` are now more strictly validated according to the relevant specifications. ([#2298](https://github.com/rack/rack/pull/2298), [@ioquatix])
 - `Rack::Lint` now disallows `PATH_INFO="" SCRIPT_NAME=""`. ([#2298](https://github.com/rack/rack/issues/2307), [@jeremyevans])
+## [3.1.19] - 2025-11-03
+### Fixed
+- Multipart parser: limit MIME header size check to the unread buffer region to avoid false `multipart mime part header too large` errors when previously read data accumulates in the scan buffer. ([#2392](https://github.com/rack/rack/pull/2392), [@alpaca-tc](https://github.com/alpaca-tc), [@willnet](https://github.com/willnet), [@krororo](https://github.com/krororo))
 ## [3.1.18] - 2025-10-10
 ### Security
@@ -458,6 +481,12 @@ This release introduces major improvements to Rack, including enhanced support f
 - Fix multipart filename generation for filenames that contain spaces. Encode spaces as "%20" instead of "+" which will be decoded properly by the multipart parser. ([#1736](https://github.com/rack/rack/pull/1645), [@muirdm](https://github.com/muirdm))
 - `Rack::Request#scheme` returns `ws` or `wss` when one of the `X-Forwarded-Scheme` / `X-Forwarded-Proto` headers is set to `ws` or `wss`, respectively. ([#1730](https://github.com/rack/rack/issues/1730), [@erwanst](https://github.com/erwanst))
+## [2.2.21] - 2025-11-03
+### Fixed
+- Multipart parser: limit MIME header size check to the unread buffer region to avoid false `multipart mime part header too large` errors when previously read data accumulates in the scan buffer. ([#2392](https://github.com/rack/rack/pull/2392), [@alpaca-tc](https://github.com/alpaca-tc), [@willnet](https://github.com/willnet), [@krororo](https://github.com/krororo))
 ## [2.2.20] - 2025-10-10
 ### Security

data/lib/rack/directory.rb CHANGED Viewed

@@ -17,7 +17,7 @@ module Rack
   # If +app+ is not specified, a Rack::Files of the same +root+ will be used.
   class Directory
-    DIR_FILE = "<tr><td class='name'><a href='%s'>%s</a></td><td class='size'>%s</td><td class='type'>%s</td><td class='mtime'>%s</td></tr>\n"
+    DIR_FILE = "<tr><td class='name'><a href='./%s'>%s</a></td><td class='size'>%s</td><td class='type'>%s</td><td class='mtime'>%s</td></tr>\n"
     DIR_PAGE_HEADER = <<-PAGE
 <html><head>
   <title>%s</title>
@@ -82,6 +82,7 @@ table { width:100%%; }
     # Set the root directory and application for serving files.
     def initialize(root, app = nil)
       @root = ::File.expand_path(root)
+      @root_with_separator = @root.end_with?(::File::SEPARATOR) ? @root : "#{@root}#{::File::SEPARATOR}"
       @app = app || Files.new(@root)
       @head = Head.new(method(:get))
     end
@@ -118,7 +119,9 @@ table { width:100%%; }
     # Rack response to use for requests with paths outside the root, or nil if path is inside the root.
     def check_forbidden(path_info)
       return unless path_info.include? ".."
-      return if ::File.expand_path(::File.join(@root, path_info)).start_with?(@root)
+      expanded_path = ::File.expand_path(::File.join(@root, path_info))
+      return if expanded_path == @root || expanded_path.start_with?(@root_with_separator)
       body = "Forbidden\n"
       [403, { CONTENT_TYPE => "text/plain",

data/lib/rack/mock_response.rb CHANGED Viewed

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
+require 'stringio'
 require 'time'
 require_relative 'response'
@@ -82,8 +83,16 @@ module Rack
       #   end
       buffer = @buffered_body = String.new
-      @body.each do |chunk|
-        buffer << chunk
+      begin
+        if @body.respond_to?(:each)
+          @body.each do |chunk|
+            buffer << chunk
+          end
+        else
+          @body.call(StringIO.new(buffer))
+        end
+      ensure
+        @body.close if @body.respond_to?(:close)
       end
       return buffer

data/lib/rack/multipart/parser.rb CHANGED Viewed

@@ -451,7 +451,7 @@ module Rack
         else
           # We raise if the mime part header is too large, to avoid unbounded memory
           # buffering. Note that the actual limit is the higher of 64KB and the buffer size (1MB by default)
-          raise Error, "multipart mime part header too large" if @sbuf.string.bytesize > MIME_HEADER_BYTESIZE_LIMIT
+          raise Error, "multipart mime part header too large" if @sbuf.rest.bytesize > MIME_HEADER_BYTESIZE_LIMIT
           return :want_read
         end

data/lib/rack/version.rb CHANGED Viewed

@@ -6,7 +6,7 @@
 # See MIT-LICENSE or https://opensource.org/licenses/MIT.
 module Rack
-  VERSION = "3.2.3"
+  VERSION = "3.2.5"
   RELEASE = VERSION

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-  version: 3.2.3
+  version: 3.2.5
 platform: ruby
 authors:
 - Leah Neukirchen
@@ -156,7 +156,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.9
+rubygems_version: 4.0.3
 specification_version: 4
 summary: A modular Ruby webserver interface.
 test_files: []