rack 1.6.1 → 1.6.2
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of rack might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/HISTORY.md +4 -1
- data/lib/rack.rb +1 -1
- data/lib/rack/handler.rb +1 -1
- data/lib/rack/handler/webrick.rb +0 -1
- data/lib/rack/mime.rb +1 -0
- data/lib/rack/static.rb +3 -3
- data/lib/rack/utils.rb +11 -4
- data/rack.gemspec +1 -1
- data/test/spec_handler.rb +4 -0
- data/test/spec_utils.rb +12 -0
- metadata +3 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: ab38bb5c60cd46486301f9260b5a573ee1f433f2
|
|
4
|
+
data.tar.gz: e17cf5cf671ebd4aa03826847d006be00c964c4a
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 71969e78c1454c8dcf6bd20e0fcb59f367d0e1a1b6ad32a512c866cb88f18ca1d98cb2074e704596a84fb91b64760e730dc590c1caf4b480ab5dae50994d776d
|
|
7
|
+
data.tar.gz: 5748ff056a909a1d1ee5ef717ccca1b04a5c6a076397cdefc05b23235a1f4fb3e8d3b833a65e3dbaa57c29efe7184eba7a69b47c59d5ca7d5e004cff228538e2
|
data/HISTORY.md
CHANGED
|
@@ -1,5 +1,8 @@
|
|
|
1
|
+
Fri Jun 12 11:37:41 2015 Aaron Patterson <tenderlove@ruby-lang.org>
|
|
2
|
+
|
|
3
|
+
* Prevent extremely deep parameters from being parsed. CVE-2015-3225
|
|
4
|
+
|
|
1
5
|
### December 18th, Thirty sixth public release 1.6.0
|
|
2
|
-
- TODO
|
|
3
6
|
|
|
4
7
|
### February 7th, Thirty fifth public release 1.5.2
|
|
5
8
|
- Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
|
data/lib/rack.rb
CHANGED
data/lib/rack/handler.rb
CHANGED
data/lib/rack/handler/webrick.rb
CHANGED
|
@@ -28,7 +28,6 @@ module Rack
|
|
|
28
28
|
|
|
29
29
|
options[:BindAddress] = options.delete(:Host) || default_host
|
|
30
30
|
options[:Port] ||= 8080
|
|
31
|
-
options[:OutputBufferSize] = 5
|
|
32
31
|
@server = ::WEBrick::HTTPServer.new(options)
|
|
33
32
|
@server.mount "/", Rack::Handler::WEBrick, app
|
|
34
33
|
yield @server if block_given?
|
data/lib/rack/mime.rb
CHANGED
|
@@ -614,6 +614,7 @@ module Rack
|
|
|
614
614
|
".wmx" => "video/x-ms-wmx",
|
|
615
615
|
".wmz" => "application/x-ms-wmz",
|
|
616
616
|
".woff" => "application/font-woff",
|
|
617
|
+
".woff2" => "application/font-woff2",
|
|
617
618
|
".wpd" => "application/vnd.wordperfect",
|
|
618
619
|
".wpl" => "application/vnd.ms-wpl",
|
|
619
620
|
".wps" => "application/vnd.ms-works",
|
data/lib/rack/static.rb
CHANGED
|
@@ -53,8 +53,8 @@ module Rack
|
|
|
53
53
|
# 4) Regular Expressions / Regexp
|
|
54
54
|
# Provide a regular expression
|
|
55
55
|
# %r{\.(?:css|js)\z} => Matches files ending in .css or .js
|
|
56
|
-
# /\.(?:eot|ttf|otf|woff|svg)\z/ => Matches files ending in
|
|
57
|
-
# the most common web font formats (.eot, .ttf, .otf, .woff, .svg)
|
|
56
|
+
# /\.(?:eot|ttf|otf|woff2|woff|svg)\z/ => Matches files ending in
|
|
57
|
+
# the most common web font formats (.eot, .ttf, .otf, .woff2, .woff, .svg)
|
|
58
58
|
# Note: This Regexp is available as a shortcut, using the :fonts rule
|
|
59
59
|
#
|
|
60
60
|
# 5) Font Shortcut
|
|
@@ -132,7 +132,7 @@ module Rack
|
|
|
132
132
|
when :all
|
|
133
133
|
true
|
|
134
134
|
when :fonts
|
|
135
|
-
path =~ /\.(?:ttf|otf|eot|woff|svg)\z/
|
|
135
|
+
path =~ /\.(?:ttf|otf|eot|woff2|woff|svg)\z/
|
|
136
136
|
when String
|
|
137
137
|
path = ::Rack::Utils.unescape(path)
|
|
138
138
|
path.start_with?(rule) || path.start_with?('/' + rule)
|
data/lib/rack/utils.rb
CHANGED
|
@@ -61,6 +61,7 @@ module Rack
|
|
|
61
61
|
|
|
62
62
|
class << self
|
|
63
63
|
attr_accessor :key_space_limit
|
|
64
|
+
attr_accessor :param_depth_limit
|
|
64
65
|
attr_accessor :multipart_part_limit
|
|
65
66
|
end
|
|
66
67
|
|
|
@@ -68,6 +69,10 @@ module Rack
|
|
|
68
69
|
# This helps prevent a rogue client from flooding a Request.
|
|
69
70
|
self.key_space_limit = 65536
|
|
70
71
|
|
|
72
|
+
# Default depth at which the parameter parser will raise an exception for
|
|
73
|
+
# being too deep. This helps prevent SystemStackErrors
|
|
74
|
+
self.param_depth_limit = 100
|
|
75
|
+
|
|
71
76
|
# The maximum number of parts a request can contain. Accepting too many part
|
|
72
77
|
# can lead to the server running out of file handles.
|
|
73
78
|
# Set to `0` for no limit.
|
|
@@ -126,7 +131,9 @@ module Rack
|
|
|
126
131
|
# normalize_params recursively expands parameters into structural types. If
|
|
127
132
|
# the structural types represented by two different parameter names are in
|
|
128
133
|
# conflict, a ParameterTypeError is raised.
|
|
129
|
-
def normalize_params(params, name, v = nil)
|
|
134
|
+
def normalize_params(params, name, v = nil, depth = Utils.param_depth_limit)
|
|
135
|
+
raise RangeError if depth <= 0
|
|
136
|
+
|
|
130
137
|
name =~ %r(\A[\[\]]*([^\[\]]+)\]*)
|
|
131
138
|
k = $1 || ''
|
|
132
139
|
after = $' || ''
|
|
@@ -146,14 +153,14 @@ module Rack
|
|
|
146
153
|
params[k] ||= []
|
|
147
154
|
raise ParameterTypeError, "expected Array (got #{params[k].class.name}) for param `#{k}'" unless params[k].is_a?(Array)
|
|
148
155
|
if params_hash_type?(params[k].last) && !params[k].last.key?(child_key)
|
|
149
|
-
normalize_params(params[k].last, child_key, v)
|
|
156
|
+
normalize_params(params[k].last, child_key, v, depth - 1)
|
|
150
157
|
else
|
|
151
|
-
params[k] << normalize_params(params.class.new, child_key, v)
|
|
158
|
+
params[k] << normalize_params(params.class.new, child_key, v, depth - 1)
|
|
152
159
|
end
|
|
153
160
|
else
|
|
154
161
|
params[k] ||= params.class.new
|
|
155
162
|
raise ParameterTypeError, "expected Hash (got #{params[k].class.name}) for param `#{k}'" unless params_hash_type?(params[k])
|
|
156
|
-
params[k] = normalize_params(params[k], after, v)
|
|
163
|
+
params[k] = normalize_params(params[k], after, v, depth - 1)
|
|
157
164
|
end
|
|
158
165
|
|
|
159
166
|
return params
|
data/rack.gemspec
CHANGED
data/test/spec_handler.rb
CHANGED
data/test/spec_utils.rb
CHANGED
|
@@ -134,6 +134,18 @@ describe Rack::Utils do
|
|
|
134
134
|
}.should.not.raise
|
|
135
135
|
end
|
|
136
136
|
|
|
137
|
+
should "raise an exception if the params are too deep" do
|
|
138
|
+
len = Rack::Utils.param_depth_limit
|
|
139
|
+
|
|
140
|
+
lambda {
|
|
141
|
+
Rack::Utils.parse_nested_query("foo#{"[a]" * len}=bar")
|
|
142
|
+
}.should.raise(RangeError)
|
|
143
|
+
|
|
144
|
+
lambda {
|
|
145
|
+
Rack::Utils.parse_nested_query("foo#{"[a]" * (len - 1)}=bar")
|
|
146
|
+
}.should.not.raise
|
|
147
|
+
end
|
|
148
|
+
|
|
137
149
|
should "parse nested query strings correctly" do
|
|
138
150
|
Rack::Utils.parse_nested_query("foo").
|
|
139
151
|
should.equal "foo" => nil
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rack
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.6.
|
|
4
|
+
version: 1.6.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Christian Neukirchen
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2015-
|
|
11
|
+
date: 2015-06-16 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bacon
|
|
@@ -254,7 +254,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
254
254
|
version: '0'
|
|
255
255
|
requirements: []
|
|
256
256
|
rubyforge_project: rack
|
|
257
|
-
rubygems_version: 2.4.
|
|
257
|
+
rubygems_version: 2.4.5
|
|
258
258
|
signing_key:
|
|
259
259
|
specification_version: 4
|
|
260
260
|
summary: a modular Ruby webserver interface
|
|
@@ -308,4 +308,3 @@ test_files:
|
|
|
308
308
|
- test/spec_utils.rb
|
|
309
309
|
- test/spec_version.rb
|
|
310
310
|
- test/spec_webrick.rb
|
|
311
|
-
has_rdoc:
|