rack 2.0.9 → 2.0.9.1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of rack might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/HISTORY.md +5 -0
- data/SPEC +7 -8
- data/lib/rack/common_logger.rb +3 -0
- data/lib/rack/lint.rb +1 -1
- data/lib/rack/multipart/parser.rb +2 -1
- data/lib/rack/multipart.rb +1 -2
- data/lib/rack.rb +1 -1
- data/test/cgi/test.gz +0 -0
- data/test/multipart/filename_with_escaped_quotes_and_modification_param +1 -1
- data/test/spec_common_logger.rb +12 -0
- data/test/spec_lint.rb +5 -0
- data/test/spec_multipart.rb +1 -14
- metadata +3 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 3d7540b6cecf9193ad7a6ca8f1be4e4a97cf56b3d9a54d420b21ca164af57b66
|
|
4
|
+
data.tar.gz: b966e0e74ffe6c9b813bbbb222ec3d5ff5b331878feb57440c23a74ebf93197d
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: e9d484bfb940bb4894a9c4be9cf7c88f5b7d13c55bbd1b7dfc110b6dee577d6aa724614ec7e9f3861f860e4d699933ee49b5e32fca1affdae6541f459176260a
|
|
7
|
+
data.tar.gz: 4ddec5784e6318979bfcefd89c12882f2da022ddb216e99df6d570871e35b9ba9f693872245f031a3fb8505361b966b41dae0d32b180fcb53a8bdec1f329f57f
|
data/HISTORY.md
CHANGED
|
@@ -1,3 +1,8 @@
|
|
|
1
|
+
Fri May 27 08:27:04 2022 Aaron Patterson <tenderlove@ruby-lang.org>
|
|
2
|
+
|
|
3
|
+
* [CVE-2022-30123] Fix shell escaping issue in Common Logger
|
|
4
|
+
* [CVE-2022-30122] Restrict parsing of broken MIME attachments
|
|
5
|
+
|
|
1
6
|
Sun Dec 4 18:48:03 2015 Jeremy Daer <jeremydaer@gmail.com>
|
|
2
7
|
|
|
3
8
|
* First-party "SameSite" cookies. Browsers omit SameSite cookies
|
data/SPEC
CHANGED
|
@@ -60,8 +60,8 @@ below.
|
|
|
60
60
|
the presence or absence of the
|
|
61
61
|
appropriate HTTP header in the
|
|
62
62
|
request. See
|
|
63
|
-
|
|
64
|
-
RFC3875 section 4.1.18
|
|
63
|
+
{https://tools.ietf.org/html/rfc3875#section-4.1.18
|
|
64
|
+
RFC3875 section 4.1.18} for
|
|
65
65
|
specific behavior.
|
|
66
66
|
In addition to this, the Rack environment must include these
|
|
67
67
|
Rack-specific variables:
|
|
@@ -98,13 +98,12 @@ Rack-specific variables:
|
|
|
98
98
|
Additional environment specifications have approved to
|
|
99
99
|
standardized middleware APIs. None of these are required to
|
|
100
100
|
be implemented by the server.
|
|
101
|
-
<tt>rack.session</tt>:: A hash like interface for storing
|
|
102
|
-
request session data.
|
|
101
|
+
<tt>rack.session</tt>:: A hash like interface for storing request session data.
|
|
103
102
|
The store must implement:
|
|
104
|
-
|
|
105
|
-
|
|
106
|
-
|
|
107
|
-
|
|
103
|
+
store(key, value) (aliased as []=);
|
|
104
|
+
fetch(key, default = nil) (aliased as []);
|
|
105
|
+
delete(key);
|
|
106
|
+
clear;
|
|
108
107
|
<tt>rack.logger</tt>:: A common object interface for logging messages.
|
|
109
108
|
The object must implement:
|
|
110
109
|
info(message, &block)
|
data/lib/rack/common_logger.rb
CHANGED
|
@@ -54,7 +54,10 @@ module Rack
|
|
|
54
54
|
length,
|
|
55
55
|
now - began_at ]
|
|
56
56
|
|
|
57
|
+
msg.gsub!(/[^[:print:]\n]/) { |c| "\\x#{c.ord}" }
|
|
58
|
+
|
|
57
59
|
logger = @logger || env[RACK_ERRORS]
|
|
60
|
+
|
|
58
61
|
# Standard library logger doesn't support write but it supports << which actually
|
|
59
62
|
# calls to write on the log device without formatting
|
|
60
63
|
if logger.respond_to?(:write)
|
data/lib/rack/lint.rb
CHANGED
|
@@ -295,7 +295,7 @@ module Rack
|
|
|
295
295
|
check_hijack env
|
|
296
296
|
|
|
297
297
|
## * The <tt>REQUEST_METHOD</tt> must be a valid token.
|
|
298
|
-
assert("REQUEST_METHOD unknown: #{env[REQUEST_METHOD]}") {
|
|
298
|
+
assert("REQUEST_METHOD unknown: #{env[REQUEST_METHOD].dump}") {
|
|
299
299
|
env[REQUEST_METHOD] =~ /\A[0-9A-Za-z!\#$%&'*+.^_`|~-]+\z/
|
|
300
300
|
}
|
|
301
301
|
|
|
@@ -302,8 +302,9 @@ module Rack
|
|
|
302
302
|
elsif filename = params['filename*']
|
|
303
303
|
encoding, _, filename = filename.split("'", 3)
|
|
304
304
|
end
|
|
305
|
-
when
|
|
305
|
+
when BROKEN
|
|
306
306
|
filename = $1
|
|
307
|
+
filename = $1 if filename =~ /^"(.*)"$/
|
|
307
308
|
end
|
|
308
309
|
|
|
309
310
|
return unless filename
|
data/lib/rack/multipart.rb
CHANGED
|
@@ -14,8 +14,7 @@ module Rack
|
|
|
14
14
|
TOKEN = /[^\s()<>,;:\\"\/\[\]?=]+/
|
|
15
15
|
CONDISP = /Content-Disposition:\s*#{TOKEN}\s*/i
|
|
16
16
|
VALUE = /"(?:\\"|[^"])*"|#{TOKEN}/
|
|
17
|
-
|
|
18
|
-
BROKEN_UNQUOTED = /^#{CONDISP}.*;\sfilename=(#{TOKEN})/i
|
|
17
|
+
BROKEN = /^#{CONDISP}.*;\s*filename=(#{VALUE})/i
|
|
19
18
|
MULTIPART_CONTENT_TYPE = /Content-Type: (.*)#{EOL}/ni
|
|
20
19
|
MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:.*\s+name=(#{VALUE})/ni
|
|
21
20
|
MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
|
data/lib/rack.rb
CHANGED
data/test/cgi/test.gz
CHANGED
|
File without changes
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
--AaB03x
|
|
2
2
|
Content-Type: image/jpeg
|
|
3
|
-
Content-Disposition: attachment; name="files"; filename=""human" genome.jpeg"; modification-date="Wed, 12 Feb 1997 16:29:51 -0500";
|
|
3
|
+
Content-Disposition: attachment; name="files"; filename="\"human\" genome.jpeg"; modification-date="Wed, 12 Feb 1997 16:29:51 -0500";
|
|
4
4
|
Content-Description: a complete map of the human genome
|
|
5
5
|
|
|
6
6
|
contents
|
data/test/spec_common_logger.rb
CHANGED
|
@@ -21,6 +21,10 @@ describe Rack::CommonLogger do
|
|
|
21
21
|
[200,
|
|
22
22
|
{"Content-Type" => "text/html", "Content-Length" => "0"},
|
|
23
23
|
[]]}
|
|
24
|
+
app_without_lint = lambda { |env|
|
|
25
|
+
[200,
|
|
26
|
+
{ "content-type" => "text/html", "content-length" => length.to_s },
|
|
27
|
+
[obj]]}
|
|
24
28
|
|
|
25
29
|
it "log to rack.errors by default" do
|
|
26
30
|
res = Rack::MockRequest.new(Rack::CommonLogger.new(app)).get("/")
|
|
@@ -85,6 +89,14 @@ describe Rack::CommonLogger do
|
|
|
85
89
|
(0..1).must_include duration.to_f
|
|
86
90
|
end
|
|
87
91
|
|
|
92
|
+
it "escapes non printable characters except newline" do
|
|
93
|
+
logdev = StringIO.new
|
|
94
|
+
log = Logger.new(logdev)
|
|
95
|
+
Rack::MockRequest.new(Rack::CommonLogger.new(app_without_lint, log)).request("GET\b", "/hello")
|
|
96
|
+
|
|
97
|
+
logdev.string.must_match(/GET\\x8 \/hello/)
|
|
98
|
+
end
|
|
99
|
+
|
|
88
100
|
def length
|
|
89
101
|
123
|
|
90
102
|
end
|
data/test/spec_lint.rb
CHANGED
|
@@ -96,6 +96,11 @@ describe Rack::Lint do
|
|
|
96
96
|
}.must_raise(Rack::Lint::LintError).
|
|
97
97
|
message.must_match(/REQUEST_METHOD/)
|
|
98
98
|
|
|
99
|
+
lambda {
|
|
100
|
+
Rack::Lint.new(nil).call(env("REQUEST_METHOD" => "OOPS?\b!"))
|
|
101
|
+
}.must_raise(Rack::Lint::LintError).
|
|
102
|
+
message.must_match(/OOPS\?\\/)
|
|
103
|
+
|
|
99
104
|
lambda {
|
|
100
105
|
Rack::Lint.new(nil).call(env("SCRIPT_NAME" => "howdy"))
|
|
101
106
|
}.must_raise(Rack::Lint::LintError).
|
data/test/spec_multipart.rb
CHANGED
|
@@ -381,19 +381,6 @@ describe Rack::Multipart do
|
|
|
381
381
|
params["files"][:tempfile].read.must_equal "contents"
|
|
382
382
|
end
|
|
383
383
|
|
|
384
|
-
it "parse filename with unescaped quotes" do
|
|
385
|
-
env = Rack::MockRequest.env_for("/", multipart_fixture(:filename_with_unescaped_quotes))
|
|
386
|
-
params = Rack::Multipart.parse_multipart(env)
|
|
387
|
-
params["files"][:type].must_equal "application/octet-stream"
|
|
388
|
-
params["files"][:filename].must_equal "escape \"quotes"
|
|
389
|
-
params["files"][:head].must_equal "Content-Disposition: form-data; " +
|
|
390
|
-
"name=\"files\"; " +
|
|
391
|
-
"filename=\"escape \"quotes\"\r\n" +
|
|
392
|
-
"Content-Type: application/octet-stream\r\n"
|
|
393
|
-
params["files"][:name].must_equal "files"
|
|
394
|
-
params["files"][:tempfile].read.must_equal "contents"
|
|
395
|
-
end
|
|
396
|
-
|
|
397
384
|
it "parse filename with escaped quotes and modification param" do
|
|
398
385
|
env = Rack::MockRequest.env_for("/", multipart_fixture(:filename_with_escaped_quotes_and_modification_param))
|
|
399
386
|
params = Rack::Multipart.parse_multipart(env)
|
|
@@ -402,7 +389,7 @@ describe Rack::Multipart do
|
|
|
402
389
|
params["files"][:head].must_equal "Content-Type: image/jpeg\r\n" +
|
|
403
390
|
"Content-Disposition: attachment; " +
|
|
404
391
|
"name=\"files\"; " +
|
|
405
|
-
"filename=\"
|
|
392
|
+
"filename=\"\\\"human\\\" genome.jpeg\"; " +
|
|
406
393
|
"modification-date=\"Wed, 12 Feb 1997 16:29:51 -0500\";\r\n" +
|
|
407
394
|
"Content-Description: a complete map of the human genome\r\n"
|
|
408
395
|
params["files"][:name].must_equal "files"
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rack
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.0.9
|
|
4
|
+
version: 2.0.9.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Leah Neukirchen
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2022-05-27 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: minitest
|
|
@@ -275,7 +275,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
275
275
|
- !ruby/object:Gem::Version
|
|
276
276
|
version: '0'
|
|
277
277
|
requirements: []
|
|
278
|
-
rubygems_version: 3.1
|
|
278
|
+
rubygems_version: 3.0.3.1
|
|
279
279
|
signing_key:
|
|
280
280
|
specification_version: 4
|
|
281
281
|
summary: a modular Ruby webserver interface
|