rack 2.0.9.1 → 2.0.9.2
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of rack might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/HISTORY.md +6 -0
- data/lib/rack/multipart.rb +2 -2
- data/lib/rack/utils.rb +6 -5
- data/lib/rack.rb +1 -1
- metadata +6 -6
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: bc237005e0685c87558593892557c95cd2b19a69344a5e7730861c4737710068
|
|
4
|
+
data.tar.gz: c6f06fabfb75b648b39013635615bb0c234b46e06bb21ee0d34fa984bc8a4327
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 91d96b990c872a04ed4dfc6eeea2ee24c7229d1bc382fb19ee56a2d63df67ef155e76e2ff760b5fce600101bf49f4359ed021959f1d72789821c71db4653e67a
|
|
7
|
+
data.tar.gz: bf4aceee4f04788e44dac8838ff210be458f6869264c380da218ad1d8f60651900212c6f2b6e1909666d9861a2d7865a85da8b4ff836b5ad075d3fe7cf9293f2
|
data/HISTORY.md
CHANGED
|
@@ -1,3 +1,9 @@
|
|
|
1
|
+
Tue Jan 17 12:27:04 2023 Aaron Patterson <tenderlove@ruby-lang.org>
|
|
2
|
+
|
|
3
|
+
* [CVE-2022-44571] Fix ReDoS vulnerability in multipart parser
|
|
4
|
+
* [CVE-2022-44570] Fix ReDoS in Rack::Utils.get_byte_ranges
|
|
5
|
+
* [CVE-2022-44572] Forbid control characters in attributes (also ReDoS)
|
|
6
|
+
|
|
1
7
|
Fri May 27 08:27:04 2022 Aaron Patterson <tenderlove@ruby-lang.org>
|
|
2
8
|
|
|
3
9
|
* [CVE-2022-30123] Fix shell escaping issue in Common Logger
|
data/lib/rack/multipart.rb
CHANGED
|
@@ -16,10 +16,10 @@ module Rack
|
|
|
16
16
|
VALUE = /"(?:\\"|[^"])*"|#{TOKEN}/
|
|
17
17
|
BROKEN = /^#{CONDISP}.*;\s*filename=(#{VALUE})/i
|
|
18
18
|
MULTIPART_CONTENT_TYPE = /Content-Type: (.*)#{EOL}/ni
|
|
19
|
-
MULTIPART_CONTENT_DISPOSITION = /Content-Disposition
|
|
19
|
+
MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:[^:]*;\s+name=(#{VALUE})/ni
|
|
20
20
|
MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
|
|
21
21
|
# Updated definitions from RFC 2231
|
|
22
|
-
ATTRIBUTE_CHAR = %r{[^ \
|
|
22
|
+
ATTRIBUTE_CHAR = %r{[^ \x00-\x1f\x7f)(><@,;:\\"/\[\]?='*%]}
|
|
23
23
|
ATTRIBUTE = /#{ATTRIBUTE_CHAR}+/
|
|
24
24
|
SECTION = /\*[0-9]+/
|
|
25
25
|
REGULAR_PARAMETER_NAME = /#{ATTRIBUTE}#{SECTION}?/
|
data/lib/rack/utils.rb
CHANGED
|
@@ -365,17 +365,18 @@ module Rack
|
|
|
365
365
|
return nil unless http_range && http_range =~ /bytes=([^;]+)/
|
|
366
366
|
ranges = []
|
|
367
367
|
$1.split(/,\s*/).each do |range_spec|
|
|
368
|
-
return nil
|
|
369
|
-
|
|
370
|
-
|
|
371
|
-
|
|
368
|
+
return nil unless range_spec.include?('-')
|
|
369
|
+
range = range_spec.split('-')
|
|
370
|
+
r0, r1 = range[0], range[1]
|
|
371
|
+
if r0.nil? || r0.empty?
|
|
372
|
+
return nil if r1.nil?
|
|
372
373
|
# suffix-byte-range-spec, represents trailing suffix of file
|
|
373
374
|
r0 = size - r1.to_i
|
|
374
375
|
r0 = 0 if r0 < 0
|
|
375
376
|
r1 = size - 1
|
|
376
377
|
else
|
|
377
378
|
r0 = r0.to_i
|
|
378
|
-
if r1.
|
|
379
|
+
if r1.nil?
|
|
379
380
|
r1 = size - 1
|
|
380
381
|
else
|
|
381
382
|
r1 = r1.to_i
|
data/lib/rack.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rack
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.0.9.
|
|
4
|
+
version: 2.0.9.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Leah Neukirchen
|
|
8
|
-
autorequire:
|
|
8
|
+
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2023-01-17 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: minitest
|
|
@@ -260,7 +260,7 @@ homepage: https://rack.github.io/
|
|
|
260
260
|
licenses:
|
|
261
261
|
- MIT
|
|
262
262
|
metadata: {}
|
|
263
|
-
post_install_message:
|
|
263
|
+
post_install_message:
|
|
264
264
|
rdoc_options: []
|
|
265
265
|
require_paths:
|
|
266
266
|
- lib
|
|
@@ -275,8 +275,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
275
275
|
- !ruby/object:Gem::Version
|
|
276
276
|
version: '0'
|
|
277
277
|
requirements: []
|
|
278
|
-
rubygems_version: 3.
|
|
279
|
-
signing_key:
|
|
278
|
+
rubygems_version: 3.1.6
|
|
279
|
+
signing_key:
|
|
280
280
|
specification_version: 4
|
|
281
281
|
summary: a modular Ruby webserver interface
|
|
282
282
|
test_files:
|