rack 2.1.4.1 → 2.1.4.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 328f3d4ad7c94b2662ae35cc3633d67060bac8f0acf2728c414094a3c0c3c001
-  data.tar.gz: 00f0493d8fa4c8393059d9b3d8da2e0e6401cec2e734daee5ee9c806648a3878
+  metadata.gz: edbcf6126aae323681d2fdc8e61fbbc036661d3354419ac07a389499c9f2f04a
+  data.tar.gz: a1071b44bbf6fa93a58ad2739f9df6f9450666c18aa94e7c69b8e813f3c290a4
 SHA512:
-  metadata.gz: d2987fc196b4eb837e26917c2b8deadfbbd58ff3909a6e12acf3e9bef334d1d0da36bf1d08f10054bee2b57e4e2872dd64964d73ce225cdf028402ec5d52db05
-  data.tar.gz: e6276012db31f2c93f433d40c9d3be4beb7999d974d9d1f33eb830d4a4953f6e94840533917dd2e0eddd73e9d95e71f56a3fa72599f70796ecf88fe88677fcd1
+  metadata.gz: 555cbd0c544abc9102e68450e0e2f7a1a6a758adac673087562419bd85073b5d4130c6446349a1efb68f0cd13ae94863eb083d3e528ec12d6c9e0d71c7047dd1
+  data.tar.gz: 6028521bbb96e209dde73311e30e614f680359ded81465bb23723a45ada328c661104a7487bf5cebc238831504a4e5f370a763769a4dd50d7df1b524da27c24d

data/CHANGELOG.md

@@ -1,3 +1,9 @@
+## [2.1.4.2] - 2022-01-17
+
+- [CVE-2022-44571] Fix ReDoS vulnerability in multipart parser
+- [CVE-2022-44570] Fix ReDoS in Rack::Utils.get_byte_ranges
+- [CVE-2022-44572] Forbid control characters in attributes (also ReDoS)
+
 ## [2.1.4.1] - 2022-05-27
 
 - [CVE-2022-30123] Fix shell escaping issue in Common Logger

data/lib/rack/multipart.rb

@@ -18,10 +18,10 @@ module Rack
     VALUE = /"(?:\\"|[^"])*"|#{TOKEN}/
     BROKEN = /^#{CONDISP}.*;\s*filename=(#{VALUE})/i
     MULTIPART_CONTENT_TYPE = /Content-Type: (.*)#{EOL}/ni
-    MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:.*;\s*name=(#{VALUE})/ni
+    MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:[^:]*;\s*name=(#{VALUE})/ni
     MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
     # Updated definitions from RFC 2231
-    ATTRIBUTE_CHAR = %r{[^ \t\v\n\r)(><@,;:\\"/\[\]?='*%]}
+    ATTRIBUTE_CHAR = %r{[^ \x00-\x1f\x7f)(><@,;:\\"/\[\]?='*%]}
     ATTRIBUTE = /#{ATTRIBUTE_CHAR}+/
     SECTION = /\*[0-9]+/
     REGULAR_PARAMETER_NAME = /#{ATTRIBUTE}#{SECTION}?/

data/lib/rack/utils.rb

@@ -350,17 +350,18 @@ module Rack
       return nil unless http_range && http_range =~ /bytes=([^;]+)/
       ranges = []
       $1.split(/,\s*/).each do |range_spec|
-        return nil  unless range_spec =~ /(\d*)-(\d*)/
-        r0, r1 = $1, $2
-        if r0.empty?
-          return nil  if r1.empty?
+        return nil unless range_spec.include?('-')
+        range = range_spec.split('-')
+        r0, r1 = range[0], range[1]
+        if r0.nil? || r0.empty?
+          return nil if r1.nil?
           # suffix-byte-range-spec, represents trailing suffix of file
           r0 = size - r1.to_i
           r0 = 0  if r0 < 0
           r1 = size - 1
         else
           r0 = r0.to_i
-          if r1.empty?
+          if r1.nil?
             r1 = size - 1
           else
             r1 = r1.to_i

data/lib/rack.rb

@@ -20,7 +20,7 @@ module Rack
     VERSION.join(".")
   end
 
-  RELEASE = "2.1.4.1"
+  RELEASE = "2.1.4.2"
 
   # Return the Rack release as a dotted string.
   def self.release

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-  version: 2.1.4.1
+  version: 2.1.4.2
 platform: ruby
 authors:
 - Leah Neukirchen
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-05-27 00:00:00.000000000 Z
+date: 2023-01-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -170,7 +170,7 @@ metadata:
   homepage_uri: https://rack.github.io
   mailing_list_uri: https://groups.google.com/forum/#!forum/rack-devel
   source_code_uri: https://github.com/rack/rack
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -185,8 +185,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3.1
-signing_key: 
+rubygems_version: 3.1.6
+signing_key:
 specification_version: 4
 summary: a modular Ruby webserver interface
 test_files: []