rack 2.2.3 → 2.2.3.1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of rack might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +5 -0
- data/SPEC.rdoc +5 -9
- data/lib/rack/common_logger.rb +3 -0
- data/lib/rack/lint.rb +1 -1
- data/lib/rack/multipart/parser.rb +2 -1
- data/lib/rack/multipart.rb +1 -2
- data/lib/rack/version.rb +1 -1
- metadata +6 -6
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: cd07394d5db5fbf3068cc076eea4059190c06a6e466de13383400bec4ff12e52
|
|
4
|
+
data.tar.gz: ae077819a035b88761b3fffe4f48d948c05e88d2b4942a6589216d929936a47d
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 405db34fbc0eca9a8cf15a7887c73a939b33fc25b1283fbc4791a2fbd25053565a19ad891c0b3704b0120157b118997a08b627b856de1dfc088705759930ced2
|
|
7
|
+
data.tar.gz: 98d7b2f6277118a8fa4b7dd7f43eafbc5c4724474b1bb481f798df97b688ec13b61d821d62c04f5839a96ffd298d4a6a2e22f6e2be6d54b0f8485bee37372bc7
|
data/CHANGELOG.md
CHANGED
|
@@ -2,6 +2,11 @@
|
|
|
2
2
|
|
|
3
3
|
All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
|
|
4
4
|
|
|
5
|
+
## [2.2.3.1] - 2022-05-27
|
|
6
|
+
|
|
7
|
+
- [CVE-2022-30123] Fix shell escaping issue in Common Logger
|
|
8
|
+
- [CVE-2022-30122] Restrict parsing of broken MIME attachments
|
|
9
|
+
|
|
5
10
|
## [2.2.3] - 2020-02-11
|
|
6
11
|
|
|
7
12
|
- [CVE-2020-8184] Only decode cookie values
|
data/SPEC.rdoc
CHANGED
|
@@ -42,18 +42,17 @@ below.
|
|
|
42
42
|
<tt>QUERY_STRING</tt>:: The portion of the request URL that
|
|
43
43
|
follows the <tt>?</tt>, if any. May be
|
|
44
44
|
empty, but is always required!
|
|
45
|
-
<tt>SERVER_NAME</tt
|
|
45
|
+
<tt>SERVER_NAME</tt>, <tt>SERVER_PORT</tt>::
|
|
46
|
+
When combined with <tt>SCRIPT_NAME</tt> and
|
|
46
47
|
<tt>PATH_INFO</tt>, these variables can be
|
|
47
48
|
used to complete the URL. Note, however,
|
|
48
49
|
that <tt>HTTP_HOST</tt>, if present,
|
|
49
50
|
should be used in preference to
|
|
50
51
|
<tt>SERVER_NAME</tt> for reconstructing
|
|
51
52
|
the request URL.
|
|
52
|
-
<tt>SERVER_NAME</tt>
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
server is running on. Should be specified if
|
|
56
|
-
the server is running on a non-standard port.
|
|
53
|
+
<tt>SERVER_NAME</tt> and <tt>SERVER_PORT</tt>
|
|
54
|
+
can never be empty strings, and so
|
|
55
|
+
are always required.
|
|
57
56
|
<tt>HTTP_</tt> Variables:: Variables corresponding to the
|
|
58
57
|
client-supplied HTTP request
|
|
59
58
|
headers (i.e., variables whose
|
|
@@ -123,9 +122,6 @@ and should be prefixed uniquely. The prefix <tt>rack.</tt>
|
|
|
123
122
|
is reserved for use with the Rack core distribution and other
|
|
124
123
|
accepted specifications and must not be used otherwise.
|
|
125
124
|
|
|
126
|
-
The <tt>SERVER_PORT</tt> must be an Integer if set.
|
|
127
|
-
The <tt>SERVER_NAME</tt> must be a valid authority as defined by RFC7540.
|
|
128
|
-
The <tt>HTTP_HOST</tt> must be a valid authority as defined by RFC7540.
|
|
129
125
|
The environment must not contain the keys
|
|
130
126
|
<tt>HTTP_CONTENT_TYPE</tt> or <tt>HTTP_CONTENT_LENGTH</tt>
|
|
131
127
|
(use the versions without <tt>HTTP_</tt>).
|
data/lib/rack/common_logger.rb
CHANGED
|
@@ -60,7 +60,10 @@ module Rack
|
|
|
60
60
|
length,
|
|
61
61
|
Utils.clock_time - began_at ]
|
|
62
62
|
|
|
63
|
+
msg.gsub!(/[^[:print:]\n]/) { |c| "\\x#{c.ord}" }
|
|
64
|
+
|
|
63
65
|
logger = @logger || env[RACK_ERRORS]
|
|
66
|
+
|
|
64
67
|
# Standard library logger doesn't support write but it supports << which actually
|
|
65
68
|
# calls to write on the log device without formatting
|
|
66
69
|
if logger.respond_to?(:write)
|
data/lib/rack/lint.rb
CHANGED
|
@@ -337,7 +337,7 @@ module Rack
|
|
|
337
337
|
check_hijack env
|
|
338
338
|
|
|
339
339
|
## * The <tt>REQUEST_METHOD</tt> must be a valid token.
|
|
340
|
-
assert("REQUEST_METHOD unknown: #{env[REQUEST_METHOD]}") {
|
|
340
|
+
assert("REQUEST_METHOD unknown: #{env[REQUEST_METHOD].dump}") {
|
|
341
341
|
env[REQUEST_METHOD] =~ /\A[0-9A-Za-z!\#$%&'*+.^_`|~-]+\z/
|
|
342
342
|
}
|
|
343
343
|
|
|
@@ -301,8 +301,9 @@ module Rack
|
|
|
301
301
|
elsif filename = params['filename*']
|
|
302
302
|
encoding, _, filename = filename.split("'", 3)
|
|
303
303
|
end
|
|
304
|
-
when
|
|
304
|
+
when BROKEN
|
|
305
305
|
filename = $1
|
|
306
|
+
filename = $1 if filename =~ /^"(.*)"$/
|
|
306
307
|
end
|
|
307
308
|
|
|
308
309
|
return unless filename
|
data/lib/rack/multipart.rb
CHANGED
|
@@ -16,8 +16,7 @@ module Rack
|
|
|
16
16
|
TOKEN = /[^\s()<>,;:\\"\/\[\]?=]+/
|
|
17
17
|
CONDISP = /Content-Disposition:\s*#{TOKEN}\s*/i
|
|
18
18
|
VALUE = /"(?:\\"|[^"])*"|#{TOKEN}/
|
|
19
|
-
|
|
20
|
-
BROKEN_UNQUOTED = /^#{CONDISP}.*;\s*filename=(#{TOKEN})/i
|
|
19
|
+
BROKEN = /^#{CONDISP}.*;\s*filename=(#{VALUE})/i
|
|
21
20
|
MULTIPART_CONTENT_TYPE = /Content-Type: (.*)#{EOL}/ni
|
|
22
21
|
MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:.*;\s*name=(#{VALUE})/ni
|
|
23
22
|
MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
|
data/lib/rack/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rack
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.2.3
|
|
4
|
+
version: 2.2.3.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Leah Neukirchen
|
|
8
|
-
autorequire:
|
|
8
|
+
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2022-05-27 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: minitest
|
|
@@ -169,7 +169,7 @@ metadata:
|
|
|
169
169
|
changelog_uri: https://github.com/rack/rack/blob/master/CHANGELOG.md
|
|
170
170
|
documentation_uri: https://rubydoc.info/github/rack/rack
|
|
171
171
|
source_code_uri: https://github.com/rack/rack
|
|
172
|
-
post_install_message:
|
|
172
|
+
post_install_message:
|
|
173
173
|
rdoc_options: []
|
|
174
174
|
require_paths:
|
|
175
175
|
- lib
|
|
@@ -184,8 +184,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
184
184
|
- !ruby/object:Gem::Version
|
|
185
185
|
version: '0'
|
|
186
186
|
requirements: []
|
|
187
|
-
rubygems_version: 3.
|
|
188
|
-
signing_key:
|
|
187
|
+
rubygems_version: 3.0.3.1
|
|
188
|
+
signing_key:
|
|
189
189
|
specification_version: 4
|
|
190
190
|
summary: A modular Ruby webserver interface.
|
|
191
191
|
test_files: []
|