RubyGems - rack - Versions diffs - 2.2.6 → 2.2.6.1 - Mend

rack 2.2.6 → 2.2.6.1

This version of rack might be problematic. Click here for more details.

Files changed (5) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d54f10515698af167ad8556adf035c50ee77ce1709ae10dba45eda21053f074d
-  data.tar.gz: f6d5ba0e92c0e8e0922748a92aae4050aa634bcad66ef5b27ccc291357f80ef0
+  metadata.gz: 3954ca2ddaa60814965ba95a0b8b9c3b38f6dc6348d343f0b950f3b2780748fa
+  data.tar.gz: a9df63f5080312265894683c21ccaae362c85233112c8d34f1b1919b8c46e5b6
 SHA512:
-  metadata.gz: 7e6dc127a2d5df49186e309c2a766f0598428503a2e08308c72b7f91a3291dab391a245c61d1dcbce9a2cf0e4e30cb9d6b213949873167e10da55cd1731c2833
-  data.tar.gz: 5a995a9dceda0364ed9715c162b14b92d7cb69d8078fb565d4cf78c0a7e495760b5715ec87e2998e1a0f7350cdb126d6ec9b2178cbe511a258164f36e4f00b68
+  metadata.gz: 03cae09c56cf3e3033bd5e46eecb114931b65ce5d1cfe843a6514c55c19cb518ec7e52444bdb7976932e4647b7fb66be2100062b5ba816b65c17079139382986
+  data.tar.gz: 1b86e1c18186276473daedac322a237e48fdd51b885ae291800eb1c5500c97f468dfeb7f5a0ac89540f8e2d654e6c414cfa0bdea0fb8cccc84259387386c6f40

data/CHANGELOG.md CHANGED Viewed

@@ -2,6 +2,12 @@
 All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
+## [2.2.6.1] - 2022-01-17
+- [CVE-2022-44571] Fix ReDoS vulnerability in multipart parser
+- [CVE-2022-44570] Fix ReDoS in Rack::Utils.get_byte_ranges
+- [CVE-2022-44572] Forbid control characters in attributes (also ReDoS)
 ## [2.2.6] - 2022-01-17
 - Extend `Rack::MethodOverride` to handle `QueryParser::ParamsTooDeepError` error. ([#2011](https://github.com/rack/rack/pull/2011), [@byroot](https://github.com/byroot))

data/lib/rack/multipart.rb CHANGED Viewed

@@ -18,10 +18,10 @@ module Rack
     VALUE = /"(?:\\"|[^"])*"|#{TOKEN}/
     BROKEN = /^#{CONDISP}.*;\s*filename=(#{VALUE})/i
     MULTIPART_CONTENT_TYPE = /Content-Type: (.*)#{EOL}/ni
-    MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:.*;\s*name=(#{VALUE})/ni
+    MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:[^:]*;\s*name=(#{VALUE})/ni
     MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
     # Updated definitions from RFC 2231
-    ATTRIBUTE_CHAR = %r{[^ \t\v\n\r)(><@,;:\\"/\[\]?='*%]}
+    ATTRIBUTE_CHAR = %r{[^ \x00-\x1f\x7f)(><@,;:\\"/\[\]?='*%]}
     ATTRIBUTE = /#{ATTRIBUTE_CHAR}+/
     SECTION = /\*[0-9]+/
     REGULAR_PARAMETER_NAME = /#{ATTRIBUTE}#{SECTION}?/

data/lib/rack/version.rb CHANGED Viewed

@@ -20,7 +20,7 @@ module Rack
     VERSION.join(".")
   end
-  RELEASE = "2.2.6"
+  RELEASE = "2.2.6.1"
   # Return the Rack release as a dotted string.
   def self.release

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-  version: 2.2.6
+  version: 2.2.6.1
 platform: ruby
 authors:
 - Leah Neukirchen
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-01-16 00:00:00.000000000 Z
+date: 2023-01-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -184,7 +184,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.1
+rubygems_version: 3.1.6
 signing_key:
 specification_version: 4
 summary: A modular Ruby webserver interface.