rack 3.1.19 → 3.1.20
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +7 -0
- data/lib/rack/directory.rb +5 -2
- data/lib/rack/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: a488ddfe5c740f9e46a70c38210547991b02820facbdcc083dcfc8819c356a13
|
|
4
|
+
data.tar.gz: b8725e15bfe9c87116be051393bfb50347be679eabd108ee8cfefc8a0fa31925
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 0af4c23fa7431ad434e0ea9dad90ced022c47bff29bf8a161b3f7feb107ae7ee0ff69c487548d0da29c80cee24848c2922b6d78e3da14687212a57fa61a16f84
|
|
7
|
+
data.tar.gz: 1ef0da78779595bc3f56d80b9959feb0a725b2190d717a2c4df9ef5c04bb76bbf1888297383a9cb058974e3107d693e8779b2410b55869da4916367bce091b0f
|
data/CHANGELOG.md
CHANGED
|
@@ -2,6 +2,13 @@
|
|
|
2
2
|
|
|
3
3
|
All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
|
|
4
4
|
|
|
5
|
+
## Unreleased
|
|
6
|
+
|
|
7
|
+
### Security
|
|
8
|
+
|
|
9
|
+
- [CVE-2026-25500](https://github.com/advisories/GHSA-whrj-4476-wvmp) XSS injection via malicious filename in `Rack::Directory`.
|
|
10
|
+
- [CVE-2026-22860](https://github.com/advisories/GHSA-mxw3-3hh2-x2mh) Directory traversal via root prefix bypass in `Rack::Directory`.
|
|
11
|
+
|
|
5
12
|
## [3.1.19] - 2025-11-03
|
|
6
13
|
|
|
7
14
|
### Fixed
|
data/lib/rack/directory.rb
CHANGED
|
@@ -17,7 +17,7 @@ module Rack
|
|
|
17
17
|
# If +app+ is not specified, a Rack::Files of the same +root+ will be used.
|
|
18
18
|
|
|
19
19
|
class Directory
|
|
20
|
-
DIR_FILE = "<tr><td class='name'><a href='
|
|
20
|
+
DIR_FILE = "<tr><td class='name'><a href='./%s'>%s</a></td><td class='size'>%s</td><td class='type'>%s</td><td class='mtime'>%s</td></tr>\n"
|
|
21
21
|
DIR_PAGE_HEADER = <<-PAGE
|
|
22
22
|
<html><head>
|
|
23
23
|
<title>%s</title>
|
|
@@ -82,6 +82,7 @@ table { width:100%%; }
|
|
|
82
82
|
# Set the root directory and application for serving files.
|
|
83
83
|
def initialize(root, app = nil)
|
|
84
84
|
@root = ::File.expand_path(root)
|
|
85
|
+
@root_with_separator = @root.end_with?(::File::SEPARATOR) ? @root : "#{@root}#{::File::SEPARATOR}"
|
|
85
86
|
@app = app || Files.new(@root)
|
|
86
87
|
@head = Head.new(method(:get))
|
|
87
88
|
end
|
|
@@ -118,7 +119,9 @@ table { width:100%%; }
|
|
|
118
119
|
# Rack response to use for requests with paths outside the root, or nil if path is inside the root.
|
|
119
120
|
def check_forbidden(path_info)
|
|
120
121
|
return unless path_info.include? ".."
|
|
121
|
-
|
|
122
|
+
|
|
123
|
+
expanded_path = ::File.expand_path(::File.join(@root, path_info))
|
|
124
|
+
return if expanded_path == @root || expanded_path.start_with?(@root_with_separator)
|
|
122
125
|
|
|
123
126
|
body = "Forbidden\n"
|
|
124
127
|
[403, { CONTENT_TYPE => "text/plain",
|
data/lib/rack/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rack
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.1.
|
|
4
|
+
version: 3.1.20
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Leah Neukirchen
|
|
@@ -156,7 +156,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
156
156
|
- !ruby/object:Gem::Version
|
|
157
157
|
version: '0'
|
|
158
158
|
requirements: []
|
|
159
|
-
rubygems_version:
|
|
159
|
+
rubygems_version: 4.0.3
|
|
160
160
|
specification_version: 4
|
|
161
161
|
summary: A modular Ruby webserver interface.
|
|
162
162
|
test_files: []
|