RubyGems - rack - Versions diffs - 3.1.4 → 3.1.5 - Mend

rack 3.1.4 → 3.1.5

Files changed (5) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d917c34d2fcdaa2370573215d80d8cae52d56db08a1dc3beb404cab4eb22456d
-  data.tar.gz: e73e6d8c063583b0a0b41a8559ac4791e097ddd1bf3a80285df04198ad7f4c7f
+  metadata.gz: 3c10c6fa362f15e1169822a88e4fe9edfa36b01e48ba5d338bf55e94889a097f
+  data.tar.gz: c205f62d2490fda13b70cc5d0b3be62af5cad3efa950d5ceabc0e1980d3fef83
 SHA512:
-  metadata.gz: 297f63ac060e32452f551675b1de70d988db2e3dd0bfa9f84209c5bb4e607ddec895bf92c350220a70ecf3f0b51a911a1f93844ff542cd9ba7102b151acf0e8c
-  data.tar.gz: da58b8eb44af3347196d6b965158a90141860ad064bb500c845b80b585953f6f074817c59798f534b71cd8a65814420da519a1157bde86f97f4d0ff67014d41c
+  metadata.gz: 466e3dd3536d81196d86f1cc0a3fa8e833cfe96b523843160aef33267aab0e0e46501d5f163f2a72d4e3401385c43312237f67da26932b2d192c9d1bfb3dcfdc
+  data.tar.gz: 3bcf798901aeaa5a94524864925160077f07ac26ebaa9e3ad6b080afbe45fb0a7f1f9ee89d990720aeae7d5b8dd73e2e1bf82a264323649219b59682b56cc09a

data/CHANGELOG.md CHANGED Viewed

@@ -2,6 +2,12 @@
 All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
+## [3.1.5] - 2024-07-02
+### Security
+- Fix potential ReDoS attack in `Rack::Request#parse_http_accept_header`. ([GHSA-cj83-2ww7-mvq7](https://github.com/rack/rack/security/advisories/GHSA-cj83-2ww7-mvq7), [@dwisiswant0](https://github.com/dwisiswant0))
 ## [3.1.4] - 2024-06-22
 ### Fixed
@@ -131,7 +137,7 @@ All notable changes to this project will be documented in this file. For info on
 - `Rack::URLMap` uses non-deprecated form of `Regexp.new`. ([#1998](https://github.com/rack/rack/pull/1998), [@weizheheng](https://github.com/weizheheng))
-## [3.0.2] -2022-12-05
+## [3.0.2] - 2022-12-05
 ### Fixed

data/lib/rack/request.rb CHANGED Viewed

@@ -642,8 +642,10 @@ module Rack
       end
       def parse_http_accept_header(header)
-        header.to_s.split(/\s*,\s*/).map do |part|
-          attribute, parameters = part.split(/\s*;\s*/, 2)
+        header.to_s.split(',').map do |part|
+          attribute, parameters = part.split(';', 2)
+          attribute.strip!
+          parameters&.strip!
           quality = 1.0
           if parameters and /\Aq=([\d.]+)/ =~ parameters
             quality = $1.to_f

data/lib/rack/version.rb CHANGED Viewed

@@ -12,7 +12,7 @@
 # so it should be enough just to <tt>require 'rack'</tt> in your code.
 module Rack
-  RELEASE = "3.1.4"
+  RELEASE = "3.1.5"
   # Return the Rack release as a dotted string.
   def self.release

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-  version: 3.1.4
+  version: 3.1.5
 platform: ruby
 authors:
 - Leah Neukirchen
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-06-22 00:00:00.000000000 Z
+date: 2024-07-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest