rack 3.2.5 → 3.2.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: dcab43418ebec9227dad4a8e8fbfeb403097a3c34bcebc63a230350984c68ab9
-  data.tar.gz: 6b82c8e25fa9bc835cfe24a05da9731bd9a0654b40a56a01c6f77ac7fc7029f4
+  metadata.gz: 37024c5110b365f1dd0b5627dd903edf42344fa9ad98a99af672e220d2370288
+  data.tar.gz: d0bd60323a75ff2828b33713963dcb5769898abc82a7ab3c2b9ac4ad36550b88
 SHA512:
-  metadata.gz: a727df6903901d26a8d4e031302cb0c5b45134b9e31b2443b6e4d4a595233f4d18d58ff265cafbd9e344e4b7958fd3d27b6e46d57c6f37c9744617da8eba6db4
-  data.tar.gz: 8c914906cc9c4d0610ab8dc0de815cb714311261dc50ef6d1a6c1b5ecacd9d3f58e477014176a0044dd1f1dd24ecc55554eb6eebe78995205bd6c47bee83d9eb
+  metadata.gz: 825e73fe75136333217b5f395f25245fe295fa4749a8068711011ba5c47350043941e4a4319837015e211f6cbd29952970fdc79f5deb0364c76d995c8d9de457
+  data.tar.gz: 57b8333f46704c6aead2d24ab214ab99ddb8296f93cc62298385d20bf4bffad829fae3b5e3a658e399d1628ab355a9abd69e4e1f2d08971740547b6ff1425f5b

data/CHANGELOG.md

@@ -2,7 +2,25 @@
 
 All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
 
-## Unreleased
+## [3.2.6] - 2026-04-01
+
+### Security
+
+- [CVE-2026-34763](https://github.com/advisories/GHSA-7mqq-6cf9-v2qp) Root directory disclosure via unescaped regex interpolation in `Rack::Directory`.
+- [CVE-2026-34230](https://github.com/advisories/GHSA-v569-hp3g-36wr) Avoid O(n^2) algorithm in `Rack::Utils.select_best_encoding` which could lead to denial of service.
+- [CVE-2026-32762](https://github.com/advisories/GHSA-qfgr-crr9-7r49) Forwarded header semicolon injection enables Host and Scheme spoofing.
+- [CVE-2026-26961](https://github.com/advisories/GHSA-vgpv-f759-9wx3) Raise error for multipart requests with multiple boundary parameters.
+- [CVE-2026-34786](https://github.com/advisories/GHSA-q4qf-9j86-f5mh) `Rack::Static` `header_rules` bypass via URL-encoded path mismatch.
+- [CVE-2026-34831](https://github.com/advisories/GHSA-q2ww-5357-x388) `Content-Length` mismatch in `Rack::Files` error responses.
+- [CVE-2026-34826](https://github.com/advisories/GHSA-x8cg-fq8g-mxfx) Multipart byte range processing allows denial of service via excessive overlapping ranges.
+- [CVE-2026-34835](https://github.com/advisories/GHSA-g2pf-xv49-m2h5) `Rack::Request` accepts invalid Host characters, enabling host allowlist bypass.
+- [CVE-2026-34830](https://github.com/advisories/GHSA-qv7j-4883-hwh7) `Rack::Sendfile` header-based `X-Accel-Mapping` regex injection enables unauthorized `X-Accel-Redirect`.
+- [CVE-2026-34785](https://github.com/advisories/GHSA-h2jq-g4cq-5ppq) `Rack::Static` prefix matching can expose unintended files under the static root.
+- [CVE-2026-34829](https://github.com/advisories/GHSA-8vqr-qjwx-82mw) Multipart parsing without `Content-Length` header allows unbounded chunked file uploads.
+- [CVE-2026-34827](https://github.com/advisories/GHSA-v6x5-cg8r-vv6x) Quadratic-time multipart header parsing allows denial of service via escape-heavy quoted parameters.
+- [CVE-2026-26962](https://github.com/advisories/GHSA-rx22-g9mx-qrhv) Improper unfolding of folded multipart headers preserves CRLF in parsed parameter values.
+
+## [3.2.5] - 2026-02-16
 
 ### Security
 
@@ -91,6 +109,13 @@ This release continues Rack's evolution toward a cleaner, more efficient foundat
 - `SERVER_NAME` and `HTTP_HOST` are now more strictly validated according to the relevant specifications. ([#2298](https://github.com/rack/rack/pull/2298), [@ioquatix])
 - `Rack::Lint` now disallows `PATH_INFO="" SCRIPT_NAME=""`. ([#2298](https://github.com/rack/rack/issues/2307), [@jeremyevans])
 
+## [3.1.20] - 2026-02-16
+
+### Security
+
+- [CVE-2026-25500](https://github.com/advisories/GHSA-whrj-4476-wvmp) XSS injection via malicious filename in `Rack::Directory`.
+- [CVE-2026-22860](https://github.com/advisories/GHSA-mxw3-3hh2-x2mh) Directory traversal via root prefix bypass in `Rack::Directory`.
+
 ## [3.1.19] - 2025-11-03
 
 ### Fixed
@@ -481,6 +506,13 @@ This release introduces major improvements to Rack, including enhanced support f
 - Fix multipart filename generation for filenames that contain spaces. Encode spaces as "%20" instead of "+" which will be decoded properly by the multipart parser. ([#1736](https://github.com/rack/rack/pull/1645), [@muirdm](https://github.com/muirdm))
 - `Rack::Request#scheme` returns `ws` or `wss` when one of the `X-Forwarded-Scheme` / `X-Forwarded-Proto` headers is set to `ws` or `wss`, respectively. ([#1730](https://github.com/rack/rack/issues/1730), [@erwanst](https://github.com/erwanst))
 
+## [2.2.22] - 2026-02-16
+
+### Security
+
+- [CVE-2026-25500](https://github.com/advisories/GHSA-whrj-4476-wvmp) XSS injection via malicious filename in `Rack::Directory`.
+- [CVE-2026-22860](https://github.com/advisories/GHSA-mxw3-3hh2-x2mh) Directory traversal via root prefix bypass in `Rack::Directory`.
+
 ## [2.2.21] - 2025-11-03
 
 ### Fixed

data/lib/rack/directory.rb

@@ -51,7 +51,7 @@ table { width:100%%; }
     class DirectoryBody < Struct.new(:root, :path, :files)
       # Yield strings for each part of the directory entry
       def each
-        show_path = Utils.escape_html(path.sub(/^#{root}/, ''))
+        show_path = Utils.escape_html(path.sub(/\A#{Regexp.escape(root)}/, ''))
         yield(DIR_PAGE_HEADER % [ show_path, show_path ])
 
         unless path.chomp('/') == root

data/lib/rack/files.rb

@@ -194,7 +194,7 @@ EOF
         status,
         {
           CONTENT_TYPE   => "text/plain",
-          CONTENT_LENGTH => body.size.to_s,
+          CONTENT_LENGTH => body.bytesize.to_s,
           "x-cascade" => "pass"
         }.merge!(headers),
         [body]

data/lib/rack/multipart/parser.rb

@@ -33,7 +33,7 @@ module Rack
     EOL = "\r\n"
     FWS = /[ \t]+(?:\r\n[ \t]+)?/ # whitespace with optional folding
     HEADER_VALUE = "(?:[^\r\n]|\r\n[ \t])*" # anything but a non-folding CRLF
-    MULTIPART = %r|\Amultipart/.*boundary=\"?([^\";,]+)\"?|ni
+    MULTIPART = %r|\Amultipart/.*?boundary(\s*)=\"?([^\";,]+)\"?|ni
     MULTIPART_CONTENT_TYPE = /^Content-Type:#{FWS}?(#{HEADER_VALUE})/ni
     MULTIPART_CONTENT_DISPOSITION = /^Content-Disposition:#{FWS}?(#{HEADER_VALUE})/ni
     MULTIPART_CONTENT_ID = /^Content-ID:#{FWS}?(#{HEADER_VALUE})/ni
@@ -80,6 +80,13 @@ module Rack
       BUFFERED_UPLOAD_BYTESIZE_LIMIT = env_int.call("RACK_MULTIPART_BUFFERED_UPLOAD_BYTESIZE_LIMIT", 16 * 1024 * 1024)
       private_constant :BUFFERED_UPLOAD_BYTESIZE_LIMIT
 
+      bytesize_limit = env_int.call("RACK_MULTIPART_PARSER_BYTESIZE_LIMIT", 10 * 1024 * 1024 * 1024)
+      PARSER_BYTESIZE_LIMIT = bytesize_limit > 0 ? bytesize_limit : nil
+      private_constant :PARSER_BYTESIZE_LIMIT
+
+      CONTENT_DISPOSITION_QUOTED_ESCAPES_LIMIT = env_int.call("RACK_MULTIPART_CONTENT_DISPOSITION_QUOTED_ESCAPES_LIMIT", 8 * 1024)
+      private_constant :CONTENT_DISPOSITION_QUOTED_ESCAPES_LIMIT
+
       class BoundedIO # :nodoc:
         def initialize(io, content_length)
           @io             = io
@@ -116,7 +123,15 @@ module Rack
         return unless content_type
         data = content_type.match(MULTIPART)
         return unless data
-        data[1]
+
+        unless data[1].empty?
+          raise Error, "whitespace between boundary parameter name and equal sign"
+        end
+        if data.post_match.match?(/boundary\s*=/i)
+          raise BoundaryTooLongError, "multiple boundary parameters found in multipart content type"
+        end
+
+        data[2]
       end
 
       def self.parse(io, content_length, content_type, tmpfile, bufsize, qp)
@@ -125,6 +140,10 @@ module Rack
         boundary = parse_boundary content_type
         return EMPTY unless boundary
 
+        if PARSER_BYTESIZE_LIMIT && content_length && content_length > PARSER_BYTESIZE_LIMIT
+          raise Error, "multipart Content-Length #{content_length} exceeds limit of #{PARSER_BYTESIZE_LIMIT} bytes"
+        end
+
         if boundary.length > 70
           # RFC 1521 Section 7.2.1 imposes a 70 character maximum for the boundary.
           # Most clients use no more than 55 characters.
@@ -241,6 +260,8 @@ module Rack
         @mime_index = 0
         @body_retained = nil
         @retained_size = 0
+        @total_bytes_read = (0 if PARSER_BYTESIZE_LIMIT)
+        @content_disposition_quoted_escapes = 0
         @collector = Collector.new tempfile
 
         @sbuf = StringScanner.new("".dup)
@@ -252,6 +273,7 @@ module Rack
       end
 
       def parse(io)
+        @total_bytes_read &&= nil if io.is_a?(BoundedIO)
         outbuf = String.new
         read_data(io, outbuf)
 
@@ -290,6 +312,12 @@ module Rack
       def read_data(io, outbuf)
         content = io.read(@bufsize, outbuf)
         handle_empty_content!(content)
+        if @total_bytes_read
+          @total_bytes_read += content.bytesize
+          if @total_bytes_read > PARSER_BYTESIZE_LIMIT
+            raise Error, "multipart upload exceeds limit of #{PARSER_BYTESIZE_LIMIT} bytes"
+          end
+        end
         @sbuf.concat(content)
       end
 
@@ -339,13 +367,21 @@ module Rack
 
       CONTENT_DISPOSITION_MAX_PARAMS = 16
       CONTENT_DISPOSITION_MAX_BYTES = 1536
+      OBS_UNFOLD = /\r\n([ \t])/
+      private_constant :OBS_UNFOLD
+
       def handle_mime_head
         if @sbuf.scan_until(@head_regex)
           head = @sbuf[1]
           content_type = head[MULTIPART_CONTENT_TYPE, 1]
+          content_type.gsub!(OBS_UNFOLD, '\1') if content_type
+
           if (disposition = head[MULTIPART_CONTENT_DISPOSITION, 1]) &&
               disposition.bytesize <= CONTENT_DISPOSITION_MAX_BYTES
 
+            # Implement OBS unfolding (RFC 5322 Section 2.2.3)
+            disposition.gsub!(OBS_UNFOLD, '\1')
+
             # ignore actual content-disposition value (should always be form-data)
             i = disposition.index(';')
             disposition.slice!(0, i+1)
@@ -383,6 +419,11 @@ module Rack
                   # stop parsing parameter value if found ending quote
                   break if c == '"'
 
+                  @content_disposition_quoted_escapes += 1
+                  if @content_disposition_quoted_escapes > CONTENT_DISPOSITION_QUOTED_ESCAPES_LIMIT
+                    raise Error, "number of quoted escapes during content disposition parsing exceeds limit"
+                  end
+
                   escaped_char = disposition.slice!(0, 1)
                   if param == 'filename' && escaped_char != '"'
                     # Possible IE uploaded filename, append both escape backslash and value

data/lib/rack/request.rb

@@ -723,8 +723,8 @@ module Rack
           # Match IPv6 as a string of hex digits and colons in square brackets
           \[(?<address>#{ipv6})\]
           |
-          # Match any other printable string (except square brackets) as a hostname
-          (?<address>[[[:graph:]&&[^\[\]]]]*?)
+          # Match characters allowed by RFC 3986 Section 3.2.2
+          (?<address>[-a-zA-Z0-9._~%!$&'()*+,;=]*?)
         )
         (:(?<port>\d+))?
         \z

data/lib/rack/sendfile.rb

@@ -51,7 +51,7 @@ module Rack
   #
   # The `x-accel-mapping` header should specify the location on the file system,
   # followed by an equals sign (=), followed name of the private URL pattern
-  # that it maps to. The middleware performs a simple substitution on the
+  # that it maps to. The middleware performs a case-insensitive substitution on the
   # resulting path.
   #
   # To enable `x-accel-redirect`, you must configure the middleware explicitly:
@@ -186,7 +186,7 @@ module Rack
         # Safe to use header: explicit config + no app mappings:
         mapping.split(',').map(&:strip).each do |m|
           internal, external = m.split('=', 2).map(&:strip)
-          new_path = path.sub(/\A#{internal}/i, external)
+          new_path = path.sub(/\A#{Regexp.escape(internal)}/i, external)
           return new_path unless path == new_path
         end
 

data/lib/rack/static.rb

@@ -93,6 +93,9 @@ module Rack
     def initialize(app, options = {})
       @app = app
       @urls = options[:urls] || ["/favicon.ico"]
+      if @urls.kind_of?(Array)
+        @urls = @urls.map { |url| [url, url.end_with?('/') ? url : "#{url}/".freeze].freeze }.freeze
+      end
       @index = options[:index]
       @gzip = options[:gzip]
       @cascade = options[:cascade]
@@ -115,7 +118,7 @@ module Rack
     end
 
     def route_file(path)
-      @urls.kind_of?(Array) && @urls.any? { |url| path.index(url) == 0 }
+      @urls.kind_of?(Array) && @urls.any? { |url, url_slash| path == url || path.start_with?(url_slash) }
     end
 
     def can_serve(path)
@@ -165,6 +168,8 @@ module Rack
 
     # Convert HTTP header rules to HTTP headers
     def applicable_rules(path)
+      path = ::Rack::Utils.unescape_path(path)
+
       @header_rules.find_all do |rule, new_headers|
         case rule
         when :all
@@ -172,10 +177,9 @@ module Rack
         when :fonts
           /\.(?:ttf|otf|eot|woff2|woff|svg)\z/.match?(path)
         when String
-          path = ::Rack::Utils.unescape(path)
           path.start_with?(rule) || path.start_with?('/' + rule)
         when Array
-          /\.(#{rule.join('|')})\z/.match?(path)
+          /\.#{Regexp.union(rule)}\z/.match?(path)
         when Regexp
           rule.match?(path)
         else

data/lib/rack/utils.rb

@@ -146,17 +146,77 @@ module Rack
       end
     end
 
+    ALLOWED_FORWARED_PARAMS = %w[by for host proto].to_h { |name| [name, name.to_sym] }.freeze
+    private_constant :ALLOWED_FORWARED_PARAMS
+
     def forwarded_values(forwarded_header)
-      return nil unless forwarded_header
-      forwarded_header = forwarded_header.to_s.gsub("\n", ";")
-
-      forwarded_header.split(';').each_with_object({}) do |field, values|
-        field.split(',').each do |pair|
-          pair = pair.split('=').map(&:strip).join('=')
-          return nil unless pair =~ /\A(by|for|host|proto)="?([^"]+)"?\Z/i
-          (values[$1.downcase.to_sym] ||= []) << $2
+      return unless forwarded_header
+      header = forwarded_header.to_s.tr("\n", ";")
+      header.sub!(/\A[\s;,]+/, '')
+      num_params = num_escapes = 0
+      max_params = max_escapes = 1024
+      params = {}
+
+      # Parse parameter list
+      while i = header.index('=')
+        # Only parse up to max parameters, to avoid potential denial of service
+        num_params += 1
+        return if num_params > max_params
+
+        # Found end of parameter name, ensure forward progress in loop
+        param = header.slice!(0, i+1)
+
+        # Remove ending equals and preceding whitespace from parameter name
+        param.chomp!('=')
+        param.strip!
+        param.downcase!
+        return unless param = ALLOWED_FORWARED_PARAMS[param]
+
+        if header[0] == '"'
+          # Parameter value is quoted, parse it, handling backslash escapes
+          header.slice!(0, 1)
+          value = String.new
+
+          while i = header.index(/(["\\])/)
+            c = $1
+
+            # Append all content until ending quote or escape
+            value << header.slice!(0, i)
+
+            # Remove either backslash or ending quote,
+            # ensures forward progress in loop
+            header.slice!(0, 1)
+
+            # stop parsing parameter value if found ending quote
+            break if c == '"'
+
+            # Only allow up to max escapes, to avoid potential denial of service
+            num_escapes += 1
+            return if num_escapes > max_escapes
+            escaped_char = header.slice!(0, 1)
+            value << escaped_char
+          end
+        else
+          if i = header.index(/[;,]/)
+            # Parameter value unquoted (which may be invalid), value ends at comma or semicolon
+            value = header.slice!(0, i)
+            value.sub!(/[\s;,]+\z/, '')
+          else
+            # If no ending semicolon, assume remainder of line is value and stop parsing
+            header.strip!
+            value = header
+            header = ''
+          end
+          value.lstrip!
         end
+
+        (params[param] ||= []) << value
+
+        # skip trailing semicolons/commas/whitespace, to proceed to next parameter
+        header.sub!(/\A[\s;,]+/, '') unless header.empty?
       end
+
+      params
     end
     module_function :forwarded_values
 
@@ -193,17 +253,41 @@ module Rack
     # :nocov:
     end
 
+    # Given an array of available encoding strings, and an array of
+    # acceptable encodings for a request, where each element of the
+    # acceptable encodings array is an array where the first element
+    # is an encoding name and the second element is the numeric
+    # priority for the encoding, return the available encoding with
+    # the highest priority.
+    #
+    # The accept_encoding argument is typically generated by calling
+    # Request#accept_encoding.
+    #
+    # Example:
+    #
+    #   select_best_encoding(%w(compress gzip identity),
+    #                        [["compress", 0.5], ["gzip", 1.0]])
+    #   # => "gzip"
+    #
+    # To reduce denial of service potential, only the first 16
+    # acceptable encodings are considered.
     def select_best_encoding(available_encodings, accept_encoding)
       # http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html
 
+      # Only process the first 16 encodings
+      accept_encoding = accept_encoding[0...16]
       expanded_accept_encoding = []
+      wildcard_seen = false
 
       accept_encoding.each do |m, q|
         preference = available_encodings.index(m) || available_encodings.size
 
         if m == "*"
-          (available_encodings - accept_encoding.map(&:first)).each do |m2|
-            expanded_accept_encoding << [m2, q, preference]
+          unless wildcard_seen
+            (available_encodings - accept_encoding.map(&:first)).each do |m2|
+              expanded_accept_encoding << [m2, q, preference]
+            end
+            wildcard_seen = true
           end
         else
           expanded_accept_encoding << [m, q, preference]
@@ -211,7 +295,13 @@ module Rack
       end
 
       encoding_candidates = expanded_accept_encoding
-        .sort_by { |_, q, p| [-q, p] }
+        .sort do |(_, q1, p1), (_, q2, p2)|
+          if r = (q1 <=> q2).nonzero?
+            -r
+          else
+            (p1 <=> p2).nonzero? || 0
+          end
+        end
         .map!(&:first)
 
       unless encoding_candidates.include?("identity")
@@ -399,17 +489,19 @@ module Rack
     # Parses the "Range:" header, if present, into an array of Range objects.
     # Returns nil if the header is missing or syntactically invalid.
     # Returns an empty array if none of the ranges are satisfiable.
-    def byte_ranges(env, size)
-      get_byte_ranges env['HTTP_RANGE'], size
+    def byte_ranges(env, size, max_ranges: 100)
+      get_byte_ranges env['HTTP_RANGE'], size, max_ranges: max_ranges
     end
 
-    def get_byte_ranges(http_range, size)
+    def get_byte_ranges(http_range, size, max_ranges: 100)
       # See <http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.35>
       # Ignore Range when file size is 0 to avoid a 416 error.
       return nil if size.zero?
       return nil unless http_range && http_range =~ /bytes=([^;]+)/
+      byte_range = $1
+      return nil if byte_range.count(',') >= max_ranges
       ranges = []
-      $1.split(/,[ \t]*/).each do |range_spec|
+      byte_range.split(/,[ \t]*/).each do |range_spec|
         return nil unless range_spec.include?('-')
         range = range_spec.split('-')
         r0, r1 = range[0], range[1]

data/lib/rack/version.rb

@@ -6,7 +6,7 @@
 # See MIT-LICENSE or https://opensource.org/licenses/MIT.
 
 module Rack
-  VERSION = "3.2.5"
+  VERSION = "3.2.6"
 
   RELEASE = VERSION
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-  version: 3.2.5
+  version: 3.2.6
 platform: ruby
 authors:
 - Leah Neukirchen
@@ -156,7 +156,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 4.0.3
+rubygems_version: 4.0.6
 specification_version: 4
 summary: A modular Ruby webserver interface.
 test_files: []