sinatra 3.0.2 → 3.0.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 51d1e07bf88ff5cf3837bb62442c1e72ac0fcf0a76c1704d4807490dc03d9154
-  data.tar.gz: 7b3aa08a0f94b508478e33c3840b3100ffc74a77d9bf6a1422010c3cbfc1193d
+  metadata.gz: 7596f4ab9a68b8aeebf1a916c1cd752a3e7dd2714dd7fa09b8def139f5b2b8f9
+  data.tar.gz: 38ee8094ab7b9bf06a30c4bbefa2b915af6a8c1d1c4c2ec4b97918e07e8dce25
 SHA512:
-  metadata.gz: 10ffb0b48fbbd7677e4b4be938db356e005096d36b993695c1a60c27600b504a4ab38e7e920465b03f72eb60ff1b860b885c621d394d3f9b0160f848fc1a68ee
-  data.tar.gz: e1f70f1588cf5e35d806c5f6b245920e310362fefc9e5f54e99e632bb6b532c54955d8eda8675a80294a9526a648121e70f512df88c88886ecbb7ceb75eeb951
+  metadata.gz: 1f2f27088c9dfb616693cbac0bfc80a2c831e8c4126c3fc86d9b9888e0b5a20bab767d0120a1ef1045466e7d4228d265503b91cb23e2c4502d5dea494017cbda
+  data.tar.gz: 1e941fdfd3658202725a247ca4d363fb2d2026a9aa1176f61ca170620317e75dccca16b702ca377f65169a8633e43e9c724076581777e46a13e053b717b8212e

data/CHANGELOG.md

@@ -2,6 +2,14 @@
 
 * _Your new feature here._
 
+## 3.0.4 / 2022-11-25
+
+* Fix: Escape filename in the Content-Disposition header. [#1841](https://github.com/sinatra/sinatra/pull/1841) by Kunpei Sakai
+
+## 3.0.3 / 2022-11-11
+
+* Fix: fixed ReDoS for Rack::Protection::IPSpoofing. [#1823](https://github.com/sinatra/sinatra/pull/1823) by @ooooooo-q
+
 ## 3.0.2 / 2022-10-01
 
 * New: Add Haml 6 support. [#1820](https://github.com/sinatra/sinatra/pull/1820) by Jordan Owens
@@ -70,6 +78,8 @@
 
 ## 2.2.0 / 2022-02-15
 
+* Breaking change: Add `#select`, `#reject` and `#compact` methods to `Sinatra::IndifferentHash`. If hash keys need to be converted to symbols, call `#to_h` to get a `Hash` instance first. [#1711](https://github.com/sinatra/sinatra/pull/1711) by Olivier Bellone
+
 * Handle EOFError raised by Rack and return Bad Request 400 status. [#1743](https://github.com/sinatra/sinatra/pull/1743) by tamazon
 
 * Minor refactors in `base.rb`. [#1640](https://github.com/sinatra/sinatra/pull/1640) by ceclinux
@@ -100,8 +110,6 @@
 
 * Remove unnecessary `test_files` from the gemspec. [#1712](https://github.com/sinatra/sinatra/pull/1712) by Masataka Pocke Kuwabara
 
-* Add `#select`, `#reject` and `#compact` methods to `Sinatra::IndifferentHash`. [#1711](https://github.com/sinatra/sinatra/pull/1711) by Olivier Bellone
-
 * Docs: Spanish documentation: Update README.es.md with removal of Thin. [#1630](https://github.com/sinatra/sinatra/pull/1630) by Espartaco Palma
 
 * Docs: German documentation: Fixed typos in German README.md. [#1648](https://github.com/sinatra/sinatra/pull/1648) by Juri

data/Gemfile

@@ -15,9 +15,14 @@ gem 'rake'
 
 rack_version = ENV['rack'].to_s
 rack_version = nil if rack_version.empty? || (rack_version == 'stable')
-rack_version = { github: 'rack/rack' } if rack_version == 'main'
+rack_version = { github: 'rack/rack' } if rack_version == 'latest'
 gem 'rack', rack_version
 
+puma_version = ENV['puma'].to_s
+puma_version = nil if puma_version.empty? || (puma_version == 'stable')
+puma_version = { github: 'puma/puma' } if puma_version == 'latest'
+gem 'puma', puma_version
+
 gem 'minitest', '~> 5.0'
 gem 'rack-test', github: 'rack/rack-test'
 gem 'rubocop', '~> 1.32.0', require: false
@@ -40,7 +45,6 @@ gem 'liquid'
 gem 'markaby'
 gem 'nokogiri', '> 1.5.0'
 gem 'pandoc-ruby', '~> 2.0.2'
-gem 'puma'
 gem 'rabl'
 gem 'rainbows', platforms: [:mri] # uses #fork
 gem 'rdiscount', platforms: [:ruby]

data/README.md

@@ -938,7 +938,7 @@ __END__
 
 @@ layout
 %html
-  = yield
+  != yield
 
 @@ index
 %div.title Hello world.
@@ -2903,4 +2903,4 @@ SemVerTag.
 * API documentation for the [latest release](http://www.rubydoc.info/gems/sinatra)
   or the [current HEAD](http://www.rubydoc.info/github/sinatra/sinatra) on
   [RubyDoc](http://www.rubydoc.info/)
-* [CI server](https://travis-ci.org/sinatra/sinatra)
+* [CI Actions](https://github.com/sinatra/sinatra/actions)

data/VERSION

@@ -1 +1 @@
-3.0.2
+3.0.4

data/lib/sinatra/base.rb

@@ -396,13 +396,20 @@ module Sinatra
       response['Content-Type'] = mime_type
     end
 
+    # https://html.spec.whatwg.org/#multipart-form-data
+    MULTIPART_FORM_DATA_REPLACEMENT_TABLE = {
+      '"'  => '%22',
+      "\r" => '%0D',
+      "\n" => '%0A'
+    }.freeze
+
     # Set the Content-Disposition to "attachment" with the specified filename,
     # instructing the user agents to prompt to save.
     def attachment(filename = nil, disposition = :attachment)
       response['Content-Disposition'] = disposition.to_s.dup
       return unless filename
 
-      params = format('; filename="%s"', File.basename(filename))
+      params = format('; filename="%s"', File.basename(filename).gsub(/["\r\n]/, MULTIPART_FORM_DATA_REPLACEMENT_TABLE))
       response['Content-Disposition'] << params
       ext = File.extname(filename)
       content_type(ext) unless response['Content-Type'] || ext.empty?

data/lib/sinatra/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Sinatra
-  VERSION = '3.0.1'
+  VERSION = '3.0.3'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: sinatra
 version: !ruby/object:Gem::Version
-  version: 3.0.2
+  version: 3.0.4
 platform: ruby
 authors:
 - Blake Mizerany
@@ -11,7 +11,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-10-01 00:00:00.000000000 Z
+date: 2022-11-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: mustermann
@@ -53,14 +53,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 3.0.2
+        version: 3.0.4
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 3.0.2
+        version: 3.0.4
 - !ruby/object:Gem::Dependency
   name: tilt
   requirement: !ruby/object:Gem::Requirement