Version in base suite: 2.2.6.4-1+deb12u1 Base version: ruby-rack_2.2.6.4-1+deb12u1 Target version: ruby-rack_2.2.13-1~deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/r/ruby-rack/ruby-rack_2.2.6.4-1+deb12u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/r/ruby-rack/ruby-rack_2.2.13-1~deb12u1.dsc .github/workflows/development.yml | 6 CHANGELOG.md | 43 + SPEC.rdoc | 14 debian/changelog | 9 debian/patches/0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch | 51 - debian/patches/0002-Make-tests-pass-on-hosts-that-have-no-ipv4-connectiv.patch | 2 debian/patches/0002-Return-an-empty-array-when-ranges-are-too-large.patch | 46 - debian/patches/0003-Fixing-ReDoS-in-header-parsing.patch | 30 debian/patches/series | 3 debian/patches/skip-unreadable-dir-test.patch | 8 lib/rack/auth/basic.rb | 3 lib/rack/auth/digest/nonce.rb | 5 lib/rack/common_logger.rb | 5 lib/rack/lint.rb | 365 ++++------ lib/rack/media_type.rb | 13 lib/rack/multipart/parser.rb | 12 lib/rack/request.rb | 2 lib/rack/sendfile.rb | 2 lib/rack/session/cookie.rb | 6 lib/rack/static.rb | 3 lib/rack/utils.rb | 12 lib/rack/version.rb | 2 test/spec_common_logger.rb | 7 test/spec_multipart.rb | 22 test/spec_request.rb | 27 test/spec_sendfile.rb | 2 test/spec_static.rb | 6 test/spec_utils.rb | 4 28 files changed, 349 insertions(+), 361 deletions(-) diff -Nru ruby-rack-2.2.6.4/.github/workflows/development.yml ruby-rack-2.2.13/.github/workflows/development.yml --- ruby-rack-2.2.6.4/.github/workflows/development.yml 2023-03-13 18:07:51.000000000 +0000 +++ ruby-rack-2.2.13/.github/workflows/development.yml 2025-03-10 21:18:07.000000000 +0000 @@ -7,8 +7,8 @@ strategy: fail-fast: false matrix: - os: [ubuntu-20.04] - ruby: [2.3, 2.4, 2.5, 2.6, 2.7, '3.0', 3.1, 3.2] + os: [ubuntu-latest] + ruby: [2.3, 2.4, 2.5, 2.6, 2.7, '3.0', 3.1, 3.2, 3.3, 3.4] runs-on: ${{matrix.os}} steps: - uses: actions/checkout@v2 
@@ -17,7 +17,7 @@ with: ruby-version: ${{matrix.ruby}} - - uses: actions/cache@v1 + - uses: actions/cache@v4 with: path: vendor/bundle key: bundle-use-ruby-${{matrix.os}}-${{matrix.ruby}}-${{hashFiles('**/Gemfile')}} diff -Nru ruby-rack-2.2.6.4/CHANGELOG.md ruby-rack-2.2.13/CHANGELOG.md --- ruby-rack-2.2.6.4/CHANGELOG.md 2023-03-13 18:07:51.000000000 +0000 +++ ruby-rack-2.2.13/CHANGELOG.md 2025-03-10 21:18:07.000000000 +0000 
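Review bot: Both actions in this workflow are referenced by mutable tag, and while `actions/cache` moves to `@v4` here, the context line of the first hunk still shows `- uses: actions/checkout@v2`, a Node 12-era release that GitHub has deprecated, so it would be consistent to bump it in the same change. For a gem whose releases carry security fixes, pinning each action to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: actions/cache@<full-commit-sha> # v4`, keeps the release pipeline unaffected by a moved or compromised tag. The matrix change itself looks fine; `ubuntu-latest` just means the runner image is no longer fixed, which is worth knowing when a job starts failing for reasons unrelated to the code.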
@@ -2,6 +2,43 @@ All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/). +## [2.2.13] - 2025-03-11 + +### Security + +- [CVE-2025-27610](https://github.com/rack/rack/security/advisories/GHSA-7wqh-767x-r66v) Local file inclusion in `Rack::Static`. + +## [2.2.12] - 2025-03-04 + +### Security + +- [CVE-2025-27111](https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v) Possible Log Injection in `Rack::Sendfile`. + +## [2.2.11] - 2025-02-12 + +### Security + +- [CVE-2025-25184](https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg) Possible Log Injection in `Rack::CommonLogger`. + +## [2.2.10] - 2024-10-14 + +- Fix compatibility issues with Ruby v3.4.0. ([#2248](https://github.com/rack/rack/pull/2248), [@byroot](https://github.com/byroot)) + +## [2.2.9] - 2023-03-21 + +- Return empty when parsing a multi-part POST with only one end delimiter. 
([#2104](https://github.com/rack/rack/pull/2104), [@alpaca-tc]) + +## [2.2.8] - 2023-07-31 + +- Regenerate SPEC ([#2102](https://github.com/rack/rack/pull/2102), [@skipkayhil](https://github.com/skipkayhil)) +- Limit file extension length of multipart tempfiles ([#2015](https://github.com/rack/rack/pull/2015), [@dentarg](https://github.com/dentarg)) +- Fix "undefined method DelegateClass for Rack::Session::Cookie:Class" ([#2092](https://github.com/rack/rack/pull/2092), [@onigra](https://github.com/onigra) [@dchandekstark](https://github.com/dchandekstark)) + +## [2.2.7] - 2023-03-13 + +- Correct the year number in the changelog ([#2015](https://github.com/rack/rack/pull/2015), [@kimulab](https://github.com/kimulab)) +- Support underscore in host names for Rack 2.2 (Fixes [#2070](https://github.com/rack/rack/issues/2070)) ([#2015](https://github.com/rack/rack/pull/2071), [@jeremyevans](https://github.com/jeremyevans)) + ## [2.2.6.4] - 2023-03-13 - [CVE-2023-27539] Avoid ReDoS in header parsing @@ -10,16 +47,16 @@ - [CVE-2023-27530] Introduce multipart_total_part_limit to limit total parts -## [2.2.6.2] - 2022-01-17 +## [2.2.6.2] - 2023-01-17 - [CVE-2022-44570] Fix ReDoS in Rack::Utils.get_byte_ranges -## [2.2.6.1] - 2022-01-17 +## [2.2.6.1] - 2023-01-17 - [CVE-2022-44571] Fix ReDoS vulnerability in multipart parser - [CVE-2022-44572] Forbid control characters in attributes (also ReDoS) -## [2.2.6] - 2022-01-17 +## [2.2.6] - 2023-01-17 - Extend `Rack::MethodOverride` to handle `QueryParser::ParamsTooDeepError` error. ([#2011](https://github.com/rack/rack/pull/2011), [@byroot](https://github.com/byroot)) diff -Nru ruby-rack-2.2.6.4/SPEC.rdoc ruby-rack-2.2.13/SPEC.rdoc --- ruby-rack-2.2.6.4/SPEC.rdoc 2023-03-13 18:07:51.000000000 +0000 +++ ruby-rack-2.2.13/SPEC.rdoc 2025-03-10 21:18:07.000000000 +0000 
@@ -42,17 +42,18 @@ QUERY_STRING:: The portion of the request URL that follows the ?, if any. May be empty, but is always required! -SERVER_NAME, SERVER_PORT:: - When combined with SCRIPT_NAME and +SERVER_NAME:: When combined with SCRIPT_NAME and PATH_INFO, these variables can be used to complete the URL. Note, however, that HTTP_HOST, if present, should be used in preference to SERVER_NAME for reconstructing the request URL. - SERVER_NAME and SERVER_PORT - can never be empty strings, and so - are always required. + SERVER_NAME can never be an empty + string, and so is always required. +SERVER_PORT:: An optional +Integer+ which is the port the + server is running on. Should be specified if + the server is running on a non-standard port. HTTP_ Variables:: Variables corresponding to the client-supplied HTTP request headers (i.e., variables whose @@ -122,6 +123,9 @@ is reserved for use with the Rack core distribution and other accepted specifications and must not be used otherwise. +The SERVER_PORT must be an Integer if set. +The SERVER_NAME must be a valid authority as defined by RFC7540. +The HTTP_HOST must be a valid authority as defined by RFC7540. The environment must not contain the keys HTTP_CONTENT_TYPE or HTTP_CONTENT_LENGTH (use the versions without HTTP_). diff -Nru ruby-rack-2.2.6.4/debian/changelog ruby-rack-2.2.13/debian/changelog --- ruby-rack-2.2.6.4/debian/changelog 2024-05-02 20:39:36.000000000 +0000 +++ ruby-rack-2.2.13/debian/changelog 2025-03-20 03:57:37.000000000 +0000 
@@ -1,3 +1,12 @@ +ruby-rack (2.2.13-1~deb12u1) bookworm-security; urgency=medium + + * New upstream version 2.2.13. + - Fixes: CVE-2025-27610, CVE-2025-27111, CVE-2025-25184. + - Closes: #1100444, #1099546, #1098257. + * Drop patches that have been applied in v2.2.13. + + -- Utkarsh Gupta Thu, 20 Mar 2025 09:27:37 +0530 + ruby-rack (2.2.6.4-1+deb12u1) bookworm-security; urgency=medium * Non-maintainer upload. diff -Nru ruby-rack-2.2.6.4/debian/patches/0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch ruby-rack-2.2.13/debian/patches/0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch --- ruby-rack-2.2.6.4/debian/patches/0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch 2024-05-02 20:11:55.000000000 +0000 +++ ruby-rack-2.2.13/debian/patches/0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,51 +0,0 @@ -From 0dd2a6314a1677ba38d2f94b18ecf21a5fbfaa1d Mon Sep 17 00:00:00 2001 -From: Jean Boussier -Date: Wed, 6 Dec 2023 18:32:19 +0100 -Subject: Avoid 2nd degree polynomial regexp in MediaType - ---- - lib/rack/media_type.rb | 13 +++++++++---- - 1 file changed, 9 insertions(+), 4 deletions(-) - -diff --git a/lib/rack/media_type.rb b/lib/rack/media_type.rb -index 41937c99..7fc1e39d 100644 ---- a/lib/rack/media_type.rb -+++ b/lib/rack/media_type.rb -@@ -4,7 +4,7 @@ module Rack - # Rack::MediaType parse media type and parameters out of content_type string - - class MediaType -- SPLIT_PATTERN = %r{\s*[;,]\s*} -+ SPLIT_PATTERN = /[;,]/ - - class << self - # The media type (type/subtype) portion of the CONTENT_TYPE header -@@ -15,7 +15,11 @@ module Rack - # http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.7 - def type(content_type) - return nil unless content_type -- content_type.split(SPLIT_PATTERN, 2).first.tap &:downcase! -+ if type = content_type.split(SPLIT_PATTERN, 2).first -+ type.rstrip! -+ type.downcase! -+ type -+ end - end - - # The media type parameters provided in CONTENT_TYPE as a Hash, or -@@ -27,9 +31,10 @@ module Rack - return {} if content_type.nil? - - content_type.split(SPLIT_PATTERN)[1..-1].each_with_object({}) do |s, hsh| -+ s.strip! - k, v = s.split('=', 2) -- -- hsh[k.tap(&:downcase!)] = strip_doublequotes(v) -+ k.downcase! -+ hsh[k] = strip_doublequotes(v) - end - end - --- -2.30.2 - diff -Nru ruby-rack-2.2.6.4/debian/patches/0002-Make-tests-pass-on-hosts-that-have-no-ipv4-connectiv.patch ruby-rack-2.2.13/debian/patches/0002-Make-tests-pass-on-hosts-that-have-no-ipv4-connectiv.patch --- ruby-rack-2.2.6.4/debian/patches/0002-Make-tests-pass-on-hosts-that-have-no-ipv4-connectiv.patch 2023-03-23 20:02:43.000000000 +0000 +++ ruby-rack-2.2.13/debian/patches/0002-Make-tests-pass-on-hosts-that-have-no-ipv4-connectiv.patch 2025-03-20 03:57:37.000000000 +0000 
@@ -47,7 +47,7 @@ @server = server end end -@@ -41,7 +41,7 @@ +@@ -43,7 +43,7 @@ response["HTTP_VERSION"].must_equal "HTTP/1.1" response["SERVER_PROTOCOL"].must_equal "HTTP/1.1" response["SERVER_PORT"].must_equal "9204" diff -Nru ruby-rack-2.2.6.4/debian/patches/0002-Return-an-empty-array-when-ranges-are-too-large.patch ruby-rack-2.2.13/debian/patches/0002-Return-an-empty-array-when-ranges-are-too-large.patch --- ruby-rack-2.2.6.4/debian/patches/0002-Return-an-empty-array-when-ranges-are-too-large.patch 2024-05-02 20:11:55.000000000 +0000 +++ ruby-rack-2.2.13/debian/patches/0002-Return-an-empty-array-when-ranges-are-too-large.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,46 +0,0 @@ -From ca18315cb37dffb378b56a64a6e0cefcb1df8fc0 Mon Sep 17 00:00:00 2001 -From: Aaron Patterson -Date: Tue, 13 Feb 2024 13:34:34 -0800 -Subject: Return an empty array when ranges are too large - -If the sum of the requested ranges is larger than the file itself, -return an empty array. In other words, refuse to respond with any bytes. - -[CVE-2024-26141] ---- - lib/rack/utils.rb | 3 +++ - test/spec_utils.rb | 4 ++++ - 2 files changed, 7 insertions(+) - -diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb -index c8e61ea1..72700503 100644 ---- a/lib/rack/utils.rb -+++ b/lib/rack/utils.rb -@@ -380,6 +380,9 @@ module Rack - end - ranges << (r0..r1) if r0 <= r1 - end -+ -+ return [] if ranges.map(&:size).sum > size -+ - ranges - end - -diff --git a/test/spec_utils.rb b/test/spec_utils.rb -index 90676258..6b069914 100644 ---- a/test/spec_utils.rb -+++ b/test/spec_utils.rb -@@ -590,6 +590,10 @@ describe Rack::Utils, "cookies" do - end - - describe Rack::Utils, "byte_range" do -+ it "returns an empty list if the sum of the ranges is too large" do -+ assert_equal [], Rack::Utils.byte_ranges({ "HTTP_RANGE" => "bytes=0-20,0-500" }, 500) -+ end -+ - it "ignore missing or syntactically invalid byte ranges" do - Rack::Utils.byte_ranges({}, 500).must_be_nil - Rack::Utils.byte_ranges({ "HTTP_RANGE" => "foobar" }, 500).must_be_nil --- -2.30.2 - diff -Nru ruby-rack-2.2.6.4/debian/patches/0003-Fixing-ReDoS-in-header-parsing.patch ruby-rack-2.2.13/debian/patches/0003-Fixing-ReDoS-in-header-parsing.patch --- ruby-rack-2.2.6.4/debian/patches/0003-Fixing-ReDoS-in-header-parsing.patch 2024-05-02 20:11:55.000000000 +0000 +++ ruby-rack-2.2.13/debian/patches/0003-Fixing-ReDoS-in-header-parsing.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,30 +0,0 @@ -From 3f0a5391ed7118f10bae56b369b2c525942f26c6 Mon Sep 17 00:00:00 2001 -From: Aaron Patterson -Date: Wed, 21 Feb 2024 11:05:06 -0800 -Subject: Fixing ReDoS in header parsing - -Thanks svalkanov - -[CVE-2024-26146] ---- - lib/rack/utils.rb | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb -index 72700503..ccf39e30 100644 ---- a/lib/rack/utils.rb -+++ b/lib/rack/utils.rb -@@ -142,8 +142,8 @@ module Rack - end - - def q_values(q_value_header) -- q_value_header.to_s.split(/\s*,\s*/).map do |part| -- value, parameters = part.split(/\s*;\s*/, 2) -+ q_value_header.to_s.split(',').map do |part| -+ value, parameters = part.split(';', 2).map(&:strip) - quality = 1.0 - if parameters && (md = /\Aq=([\d.]+)/.match(parameters)) - quality = md[1].to_f --- -2.30.2 - diff -Nru ruby-rack-2.2.6.4/debian/patches/series ruby-rack-2.2.13/debian/patches/series --- ruby-rack-2.2.6.4/debian/patches/series 2024-05-02 20:39:36.000000000 +0000 +++ ruby-rack-2.2.13/debian/patches/series 2025-03-20 03:57:37.000000000 +0000 @@ -1,6 +1,3 @@ skip-random-failure.patch 0002-Make-tests-pass-on-hosts-that-have-no-ipv4-connectiv.patch skip-unreadable-dir-test.patch -0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch -0002-Return-an-empty-array-when-ranges-are-too-large.patch -0003-Fixing-ReDoS-in-header-parsing.patch diff -Nru ruby-rack-2.2.6.4/debian/patches/skip-unreadable-dir-test.patch ruby-rack-2.2.13/debian/patches/skip-unreadable-dir-test.patch --- ruby-rack-2.2.6.4/debian/patches/skip-unreadable-dir-test.patch 2023-03-23 20:02:43.000000000 +0000 +++ ruby-rack-2.2.13/debian/patches/skip-unreadable-dir-test.patch 2025-03-20 03:57:37.000000000 +0000 
@@ -4,11 +4,9 @@ Author: HIGUCHI Daisuke (VDR dai) Forwarded: not-needed -Index: ruby-rack/test/spec_directory.rb -=================================================================== ---- ruby-rack.orig/test/spec_directory.rb -+++ ruby-rack/test/spec_directory.rb -@@ -54,6 +54,7 @@ describe Rack::Directory do +--- a/test/spec_directory.rb ++++ b/test/spec_directory.rb +@@ -54,6 +54,7 @@ end it "return 404 for unreadable directories" do diff -Nru ruby-rack-2.2.6.4/lib/rack/auth/basic.rb ruby-rack-2.2.13/lib/rack/auth/basic.rb --- ruby-rack-2.2.6.4/lib/rack/auth/basic.rb 2023-03-13 18:07:51.000000000 +0000 +++ ruby-rack-2.2.13/lib/rack/auth/basic.rb 2025-03-10 21:18:07.000000000 +0000 @@ -2,7 +2,6 @@ require_relative 'abstract/handler' require_relative 'abstract/request' -require 'base64' module Rack module Auth @@ -48,7 +47,7 @@ end def credentials - @credentials ||= Base64.decode64(params).split(':', 2) + @credentials ||= params.unpack("m").first.split(':', 2) end def username diff -Nru ruby-rack-2.2.6.4/lib/rack/auth/digest/nonce.rb ruby-rack-2.2.13/lib/rack/auth/digest/nonce.rb --- ruby-rack-2.2.6.4/lib/rack/auth/digest/nonce.rb 2023-03-13 18:07:51.000000000 +0000 +++ ruby-rack-2.2.13/lib/rack/auth/digest/nonce.rb 2025-03-10 21:18:07.000000000 +0000 @@ -1,7 +1,6 @@ # frozen_string_literal: true require 'digest/md5' -require 'base64' module Rack module Auth @@ -21,7 +20,7 @@ end def self.parse(string) - new(*Base64.decode64(string).split(' ', 2)) + new(*string.unpack("m").first.split(' ', 2)) end def initialize(timestamp = Time.now, given_digest = nil) @@ -29,7 +28,7 @@ end def to_s - Base64.encode64("#{@timestamp} #{digest}").strip + ["#{@timestamp} #{digest}"].pack("m").strip end def digest diff -Nru ruby-rack-2.2.6.4/lib/rack/common_logger.rb ruby-rack-2.2.13/lib/rack/common_logger.rb --- ruby-rack-2.2.6.4/lib/rack/common_logger.rb 2023-03-13 18:07:51.000000000 +0000 +++ ruby-rack-2.2.13/lib/rack/common_logger.rb 2025-03-10 21:18:07.000000000 +0000 
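Review bot: The replacement of `Base64.decode64`/`Base64.encode64` by `unpack("m").first` and `[...].pack("m")` in `Rack::Auth::Basic#credentials` and in `Nonce.parse`/`Nonce#to_s` is behaviour-preserving (those Base64 methods are thin wrappers over the same pack directives) but carries no explanation, so a later reader is likely to "simplify" it to `unpack1("m")` or reinstate `require 'base64'`. A one-line comment at each site would prevent that, e.g. `# Same as Base64.decode64 without depending on the base64 gem (presumably no longer a default gem on newer Rubies); unpack("m").first rather than unpack1 keeps Ruby 2.3 support.` Not introduced by this change but worth recording next to `credentials`: the `"m"` directive silently skips characters outside the Base64 alphabet, so a malformed `Authorization` header decodes to a garbage credential string instead of being rejected; if strict rejection is wanted, the `"m0"` directive raises ArgumentError on invalid input.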
@@ -15,7 +15,7 @@ # The actual format is slightly different than the above due to the # separation of SCRIPT_NAME and PATH_INFO, and because the elapsed # time in seconds is included at the end. - FORMAT = %{%s - %s [%s] "%s %s%s%s %s" %d %s %0.4f\n} + FORMAT = %{%s - %s [%s] "%s %s%s%s %s" %d %s %0.4f } # +logger+ can be any object that supports the +write+ or +<<+ methods, # which includes the standard library Logger. These methods are called @@ -60,7 +60,8 @@ length, Utils.clock_time - began_at ] - msg.gsub!(/[^[:print:]\n]/) { |c| "\\x#{c.ord}" } + msg.gsub!(/[^[:print:]]/) { |c| sprintf("\\x%x", c.ord) } + msg[-1] = "\n" logger = @logger || env[RACK_ERRORS] diff -Nru ruby-rack-2.2.6.4/lib/rack/lint.rb ruby-rack-2.2.13/lib/rack/lint.rb --- ruby-rack-2.2.6.4/lib/rack/lint.rb 2023-03-13 18:07:51.000000000 +0000 +++ ruby-rack-2.2.13/lib/rack/lint.rb 2025-03-10 21:18:07.000000000 +0000 @@ -40,7 +40,7 @@ def _call(env) ## It takes exactly one argument, the *environment* - assert("No env given") { env } + raise LintError, "No env given" unless env check_env env env[RACK_INPUT] = InputWrapper.new(env[RACK_INPUT]) @@ -48,12 +48,8 @@ ## and returns an Array of exactly three values: ary = @app.call(env) - assert("response is not an Array, but #{ary.class}") { - ary.kind_of? Array - } - assert("response array has #{ary.size} elements instead of 3") { - ary.size == 3 - } + raise LintError, "response is not an Array, but #{ary.class}" unless ary.kind_of? Array + raise LintError, "response array has #{ary.size} elements instead of 3" unless ary.size == 3 status, headers, @body = ary ## The *status*, 
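Review bot: In `log` (its body starts outside the hunk) the new escape `sprintf("\\x%x", c.ord)` is variable width: a rejected character with a code point above 0xff, if `[[:print:]]` excludes any, is written as `\x` followed by three or four hex digits, which a log consumer cannot distinguish from a two-digit escape followed by literal hex characters, so the sanitised line is not unambiguously parseable. Escaping per byte gives a fixed two-digit form for every character: `msg.gsub!(/[^[:print:]]/) { |c| c.bytes.map { |b| sprintf("\\x%02x", b) }.join }`. The trailing-space `FORMAT` in the first hunk and `msg[-1] = "\n"` are coupled and deserve a comment at the assignment, e.g. `# FORMAT ends in a single space that is replaced by "\n" only after escaping, so the escape pass above never sees the terminator.`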
@@ -78,12 +74,8 @@ ## The environment must be an unfrozen instance of Hash that includes ## CGI-like headers. The application is free to modify the ## environment. - assert("env #{env.inspect} is not a Hash, but #{env.class}") { - env.kind_of? Hash - } - assert("env should not be frozen, but is") { - !env.frozen? - } + raise LintError, "env #{env.inspect} is not a Hash, but #{env.class}" unless env.kind_of? Hash + raise LintError, "env should not be frozen, but is" if env.frozen? ## ## The environment is required to include these variables 
@@ -195,73 +187,73 @@ ## The store must implement: if session = env[RACK_SESSION] ## store(key, value) (aliased as []=); - assert("session #{session.inspect} must respond to store and []=") { - session.respond_to?(:store) && session.respond_to?(:[]=) - } + unless session.respond_to?(:store) && session.respond_to?(:[]=) + raise LintError, "session #{session.inspect} must respond to store and []=" + end ## fetch(key, default = nil) (aliased as []); - assert("session #{session.inspect} must respond to fetch and []") { - session.respond_to?(:fetch) && session.respond_to?(:[]) - } + unless session.respond_to?(:fetch) && session.respond_to?(:[]) + raise LintError, "session #{session.inspect} must respond to fetch and []" + end ## delete(key); - assert("session #{session.inspect} must respond to delete") { - session.respond_to?(:delete) - } + unless session.respond_to?(:delete) + raise LintError, "session #{session.inspect} must respond to delete" + end ## clear; - assert("session #{session.inspect} must respond to clear") { - session.respond_to?(:clear) - } + unless session.respond_to?(:clear) + raise LintError, "session #{session.inspect} must respond to clear" + end ## to_hash (returning unfrozen Hash instance); - assert("session #{session.inspect} must respond to to_hash and return unfrozen Hash instance") { - session.respond_to?(:to_hash) && session.to_hash.kind_of?(Hash) && !session.to_hash.frozen? - } + unless session.respond_to?(:to_hash) && session.to_hash.kind_of?(Hash) && !session.to_hash.frozen? + raise LintError, "session #{session.inspect} must respond to to_hash and return unfrozen Hash instance" + end end ## rack.logger:: A common object interface for logging messages. 
## The object must implement: if logger = env[RACK_LOGGER] ## info(message, &block) - assert("logger #{logger.inspect} must respond to info") { - logger.respond_to?(:info) - } + unless logger.respond_to?(:info) + raise LintError, "logger #{logger.inspect} must respond to info" + end ## debug(message, &block) - assert("logger #{logger.inspect} must respond to debug") { - logger.respond_to?(:debug) - } + unless logger.respond_to?(:debug) + raise LintError, "logger #{logger.inspect} must respond to debug" + end ## warn(message, &block) - assert("logger #{logger.inspect} must respond to warn") { - logger.respond_to?(:warn) - } + unless logger.respond_to?(:warn) + raise LintError, "logger #{logger.inspect} must respond to warn" + end ## error(message, &block) - assert("logger #{logger.inspect} must respond to error") { - logger.respond_to?(:error) - } + unless logger.respond_to?(:error) + raise LintError, "logger #{logger.inspect} must respond to error" + end ## fatal(message, &block) - assert("logger #{logger.inspect} must respond to fatal") { - logger.respond_to?(:fatal) - } + unless logger.respond_to?(:fatal) + raise LintError, "logger #{logger.inspect} must respond to fatal" + end end ## rack.multipart.buffer_size:: An Integer hint to the multipart parser as to what chunk size to use for reads and writes. if bufsize = env[RACK_MULTIPART_BUFFER_SIZE] - assert("rack.multipart.buffer_size must be an Integer > 0 if specified") { - bufsize.is_a?(Integer) && bufsize > 0 - } + unless bufsize.is_a?(Integer) && bufsize > 0 + raise LintError, "rack.multipart.buffer_size must be an Integer > 0 if specified" + end end ## rack.multipart.tempfile_factory:: An object responding to #call with two arguments, the filename and content_type given for the multipart form field, and returning an IO-like object that responds to #<< and optionally #rewind. 
This factory will be used to instantiate the tempfile for each multipart form file upload field, rather than the default class of Tempfile. if tempfile_factory = env[RACK_MULTIPART_TEMPFILE_FACTORY] - assert("rack.multipart.tempfile_factory must respond to #call") { tempfile_factory.respond_to?(:call) } + raise LintError, "rack.multipart.tempfile_factory must respond to #call" unless tempfile_factory.respond_to?(:call) env[RACK_MULTIPART_TEMPFILE_FACTORY] = lambda do |filename, content_type| io = tempfile_factory.call(filename, content_type) - assert("rack.multipart.tempfile_factory return value must respond to #<<") { io.respond_to?(:<<) } + raise LintError, "rack.multipart.tempfile_factory return value must respond to #<<" unless io.respond_to?(:<<) io end end 
@@ -276,32 +268,32 @@ %w[REQUEST_METHOD SERVER_NAME QUERY_STRING rack.version rack.input rack.errors rack.multithread rack.multiprocess rack.run_once].each { |header| - assert("env missing required key #{header}") { env.include? header } + raise LintError, "env missing required key #{header}" unless env.include? header } ## The SERVER_PORT must be an Integer if set. - assert("env[SERVER_PORT] is not an Integer") do - server_port = env["SERVER_PORT"] - server_port.nil? || (Integer(server_port) rescue false) + server_port = env["SERVER_PORT"] + unless server_port.nil? || (Integer(server_port) rescue false) + raise LintError, "env[SERVER_PORT] is not an Integer" end ## The SERVER_NAME must be a valid authority as defined by RFC7540. - assert("#{env[SERVER_NAME]} must be a valid authority") do - URI.parse("http://#{env[SERVER_NAME]}/") rescue false + unless (URI.parse("http://#{env[SERVER_NAME]}/") rescue false) + raise LintError, "#{env[SERVER_NAME]} must be a valid authority" end ## The HTTP_HOST must be a valid authority as defined by RFC7540. - assert("#{env[HTTP_HOST]} must be a valid authority") do - URI.parse("http://#{env[HTTP_HOST]}/") rescue false + unless (URI.parse("http://#{env[HTTP_HOST]}/") rescue false) + raise LintError, "#{env[HTTP_HOST]} must be a valid authority" end ## The environment must not contain the keys ## HTTP_CONTENT_TYPE or HTTP_CONTENT_LENGTH ## (use the versions without HTTP_). %w[HTTP_CONTENT_TYPE HTTP_CONTENT_LENGTH].each { |header| - assert("env contains #{header}, must use #{header[5, -1]}") { - not env.include? header - } + if env.include? header + raise LintError, "env contains #{header}, must use #{header[5, -1]}" + end } ## The CGI keys (named without a period) must have String values. 
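Review bot: The SERVER_NAME and HTTP_HOST checks only test that `URI.parse("http://#{value}/")` does not raise, which is weaker than "valid authority as defined by RFC7540": a value such as `example.com/x` or `example.com?x` parses successfully with the excess landing in the path or query, and the lint passes. If the intent is to enforce an authority (host with optional port), parse once and check that nothing spilled over: `uri = (URI.parse("http://#{env[SERVER_NAME]}/") rescue nil)` followed by `raise LintError, "#{env[SERVER_NAME]} must be a valid authority" unless uri && uri.path == "/" && uri.query.nil? && uri.fragment.nil? && uri.userinfo.nil?`, and the same for HTTP_HOST. The SERVER_PORT check has a similar looseness, since `Integer(server_port)` also accepts Ruby literal forms such as `"0x50"` or `"8_0"`; a comment recording that integer-like strings pass would at least make it explicit. Both are pre-existing behaviour carried over by the assert-to-raise refactor rather than introduced here, and `check_env` begins outside the hunk.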
@@ -309,25 +301,25 @@ ## they should use ASCII-8BIT encoding. env.each { |key, value| next if key.include? "." # Skip extensions - assert("env variable #{key} has non-string value #{value.inspect}") { - value.kind_of? String - } + unless value.kind_of? String + raise LintError, "env variable #{key} has non-string value #{value.inspect}" + end next if value.encoding == Encoding::ASCII_8BIT - assert("env variable #{key} has value containing non-ASCII characters and has non-ASCII-8BIT encoding #{value.inspect} encoding: #{value.encoding}") { - value.b !~ /[\x80-\xff]/n - } + unless value.b !~ /[\x80-\xff]/n + raise LintError, "env variable #{key} has value containing non-ASCII characters and has non-ASCII-8BIT encoding #{value.inspect} encoding: #{value.encoding}" + end } ## There are the following restrictions: ## * rack.version must be an array of Integers. - assert("rack.version must be an Array, was #{env[RACK_VERSION].class}") { - env[RACK_VERSION].kind_of? Array - } + unless env[RACK_VERSION].kind_of? Array + raise LintError, "rack.version must be an Array, was #{env[RACK_VERSION].class}" + end ## * rack.url_scheme must either be +http+ or +https+. - assert("rack.url_scheme unknown: #{env[RACK_URL_SCHEME].inspect}") { - %w[http https].include?(env[RACK_URL_SCHEME]) - } + unless %w[http https].include?(env[RACK_URL_SCHEME]) + raise LintError, "rack.url_scheme unknown: #{env[RACK_URL_SCHEME].inspect}" + end ## * There must be a valid input stream in rack.input. check_input env[RACK_INPUT] 
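Review bot: `unless value.b !~ /[\x80-\xff]/n` is a double negative that reads as its opposite at first glance; `if value.b =~ /[\x80-\xff]/n` states the same condition directly. The same pattern recurs in the `read` hunk of `InputWrapper` (`unless !v.nil?` where `if v.nil?` is meant), and `gets` and `read` keep `unless v.nil? or v.kind_of? String`, where `||` is the conventional operator and avoids the low-precedence trap of `or`. `check_env` continues outside this hunk.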
@@ -337,37 +329,33 @@ check_hijack env ## * The REQUEST_METHOD must be a valid token. - assert("REQUEST_METHOD unknown: #{env[REQUEST_METHOD].dump}") { - env[REQUEST_METHOD] =~ /\A[0-9A-Za-z!\#$%&'*+.^_`|~-]+\z/ - } + unless env[REQUEST_METHOD] =~ /\A[0-9A-Za-z!\#$%&'*+.^_`|~-]+\z/ + raise LintError, "REQUEST_METHOD unknown: #{env[REQUEST_METHOD].dump}" + end ## * The SCRIPT_NAME, if non-empty, must start with / - assert("SCRIPT_NAME must start with /") { - !env.include?(SCRIPT_NAME) || - env[SCRIPT_NAME] == "" || - env[SCRIPT_NAME] =~ /\A\// - } + if env.include?(SCRIPT_NAME) && env[SCRIPT_NAME] != "" && env[SCRIPT_NAME] !~ /\A\// + raise LintError, "SCRIPT_NAME must start with /" + end ## * The PATH_INFO, if non-empty, must start with / - assert("PATH_INFO must start with /") { - !env.include?(PATH_INFO) || - env[PATH_INFO] == "" || - env[PATH_INFO] =~ /\A\// - } + if env.include?(PATH_INFO) && env[PATH_INFO] != "" && env[PATH_INFO] !~ /\A\// + raise LintError, "PATH_INFO must start with /" + end ## * The CONTENT_LENGTH, if given, must consist of digits only. - assert("Invalid CONTENT_LENGTH: #{env["CONTENT_LENGTH"]}") { - !env.include?("CONTENT_LENGTH") || env["CONTENT_LENGTH"] =~ /\A\d+\z/ - } + if env.include?("CONTENT_LENGTH") && env["CONTENT_LENGTH"] !~ /\A\d+\z/ + raise LintError, "Invalid CONTENT_LENGTH: #{env["CONTENT_LENGTH"]}" + end ## * One of SCRIPT_NAME or PATH_INFO must be ## set. PATH_INFO should be / if ## SCRIPT_NAME is empty. - assert("One of SCRIPT_NAME or PATH_INFO must be set (make PATH_INFO '/' if SCRIPT_NAME is empty)") { - env[SCRIPT_NAME] || env[PATH_INFO] - } + unless env[SCRIPT_NAME] || env[PATH_INFO] + raise LintError, "One of SCRIPT_NAME or PATH_INFO must be set (make PATH_INFO '/' if SCRIPT_NAME is empty)" + end ## SCRIPT_NAME never should be /, but instead be empty. 
- assert("SCRIPT_NAME cannot be '/', make it '' and PATH_INFO '/'") { - env[SCRIPT_NAME] != "/" - } + unless env[SCRIPT_NAME] != "/" + raise LintError, "SCRIPT_NAME cannot be '/', make it '' and PATH_INFO '/'" + end end ## === The Input Stream @@ -377,18 +365,18 @@ def check_input(input) ## When applicable, its external encoding must be "ASCII-8BIT" and it ## must be opened in binary mode, for Ruby 1.9 compatibility. - assert("rack.input #{input} does not have ASCII-8BIT as its external encoding") { - input.external_encoding == Encoding::ASCII_8BIT - } if input.respond_to?(:external_encoding) - assert("rack.input #{input} is not opened in binary mode") { - input.binmode? - } if input.respond_to?(:binmode?) + if input.respond_to?(:external_encoding) && input.external_encoding != Encoding::ASCII_8BIT + raise LintError, "rack.input #{input} does not have ASCII-8BIT as its external encoding" + end + if input.respond_to?(:binmode?) && !input.binmode? + raise LintError, "rack.input #{input} is not opened in binary mode" + end ## The input stream must respond to +gets+, +each+, +read+ and +rewind+. [:gets, :each, :read, :rewind].each { |method| - assert("rack.input #{input} does not respond to ##{method}") { - input.respond_to? method - } + unless input.respond_to? method + raise LintError, "rack.input #{input} does not respond to ##{method}" + end } end @@ -402,11 +390,11 @@ ## * +gets+ must be called without arguments and return a string, ## or +nil+ on EOF. def gets(*args) - assert("rack.input#gets called with arguments") { args.size == 0 } + raise LintError, "rack.input#gets called with arguments" unless args.size == 0 v = @input.gets - assert("rack.input#gets didn't return a String") { - v.nil? or v.kind_of? String - } + unless v.nil? or v.kind_of? String + raise LintError, "rack.input#gets didn't return a String" + end v end 
@@ -428,32 +416,32 @@ ## If +buffer+ is given, then the read data will be placed ## into +buffer+ instead of a newly created String object. def read(*args) - assert("rack.input#read called with too many arguments") { - args.size <= 2 - } + unless args.size <= 2 + raise LintError, "rack.input#read called with too many arguments" + end if args.size >= 1 - assert("rack.input#read called with non-integer and non-nil length") { - args.first.kind_of?(Integer) || args.first.nil? - } - assert("rack.input#read called with a negative length") { - args.first.nil? || args.first >= 0 - } + unless args.first.kind_of?(Integer) || args.first.nil? + raise LintError, "rack.input#read called with non-integer and non-nil length" + end + unless args.first.nil? || args.first >= 0 + raise LintError, "rack.input#read called with a negative length" + end end if args.size >= 2 - assert("rack.input#read called with non-String buffer") { - args[1].kind_of?(String) - } + unless args[1].kind_of?(String) + raise LintError, "rack.input#read called with non-String buffer" + end end v = @input.read(*args) - assert("rack.input#read didn't return nil or a String") { - v.nil? or v.kind_of? String - } + unless v.nil? or v.kind_of? String + raise LintError, "rack.input#read didn't return nil or a String" + end if args[0].nil? - assert("rack.input#read(nil) returned nil on EOF") { - !v.nil? - } + unless !v.nil? + raise LintError, "rack.input#read(nil) returned nil on EOF" + end end v @@ -461,11 +449,11 @@ ## * +each+ must be called without arguments and only yield Strings. def each(*args) - assert("rack.input#each called with arguments") { args.size == 0 } + raise LintError, "rack.input#each called with arguments" unless args.size == 0 @input.each { |line| - assert("rack.input#each didn't yield a String") { - line.kind_of? String - } + unless line.kind_of? String + raise LintError, "rack.input#each didn't yield a String" + end yield line } end 
@@ -476,20 +464,18 @@ ## developers must buffer the input data into some rewindable object ## if the underlying input stream is not rewindable. def rewind(*args) - assert("rack.input#rewind called with arguments") { args.size == 0 } - assert("rack.input#rewind raised Errno::ESPIPE") { - begin - @input.rewind - true - rescue Errno::ESPIPE - false - end - } + raise LintError, "rack.input#rewind called with arguments" unless args.size == 0 + begin + @input.rewind + true + rescue Errno::ESPIPE + raise LintError, "rack.input#rewind raised Errno::ESPIPE" + end end ## * +close+ must never be called on the input stream. def close(*args) - assert("rack.input#close must not be called") { false } + raise LintError, "rack.input#close must not be called" end end @@ -497,9 +483,9 @@ def check_error(error) ## The error stream must respond to +puts+, +write+ and +flush+. [:puts, :write, :flush].each { |method| - assert("rack.error #{error} does not respond to ##{method}") { - error.respond_to? method - } + unless error.respond_to? method + raise LintError, "rack.error #{error} does not respond to ##{method}" + end } end @@ -517,7 +503,7 @@ ## * +write+ must be called with a single argument that is a String. def write(str) - assert("rack.errors#write not called with a String") { str.kind_of? String } + raise LintError, "rack.errors#write not called with a String" unless str.kind_of? String @error.write str end @@ -529,7 +515,7 @@ ## * +close+ must never be called on the error stream. def close(*args) - assert("rack.errors#close must not be called") { false } + raise LintError, "rack.errors#close must not be called" end end @@ -547,7 +533,7 @@ def initialize(io) @io = io REQUIRED_METHODS.each do |meth| - assert("rack.hijack_io must respond to #{meth}") { io.respond_to? meth } + raise LintError, "rack.hijack_io must respond to #{meth}" unless io.respond_to? meth end end end 
@@ -563,7 +549,7 @@
 if env[RACK_IS_HIJACK]
 ## If rack.hijack? is true then rack.hijack must respond to #call.
 original_hijack = env[RACK_HIJACK]
- assert("rack.hijack must respond to call") { original_hijack.respond_to?(:call) }
+ raise LintError, "rack.hijack must respond to call" unless original_hijack.respond_to?(:call)
 env[RACK_HIJACK] = proc do
 ## rack.hijack must return the io that will also be assigned (or is
 ## already present, in rack.hijack_io.
@@ -596,10 +582,10 @@
 else
 ##
 ## If rack.hijack? is false, then rack.hijack should not be set.
- assert("rack.hijack? is false, but rack.hijack is present") { env[RACK_HIJACK].nil? }
+ raise LintError, "rack.hijack? is false, but rack.hijack is present" unless env[RACK_HIJACK].nil?
 ##
 ## If rack.hijack? is false, then rack.hijack_io should not be set.
- assert("rack.hijack? is false, but rack.hijack_io is present") { env[RACK_HIJACK_IO].nil? }
+ raise LintError, "rack.hijack? is false, but rack.hijack_io is present" unless env[RACK_HIJACK_IO].nil?
 end
 end
@@ -630,9 +616,9 @@
 ## the rack.hijack response API is in use.
 if env[RACK_IS_HIJACK] && headers[RACK_HIJACK]
- assert('rack.hijack header must respond to #call') {
- headers[RACK_HIJACK].respond_to? :call
- }
+ unless headers[RACK_HIJACK].respond_to? :call
+ raise LintError, 'rack.hijack header must respond to #call'
+ end
 original_hijack = headers[RACK_HIJACK]
 proc do |io|
 original_hijack.call HijackWrapper.new(io)
@@ -641,9 +627,9 @@
 ##
 ## The special response header rack.hijack must only be set
 ## if the request env has rack.hijack? true.
- assert('rack.hijack header must not be present if server does not support hijacking') {
- headers[RACK_HIJACK].nil?
- }
+ unless headers[RACK_HIJACK].nil?
+ raise LintError, 'rack.hijack header must not be present if server does not support hijacking'
+ end
 nil
 end
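Review bot: The hijack checks are converted in two styles in adjacent hunks: modifier form at `@@ -563` and `@@ -596` (`raise LintError, "rack.hijack? is false, but rack.hijack_io is present" unless env[RACK_HIJACK_IO].nil?`, which is likely past the usual column limit once indented) and block form at `@@ -630` and `@@ -641`. Since the long-message cases elsewhere in this rewrite use the block form, the two modifier lines in `@@ -596` would read more consistently as `unless env[RACK_HIJACK].nil?` / `raise LintError, "rack.hijack? is false, but rack.hijack is present"` / `end`. The enclosing methods start and end outside these hunks.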
@@ -661,42 +647,45 @@
 def check_status(status)
 ## This is an HTTP status. When parsed as integer (+to_i+), it must be
 ## greater than or equal to 100.
- assert("Status must be >=100 seen as integer") { status.to_i >= 100 }
+ unless status.to_i >= 100
+ raise LintError, "Status must be >=100 seen as integer"
+ end
 end
 ## === The Headers
 def check_headers(header)
 ## The header must respond to +each+, and yield values of key and value.
- assert("headers object should respond to #each, but doesn't (got #{header.class} as headers)") {
- header.respond_to? :each
- }
+ unless header.respond_to? :each
+ raise LintError, "headers object should respond to #each, but doesn't (got #{header.class} as headers)"
+ end
 header.each { |key, value|
 ## The header keys must be Strings.
- assert("header key must be a string, was #{key.class}") {
- key.kind_of? String
- }
+ unless key.kind_of? String
+ raise LintError, "header key must be a string, was #{key.class}"
+ end
 ## Special headers starting "rack." are for communicating with the
 ## server, and must not be sent back to the client.
 next if key =~ /^rack\..+$/
 ## The header must not contain a +Status+ key.
- assert("header must not contain Status") { key.downcase != "status" }
+ raise LintError, "header must not contain Status" if key.downcase == "status"
 ## The header must conform to RFC7230 token specification, i.e. cannot
 ## contain non-printable ASCII, DQUOTE or "(),/:;<=>?@[\]{}".
- assert("invalid header name: #{key}") { key !~ /[\(\),\/:;<=>\?@\[\\\]{}[:cntrl:]]/ }
+ raise LintError, "invalid header name: #{key}" if key =~ /[\(\),\/:;<=>\?@\[\\\]{}[:cntrl:]]/
 ## The values of the header must be Strings,
- assert("a header value must be a String, but the value of " +
- "'#{key}' is a #{value.class}") { value.kind_of? String }
+ unless value.kind_of? String
+ raise LintError, "a header value must be a String, but the value of '#{key}' is a #{value.class}"
+ end
 ## consisting of lines (for multiple header values, e.g. multiple
 ## Set-Cookie values) separated by "\\n".
 value.split("\n").each { |item|
 ## The lines must not contain characters below 037.
- assert("invalid header value #{key}: #{item.inspect}") {
- item !~ /[\000-\037]/
- }
+ if item =~ /[\000-\037]/
+ raise LintError, "invalid header value #{key}: #{item.inspect}"
+ end
 }
 }
 end
@@ -707,9 +696,9 @@
 ## There must not be a Content-Type, when the +Status+ is 1xx,
 ## 204 or 304.
 if key.downcase == "content-type"
- assert("Content-Type header found in #{status} response, not allowed") {
- not Rack::Utils::STATUS_WITH_NO_ENTITY_BODY.key? status.to_i
- }
+ if Rack::Utils::STATUS_WITH_NO_ENTITY_BODY.key? status.to_i
+ raise LintError, "Content-Type header found in #{status} response, not allowed"
+ end
 return
 end
 }
@@ -721,9 +710,9 @@
 if key.downcase == 'content-length'
 ## There must not be a Content-Length header when the
 ## +Status+ is 1xx, 204 or 304.
- assert("Content-Length header found in #{status} response, not allowed") {
- not Rack::Utils::STATUS_WITH_NO_ENTITY_BODY.key? status.to_i
- }
+ if Rack::Utils::STATUS_WITH_NO_ENTITY_BODY.key? status.to_i
+ raise LintError, "Content-Length header found in #{status} response, not allowed"
+ end
 @content_length = value
 end
 }
@@ -731,13 +720,13 @@
 def verify_content_length(bytes)
 if @head_request
- assert("Response body was given for HEAD request, but should be empty") {
- bytes == 0
- }
+ unless bytes == 0
+ raise LintError, "Response body was given for HEAD request, but should be empty"
+ end
 elsif @content_length
- assert("Content-Length header was #{@content_length}, but should be #{bytes}") {
- @content_length == bytes.to_s
- }
+ unless @content_length == bytes.to_s
+ raise LintError, "Content-Length header was #{@content_length}, but should be #{bytes}"
+ end
 end
 end
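Review bot: The new header-name and header-value checks in `check_headers` use `=~` purely as a predicate (`if key =~ /[\(\),…]/`, `if item =~ /[\000-\037]/`); `match?` gives the same answer without allocating `MatchData` for every header of every response run under Lint, e.g. `raise LintError, "invalid header name: #{key}" if key.match?(/[\(\),\/:;<=>\?@\[\\\]{}[:cntrl:]]/)`. Not introduced by this change but worth fixing while the method is being rewritten: the preceding context line `next if key =~ /^rack\..+$/` uses line anchors, so a key whose first line begins with `rack.` skips the token check even if a later line contains a control character; `\A` and `\z` restrict the skip to keys that match as a whole. `check_status` at the top of the hunk and `check_headers` both end inside it.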
@@ -747,15 +736,15 @@
 bytes = 0
 ## The Body must respond to +each+
- assert("Response body must respond to each") do
- @body.respond_to?(:each)
+ unless @body.respond_to?(:each)
+ raise LintError, "Response body must respond to each"
 end
 @body.each { |part|
 ## and must only yield String values.
- assert("Body yielded non-string value #{part.inspect}") {
- part.kind_of? String
- }
+ unless part.kind_of? String
+ raise LintError, "Body yielded non-string value #{part.inspect}"
+ end
 bytes += part.bytesize
 yield part
 }
@@ -768,7 +757,7 @@
 ## If the Body responds to +close+, it will be called after iteration. If
 ## the body is replaced by a middleware after action, the original body
 ## must be closed first, if it responds to close.
- # XXX howto: assert("Body has not been closed") { @closed }
+ # XXX howto: raise LintError, "Body has not been closed" unless @closed
 ##
@@ -779,9 +768,9 @@
 ## transport the response.
 if @body.respond_to?(:to_path)
- assert("The file identified by body.to_path does not exist") {
- ::File.exist? @body.to_path
- }
+ unless ::File.exist? @body.to_path
+ raise LintError, "The file identified by body.to_path does not exist"
+ end
 end
 ##
diff -Nru ruby-rack-2.2.6.4/lib/rack/media_type.rb ruby-rack-2.2.13/lib/rack/media_type.rb
--- ruby-rack-2.2.6.4/lib/rack/media_type.rb 2023-03-13 18:07:51.000000000 +0000
+++ ruby-rack-2.2.13/lib/rack/media_type.rb 2025-03-10 21:18:07.000000000 +0000
@@ -4,7 +4,7 @@
 # Rack::MediaType parse media type and parameters out of content_type string
 class MediaType
- SPLIT_PATTERN = %r{\s*[;,]\s*}
+ SPLIT_PATTERN = /[;,]/
 class << self
 # The media type (type/subtype) portion of the CONTENT_TYPE header
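Review bot: `SPLIT_PATTERN = /[;,]/` drops the `\s*` on both sides of the delimiter without a comment saying why, so the next reader is likely to "restore" it. Suggest above the constant: `# Split on the delimiter only; callers strip whitespace themselves so the pattern stays linear-time on long, whitespace-heavy input.` The segments now carry their surrounding whitespace, which is a semantic change for anything else that reads `SPLIT_PATTERN`; I cannot see other users from this hunk, so that is worth a check before merge.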
@@ -15,7 +15,11 @@
 # http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.7
 def type(content_type)
 return nil unless content_type
- content_type.split(SPLIT_PATTERN, 2).first.tap &:downcase!
+ if type = content_type.split(SPLIT_PATTERN, 2).first
+ type.rstrip!
+ type.downcase!
+ type
+ end
 end
 # The media type parameters provided in CONTENT_TYPE as a Hash, or
@@ -27,9 +31,10 @@
 return {} if content_type.nil?
 content_type.split(SPLIT_PATTERN)[1..-1].each_with_object({}) do |s, hsh|
+ s.strip!
 k, v = s.split('=', 2)
-
- hsh[k.tap(&:downcase!)] = strip_doublequotes(v)
+ k.downcase!
+ hsh[k] = strip_doublequotes(v)
 end
 end
diff -Nru ruby-rack-2.2.6.4/lib/rack/multipart/parser.rb ruby-rack-2.2.13/lib/rack/multipart/parser.rb
--- ruby-rack-2.2.6.4/lib/rack/multipart/parser.rb 2023-03-13 18:07:51.000000000 +0000
+++ ruby-rack-2.2.13/lib/rack/multipart/parser.rb 2025-03-10 21:18:07.000000000 +0000
@@ -13,7 +13,9 @@
 BUFSIZE = 1_048_576
 TEXT_PLAIN = "text/plain"
 TEMPFILE_FACTORY = lambda { |filename, content_type|
- Tempfile.new(["RackMultipart", ::File.extname(filename.gsub("\0", '%00'))])
+ extension = ::File.extname(filename.gsub("\0", '%00'))[0, 129]
+
+ Tempfile.new(["RackMultipart", extension])
 }
 BOUNDARY_REGEX = /\A([^\n]*(?:\n|\Z))/
@@ -189,6 +191,7 @@
 @sbuf = StringScanner.new("".dup)
 @body_regex = /(?:#{EOL})?#{Regexp.quote(@boundary)}(?:#{EOL}|--)/m
+ @end_boundary_size = boundary.bytesize + 6 # (-- at start, -- at finish, EOL at end)
 @rx_max_size = EOL.size + @boundary.bytesize + [EOL.size, '--'.size].max
 @head_regex = /(.*?#{EOL})#{EOL}/m
 end
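Review bot: `if type = content_type.split(SPLIT_PATTERN, 2).first` assigns inside the condition, which RuboCop's Lint/AssignmentInCondition flags; `if (type = content_type.split(SPLIT_PATTERN, 2).first)` makes the intent explicit, and naming the local `media` rather than `type` avoids shadowing the method's own name inside `def type`. The branch also quietly changes the empty-string case (`"".split(...)` has no first element, so the old `.tap` call raised NoMethodError while the new code returns nil), which deserves a one-line comment such as `# An empty Content-Type has no segments; return nil rather than raising.` since nothing in the hunk records it.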
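Review bot: In `params`, `k.downcase!` raises NoMethodError when a parameter segment is empty after `s.strip!`, because `"".split('=', 2)` is `[]` and `k` is nil — a Content-Type containing `;;` or `; ;` triggers it. The old `k.tap(&:downcase!)` had the same problem, but the loop is being rewritten anyway and this header is normally client-supplied, so `next if s.empty?` immediately after `s.strip!` turns a 500 into an ignored segment at no cost.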
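Review bot: `[0, 129]` in `TEMPFILE_FACTORY` is a magic number; the intent (a dot plus 128 characters, matching the new spec's `".#{'a' * 128}"`) belongs in a named constant or at least a comment, e.g. `# Cap the extension at "." + 128 chars so the tempfile name stays within common filename limits.` Note that `String#[]` slices by character, not byte, so a multibyte extension can still exceed a byte-based filesystem limit; `byteslice` would bound the bytes but may split a character, so whichever is intended should be stated in that comment.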
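Review bot: `@end_boundary_size = boundary.bytesize + 6` hard-codes a two-byte EOL while the very next line derives the same quantity from `EOL.size`; `@end_boundary_size = boundary.bytesize + 4 + EOL.size # "--" + boundary + "--" + EOL` keeps the two in step if `EOL` ever changes and replaces the terse trailing comment. The new line also reads the `boundary` parameter where its neighbours use `@boundary`; presumably equal at this point in `initialize`, but one spelling avoids the question. The constructor starts and ends outside the hunk.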
@@ -229,7 +232,12 @@
 end
 def handle_fast_forward
- if consume_boundary
+ tok = consume_boundary
+
+ if tok == :END_BOUNDARY && @sbuf.pos == @end_boundary_size && @sbuf.eos?
+ # stop parsing a buffer if a buffer is only an end boundary.
+ @state = :DONE
+ elsif tok
 @state = :MIME_HEAD
 else
 raise EOFError, "bad content body" if @sbuf.rest_size >= @bufsize
diff -Nru ruby-rack-2.2.6.4/lib/rack/request.rb ruby-rack-2.2.13/lib/rack/request.rb
--- ruby-rack-2.2.6.4/lib/rack/request.rb 2023-03-13 18:07:51.000000000 +0000
+++ ruby-rack-2.2.13/lib/rack/request.rb 2025-03-10 21:18:07.000000000 +0000
@@ -608,7 +608,7 @@
 (?[\d\.]+)
 |
 # A hostname:
- (?[a-zA-Z0-9\.\-]+)
+ (?[a-zA-Z0-9\.\-_]+)
 )
 # The optional port:
 (:(?\d+))?
diff -Nru ruby-rack-2.2.6.4/lib/rack/sendfile.rb ruby-rack-2.2.13/lib/rack/sendfile.rb
--- ruby-rack-2.2.6.4/lib/rack/sendfile.rb 2023-03-13 18:07:51.000000000 +0000
+++ ruby-rack-2.2.13/lib/rack/sendfile.rb 2025-03-10 21:18:07.000000000 +0000
@@ -133,7 +133,7 @@
 end
 when '', nil
 else
- env[RACK_ERRORS].puts "Unknown x-sendfile variation: '#{type}'.\n"
+ env[RACK_ERRORS].puts "Unknown x-sendfile variation: #{type.inspect}"
 end
 end
 [status, headers, body]
diff -Nru ruby-rack-2.2.6.4/lib/rack/session/cookie.rb ruby-rack-2.2.13/lib/rack/session/cookie.rb
--- ruby-rack-2.2.6.4/lib/rack/session/cookie.rb 2023-03-13 18:07:51.000000000 +0000
+++ ruby-rack-2.2.13/lib/rack/session/cookie.rb 2025-03-10 21:18:07.000000000 +0000
@@ -4,7 +4,7 @@
 require 'zlib'
 require_relative 'abstract/id'
 require 'json'
-require 'base64'
+require 'delegate'
 module Rack
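Review bot: The comment `# stop parsing a buffer if a buffer is only an end boundary.` says what the branch does but not why it is special, and the condition `@sbuf.pos == @end_boundary_size && @sbuf.eos?` only holds when the closing delimiter is the entire buffer, which a reader cannot see without `consume_boundary` (outside the hunk). Suggest `# A body that is only the closing delimiter ("--boundary--" + EOL) has no parts; finish here instead of moving to :MIME_HEAD with nothing left to read.` `handle_fast_forward` continues past the end of the hunk.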
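Review bot: Adding `_` to the hostname character class means `Request#host` and `#hostname` now return names that are not valid DNS labels (the spec exercises `some_service`), which matters wherever a parsed host is treated as implicitly trustworthy; a comment on the class records the trade-off, e.g. `# "_" is not valid in DNS labels but is common in container/service names; callers must still compare host against an explicit allow-list.` The named-capture names appear to have been stripped in this rendering (`(?[a-zA-Z0-9\.\-_]+)`), so I am reading the intent from the old line; the regexp continues on both sides of the hunk.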
@@ -50,11 +50,11 @@
 # Encode session cookies as Base64
 class Base64
 def encode(str)
- ::Base64.strict_encode64(str)
+ [str].pack("m0")
 end
 def decode(str)
- ::Base64.decode64(str)
+ str.unpack("m").first
 end
 # Encode session cookies as Marshaled Base64 data
diff -Nru ruby-rack-2.2.6.4/lib/rack/static.rb ruby-rack-2.2.13/lib/rack/static.rb
--- ruby-rack-2.2.6.4/lib/rack/static.rb 2023-03-13 18:07:51.000000000 +0000
+++ ruby-rack-2.2.13/lib/rack/static.rb 2025-03-10 21:18:07.000000000 +0000
@@ -122,8 +122,9 @@
 def call(env)
 path = env[PATH_INFO]
+ actual_path = Utils.clean_path_info(Utils.unescape_path(path))
- if can_serve(path)
+ if can_serve(actual_path)
 if overwrite_file_path(path)
 env[PATH_INFO] = (add_index_root?(path) ? path + @index : @urls[path])
 elsif @gzip && env['HTTP_ACCEPT_ENCODING'] && /\bgzip\b/.match?(env['HTTP_ACCEPT_ENCODING'])
diff -Nru ruby-rack-2.2.6.4/lib/rack/utils.rb ruby-rack-2.2.13/lib/rack/utils.rb
--- ruby-rack-2.2.6.4/lib/rack/utils.rb 2023-03-13 18:07:51.000000000 +0000
+++ ruby-rack-2.2.13/lib/rack/utils.rb 2025-03-10 21:18:07.000000000 +0000
@@ -24,6 +24,7 @@
 RFC2822_DAY_NAME = [ 'Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat' ]
 RFC2822_MONTH_NAME = [ 'Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec' ]
+ RFC2396_PARSER = defined?(URI::RFC2396_PARSER) ? URI::RFC2396_PARSER : URI::RFC2396_Parser.new
 class << self
 attr_accessor :default_query_parser
@@ -42,13 +43,13 @@
 # Like URI escaping, but with %20 instead of +. Strictly speaking this is
 # true URI escaping.
 def escape_path(s)
- ::URI::DEFAULT_PARSER.escape s
+ RFC2396_PARSER.escape s
 end
 # Unescapes the **path** component of a URI. See Rack::Utils.unescape for
 # unescaping query parameters or form components.
 def unescape_path(s)
- ::URI::DEFAULT_PARSER.unescape s
+ RFC2396_PARSER.unescape s
 end
 # Unescapes a URI escaped string with +encoding+. +encoding+ will be the
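Review bot: `str.unpack("m").first` decodes leniently (`"m"` tolerates stray characters and padding problems) while `encode` uses the strict `"m0"` form; that mirrors the former `strict_encode64`/`decode64` pairing, but without a comment the asymmetry looks like an oversight that someone will "harmonise". Suggest on `decode`: `# "m" is the lenient decoder, matching the former Base64.decode64; "m0" above is strict, matching strict_encode64.` Whether integrity of the decoded payload is enforced elsewhere cannot be seen from this hunk, so I would not claim more than that in the comment.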
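Review bot: Only the `can_serve` gate uses the canonicalised `actual_path`; `overwrite_file_path(path)` and `@urls[path]` on the following lines still key on the raw `path`, and `call` continues past the hunk, so a reader may take that for an incomplete fix. A comment makes the split deliberate: `# Gate on the canonical form so dot-segments or percent-encoding cannot slip past the :urls prefix check; the exact-match lookups below intentionally keep the raw path.` If the remainder of `call` hands `path` to the file server, it is worth confirming that the server re-cleans it (not visible here).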
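Review bot: The new `RFC2396_PARSER` constant has no comment explaining why `URI::DEFAULT_PARSER` is no longer used, yet `escape_path`/`unescape_path` in the following hunk now depend on it and the difference is behavioural (which characters are escaped), not cosmetic. Suggest `# Pin the RFC 2396 parser: escape/unescape semantics must not change when the uri library switches its default; the constant only exists on newer uri versions, hence the fallback.` The first clause is my reading of the `defined?` guard, so verify it against the uri versions this release targets.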
@@ -142,8 +143,8 @@
 end
 def q_values(q_value_header)
- q_value_header.to_s.split(/\s*,\s*/).map do |part|
- value, parameters = part.split(/\s*;\s*/, 2)
+ q_value_header.to_s.split(',').map do |part|
+ value, parameters = part.split(';', 2).map(&:strip)
 quality = 1.0
 if parameters && (md = /\Aq=([\d.]+)/.match(parameters))
 quality = md[1].to_f
@@ -380,6 +381,9 @@
 end
 ranges << (r0..r1) if r0 <= r1
 end
+
+ return [] if ranges.map(&:size).inject(0, :+) > size
+
 ranges
 end
diff -Nru ruby-rack-2.2.6.4/lib/rack/version.rb ruby-rack-2.2.13/lib/rack/version.rb
--- ruby-rack-2.2.6.4/lib/rack/version.rb 2023-03-13 18:07:51.000000000 +0000
+++ ruby-rack-2.2.13/lib/rack/version.rb 2025-03-10 21:18:07.000000000 +0000
@@ -20,7 +20,7 @@
 VERSION.join(".")
 end
- RELEASE = "2.2.6.4"
+ RELEASE = "2.2.13"
 # Return the Rack release as a dotted string.
 def self.release
diff -Nru ruby-rack-2.2.6.4/test/spec_common_logger.rb ruby-rack-2.2.13/test/spec_common_logger.rb
--- ruby-rack-2.2.6.4/test/spec_common_logger.rb 2023-03-13 18:07:51.000000000 +0000
+++ ruby-rack-2.2.13/test/spec_common_logger.rb 2025-03-10 21:18:07.000000000 +0000
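Review bot: `return [] if ranges.map(&:size).inject(0, :+) > size` gives `byte_ranges` a second "no result" value — `nil` for a missing or unparseable header (the spec asserts `must_be_nil` for those) versus `[]` for a syntactically fine but over-sized set — and that distinction is recorded nowhere in the hunk. Add `# Reject range sets whose combined length exceeds the resource; overlapping ranges are otherwise legal, so this is a size bound, not a dedup.` on the new line, and spell out the `nil` vs `[]` contract in the method's doc comment, which starts above the hunk. `ranges.sum(&:size)` is the idiomatic spelling if the supported Ruby floor allows it.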
@@ -87,12 +87,17 @@
 (0..1).must_include duration.to_f
 end
- it "escapes non printable characters except newline" do
+ it "escapes non printable characters including newline" do
 logdev = StringIO.new
 log = Logger.new(logdev)
 Rack::MockRequest.new(Rack::CommonLogger.new(app_without_lint, log)).request("GET\b", "/hello")
 logdev.string.must_match(/GET\\x8 \/hello/)
+
+ Rack::MockRequest.new(Rack::CommonLogger.new(app, log)).get("/", 'REMOTE_USER' => "foo\nbar", "QUERY_STRING" => "bar\nbaz")
+ logdev.string[-1].must_equal "\n"
+ logdev.string.must_include("foo\\xabar")
+ logdev.string.must_include("bar\\xabaz")
 end
 it "log path with PATH_INFO" do
diff -Nru ruby-rack-2.2.6.4/test/spec_multipart.rb ruby-rack-2.2.13/test/spec_multipart.rb
--- ruby-rack-2.2.6.4/test/spec_multipart.rb 2023-03-13 18:07:51.000000000 +0000
+++ ruby-rack-2.2.13/test/spec_multipart.rb 2025-03-10 21:18:07.000000000 +0000
@@ -704,6 +704,28 @@
 params["file"][:filename].must_equal 'long' * 100
 end
+ it "limits very long file name extensions in multipart tempfiles" do
+ data = <<-EOF
+--AaB03x\r
+content-type: text/plain\r
+content-disposition: attachment; name=file; filename=foo.#{'a' * 1000}\r
+\r
+contents\r
+--AaB03x--\r
+ EOF
+
+ options = {
+ "CONTENT_TYPE" => "multipart/form-data; boundary=AaB03x",
+ "CONTENT_LENGTH" => data.length.to_s,
+ :input => StringIO.new(data)
+ }
+ env = Rack::MockRequest.env_for("/", options)
+ params = Rack::Multipart.parse_multipart(env)
+
+ params["file"][:filename].must_equal "foo.#{'a' * 1000}"
+ File.extname(env["rack.tempfiles"][0]).must_equal ".#{'a' * 128}"
+ end
+
 it "parse unquoted parameter values at end of line" do
 data = <<-EOF
 --AaB03x\r
diff -Nru ruby-rack-2.2.6.4/test/spec_request.rb ruby-rack-2.2.13/test/spec_request.rb
--- ruby-rack-2.2.6.4/test/spec_request.rb 2023-03-13 18:07:51.000000000 +0000
+++ ruby-rack-2.2.13/test/spec_request.rb 2025-03-10 21:18:07.000000000 +0000
@@ -122,6 +122,11 @@ req.hostname.must_equal "123foo.example.com" req = make_request \ + Rack::MockRequest.env_for("/", "HTTP_HOST" => "some_service:3001") + req.host.must_equal "some_service" + req.hostname.must_equal "some_service" + + req = make_request \ Rack::MockRequest.env_for("/", "SERVER_NAME" => "example.org", "SERVER_PORT" => "9292") req.host.must_equal "example.org" req.hostname.must_equal "example.org" @@ -157,6 +162,10 @@ req.port.must_equal 81 req = make_request \ + Rack::MockRequest.env_for("/", "HTTP_HOST" => "some_service:3001") + req.port.must_equal 3001 + + req = make_request \ Rack::MockRequest.env_for("/", "SERVER_NAME" => "example.org", "SERVER_PORT" => "9292") req.port.must_equal 9292 @@ -1000,6 +1009,24 @@ f[:tempfile].size.must_equal 76 end + it "parse multipart delimiter-only boundary" do + input = < "multipart/form-data, boundary=AaB03x", + "CONTENT_LENGTH" => input.size, + :input => input + ) + + req = make_request mr + req.query_string.must_equal "" + req.GET.must_be :empty? + req.POST.must_be :empty? + req.params.must_equal({}) + end + it "MultipartPartLimitError when request has too many multipart file parts if limit set" do begin data = 10000.times.map { "--AaB03x\r\nContent-Type: text/plain\r\nContent-Disposition: attachment; name=#{SecureRandom.hex(10)}; filename=#{SecureRandom.hex(10)}\r\n\r\ncontents\r\n" }.join("\r\n") diff -Nru ruby-rack-2.2.6.4/test/spec_sendfile.rb ruby-rack-2.2.13/test/spec_sendfile.rb --- ruby-rack-2.2.6.4/test/spec_sendfile.rb 2023-03-13 18:07:51.000000000 +0000 +++ ruby-rack-2.2.13/test/spec_sendfile.rb 2025-03-10 21:18:07.000000000 +0000 
@@ -48,7 +48,7 @@
 response.headers.wont_include 'X-Sendfile'
 io.rewind
- io.read.must_equal "Unknown x-sendfile variation: 'X-Banana'.\n"
+ io.read.must_equal "Unknown x-sendfile variation: \"X-Banana\"\n"
 end
 end
diff -Nru ruby-rack-2.2.6.4/test/spec_static.rb ruby-rack-2.2.13/test/spec_static.rb
--- ruby-rack-2.2.6.4/test/spec_static.rb 2023-03-13 18:07:51.000000000 +0000
+++ ruby-rack-2.2.13/test/spec_static.rb 2025-03-10 21:18:07.000000000 +0000
@@ -43,6 +43,12 @@
 res.body.must_match(/ruby/)
 end
+ it "does not serve files outside :urls" do
+ res = @request.get("/cgi/../#{File.basename(__FILE__)}")
+ res.must_be :ok?
+ res.body.must_equal "Hello World"
+ end
+
 it "404s if url root is known but it can't find the file" do
 res = @request.get("/cgi/foo")
 res.must_be :not_found?
diff -Nru ruby-rack-2.2.6.4/test/spec_utils.rb ruby-rack-2.2.13/test/spec_utils.rb
--- ruby-rack-2.2.6.4/test/spec_utils.rb 2023-03-13 18:07:51.000000000 +0000
+++ ruby-rack-2.2.13/test/spec_utils.rb 2025-03-10 21:18:07.000000000 +0000
@@ -590,6 +590,10 @@
 end
 describe Rack::Utils, "byte_range" do
+ it "returns an empty list if the sum of the ranges is too large" do
+ assert_equal [], Rack::Utils.byte_ranges({ "HTTP_RANGE" => "bytes=0-20,0-500" }, 500)
+ end
+
 it "ignore missing or syntactically invalid byte ranges" do
 Rack::Utils.byte_ranges({}, 500).must_be_nil
 Rack::Utils.byte_ranges({ "HTTP_RANGE" => "foobar" }, 500).must_be_nil
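Review bot: The new `spec_static` case only exercises the literal `..` form of the path; since the gate in `Rack::Static#call` unescapes before it cleans, a second request in the same `it` block using the percent-encoded spelling of the same path pins that branch as well, and a companion assertion that a legitimate file under `/cgi/` is still served guards against an over-eager clean. Both are two-line additions in the existing `@request.get` / `must_be` style.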