Version in base suite: 2.2.6.4-1+deb12u1
Base version: ruby-rack_2.2.6.4-1+deb12u1
Target version: ruby-rack_2.2.13-1~deb12u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/r/ruby-rack/ruby-rack_2.2.6.4-1+deb12u1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/r/ruby-rack/ruby-rack_2.2.13-1~deb12u1.dsc
.github/workflows/development.yml | 6
CHANGELOG.md | 43 +
SPEC.rdoc | 14
debian/changelog | 9
debian/patches/0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch | 51 -
debian/patches/0002-Make-tests-pass-on-hosts-that-have-no-ipv4-connectiv.patch | 2
debian/patches/0002-Return-an-empty-array-when-ranges-are-too-large.patch | 46 -
debian/patches/0003-Fixing-ReDoS-in-header-parsing.patch | 30
debian/patches/series | 3
debian/patches/skip-unreadable-dir-test.patch | 8
lib/rack/auth/basic.rb | 3
lib/rack/auth/digest/nonce.rb | 5
lib/rack/common_logger.rb | 5
lib/rack/lint.rb | 365 ++++------
lib/rack/media_type.rb | 13
lib/rack/multipart/parser.rb | 12
lib/rack/request.rb | 2
lib/rack/sendfile.rb | 2
lib/rack/session/cookie.rb | 6
lib/rack/static.rb | 3
lib/rack/utils.rb | 12
lib/rack/version.rb | 2
test/spec_common_logger.rb | 7
test/spec_multipart.rb | 22
test/spec_request.rb | 27
test/spec_sendfile.rb | 2
test/spec_static.rb | 6
test/spec_utils.rb | 4
28 files changed, 349 insertions(+), 361 deletions(-)
diff -Nru ruby-rack-2.2.6.4/.github/workflows/development.yml ruby-rack-2.2.13/.github/workflows/development.yml
--- ruby-rack-2.2.6.4/.github/workflows/development.yml 2023-03-13 18:07:51.000000000 +0000
+++ ruby-rack-2.2.13/.github/workflows/development.yml 2025-03-10 21:18:07.000000000 +0000
@@ -7,8 +7,8 @@
strategy:
fail-fast: false
matrix:
- os: [ubuntu-20.04]
- ruby: [2.3, 2.4, 2.5, 2.6, 2.7, '3.0', 3.1, 3.2]
+ os: [ubuntu-latest]
+ ruby: [2.3, 2.4, 2.5, 2.6, 2.7, '3.0', 3.1, 3.2, 3.3, 3.4]
runs-on: ${{matrix.os}}
steps:
- uses: actions/checkout@v2
@@ -17,7 +17,7 @@
with:
ruby-version: ${{matrix.ruby}}
- - uses: actions/cache@v1
+ - uses: actions/cache@v4
with:
path: vendor/bundle
key: bundle-use-ruby-${{matrix.os}}-${{matrix.ruby}}-${{hashFiles('**/Gemfile')}}
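Review bot: `actions/cache@v4` on the new line, like `actions/checkout@v2` left untouched in the hunk above, is referenced by a mutable major-version tag, so the job runs whatever commit that tag points at on the day it runs; pinning to the full commit SHA with the tag kept as a trailing comment (`- uses: actions/cache@<40-hex-sha> # v4`) closes that supply-chain gap. Bumping cache but not checkout also looks like an oversight, since checkout v2 runs on a Node runtime GitHub has been retiring — worth confirming on the runner. The switch to `ubuntu-latest` in the first hunk is a second moving target; whether ruby/setup-ruby still provides 2.3–2.6 on whatever image that resolves to is not visible here.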
diff -Nru ruby-rack-2.2.6.4/CHANGELOG.md ruby-rack-2.2.13/CHANGELOG.md
--- ruby-rack-2.2.6.4/CHANGELOG.md 2023-03-13 18:07:51.000000000 +0000
+++ ruby-rack-2.2.13/CHANGELOG.md 2025-03-10 21:18:07.000000000 +0000
@@ -2,6 +2,43 @@
All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
+## [2.2.13] - 2025-03-11
+
+### Security
+
+- [CVE-2025-27610](https://github.com/rack/rack/security/advisories/GHSA-7wqh-767x-r66v) Local file inclusion in `Rack::Static`.
+
+## [2.2.12] - 2025-03-04
+
+### Security
+
+- [CVE-2025-27111](https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v) Possible Log Injection in `Rack::Sendfile`.
+
+## [2.2.11] - 2025-02-12
+
+### Security
+
+- [CVE-2025-25184](https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg) Possible Log Injection in `Rack::CommonLogger`.
+
+## [2.2.10] - 2024-10-14
+
+- Fix compatibility issues with Ruby v3.4.0. ([#2248](https://github.com/rack/rack/pull/2248), [@byroot](https://github.com/byroot))
+
+## [2.2.9] - 2023-03-21
+
+- Return empty when parsing a multi-part POST with only one end delimiter. ([#2104](https://github.com/rack/rack/pull/2104), [@alpaca-tc])
+
+## [2.2.8] - 2023-07-31
+
+- Regenerate SPEC ([#2102](https://github.com/rack/rack/pull/2102), [@skipkayhil](https://github.com/skipkayhil))
+- Limit file extension length of multipart tempfiles ([#2015](https://github.com/rack/rack/pull/2015), [@dentarg](https://github.com/dentarg))
+- Fix "undefined method DelegateClass for Rack::Session::Cookie:Class" ([#2092](https://github.com/rack/rack/pull/2092), [@onigra](https://github.com/onigra) [@dchandekstark](https://github.com/dchandekstark))
+
+## [2.2.7] - 2023-03-13
+
+- Correct the year number in the changelog ([#2015](https://github.com/rack/rack/pull/2015), [@kimulab](https://github.com/kimulab))
+- Support underscore in host names for Rack 2.2 (Fixes [#2070](https://github.com/rack/rack/issues/2070)) ([#2015](https://github.com/rack/rack/pull/2071), [@jeremyevans](https://github.com/jeremyevans))
+
## [2.2.6.4] - 2023-03-13
- [CVE-2023-27539] Avoid ReDoS in header parsing
@@ -10,16 +47,16 @@
- [CVE-2023-27530] Introduce multipart_total_part_limit to limit total parts
-## [2.2.6.2] - 2022-01-17
+## [2.2.6.2] - 2023-01-17
- [CVE-2022-44570] Fix ReDoS in Rack::Utils.get_byte_ranges
-## [2.2.6.1] - 2022-01-17
+## [2.2.6.1] - 2023-01-17
- [CVE-2022-44571] Fix ReDoS vulnerability in multipart parser
- [CVE-2022-44572] Forbid control characters in attributes (also ReDoS)
-## [2.2.6] - 2022-01-17
+## [2.2.6] - 2023-01-17
- Extend `Rack::MethodOverride` to handle `QueryParser::ParamsTooDeepError` error. ([#2011](https://github.com/rack/rack/pull/2011), [@byroot](https://github.com/byroot))
diff -Nru ruby-rack-2.2.6.4/SPEC.rdoc ruby-rack-2.2.13/SPEC.rdoc
--- ruby-rack-2.2.6.4/SPEC.rdoc 2023-03-13 18:07:51.000000000 +0000
+++ ruby-rack-2.2.13/SPEC.rdoc 2025-03-10 21:18:07.000000000 +0000
@@ -42,17 +42,18 @@
QUERY_STRING:: The portion of the request URL that
follows the ?, if any. May be
empty, but is always required!
-SERVER_NAME, SERVER_PORT::
- When combined with SCRIPT_NAME and
+SERVER_NAME:: When combined with SCRIPT_NAME and
PATH_INFO, these variables can be
used to complete the URL. Note, however,
that HTTP_HOST, if present,
should be used in preference to
SERVER_NAME for reconstructing
the request URL.
- SERVER_NAME and SERVER_PORT
- can never be empty strings, and so
- are always required.
+ SERVER_NAME can never be an empty
+ string, and so is always required.
+SERVER_PORT:: An optional +Integer+ which is the port the
+ server is running on. Should be specified if
+ the server is running on a non-standard port.
HTTP_ Variables:: Variables corresponding to the
client-supplied HTTP request
headers (i.e., variables whose
@@ -122,6 +123,9 @@
is reserved for use with the Rack core distribution and other
accepted specifications and must not be used otherwise.
+The SERVER_PORT must be an Integer if set.
+The SERVER_NAME must be a valid authority as defined by RFC7540.
+The HTTP_HOST must be a valid authority as defined by RFC7540.
The environment must not contain the keys
HTTP_CONTENT_TYPE or HTTP_CONTENT_LENGTH
(use the versions without HTTP_).
diff -Nru ruby-rack-2.2.6.4/debian/changelog ruby-rack-2.2.13/debian/changelog
--- ruby-rack-2.2.6.4/debian/changelog 2024-05-02 20:39:36.000000000 +0000
+++ ruby-rack-2.2.13/debian/changelog 2025-03-20 03:57:37.000000000 +0000
@@ -1,3 +1,12 @@
+ruby-rack (2.2.13-1~deb12u1) bookworm-security; urgency=medium
+
+ * New upstream version 2.2.13.
+ - Fixes: CVE-2025-27610, CVE-2025-27111, CVE-2025-25184.
+ - Closes: #1100444, #1099546, #1098257.
+ * Drop patches that have been applied in v2.2.13.
+
+ -- Utkarsh Gupta Thu, 20 Mar 2025 09:27:37 +0530
+
ruby-rack (2.2.6.4-1+deb12u1) bookworm-security; urgency=medium
* Non-maintainer upload.
diff -Nru ruby-rack-2.2.6.4/debian/patches/0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch ruby-rack-2.2.13/debian/patches/0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch
--- ruby-rack-2.2.6.4/debian/patches/0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch 2024-05-02 20:11:55.000000000 +0000
+++ ruby-rack-2.2.13/debian/patches/0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch 1970-01-01 00:00:00.000000000 +0000
@@ -1,51 +0,0 @@
-From 0dd2a6314a1677ba38d2f94b18ecf21a5fbfaa1d Mon Sep 17 00:00:00 2001
-From: Jean Boussier
-Date: Wed, 6 Dec 2023 18:32:19 +0100
-Subject: Avoid 2nd degree polynomial regexp in MediaType
-
----
- lib/rack/media_type.rb | 13 +++++++++----
- 1 file changed, 9 insertions(+), 4 deletions(-)
-
-diff --git a/lib/rack/media_type.rb b/lib/rack/media_type.rb
-index 41937c99..7fc1e39d 100644
---- a/lib/rack/media_type.rb
-+++ b/lib/rack/media_type.rb
-@@ -4,7 +4,7 @@ module Rack
- # Rack::MediaType parse media type and parameters out of content_type string
-
- class MediaType
-- SPLIT_PATTERN = %r{\s*[;,]\s*}
-+ SPLIT_PATTERN = /[;,]/
-
- class << self
- # The media type (type/subtype) portion of the CONTENT_TYPE header
-@@ -15,7 +15,11 @@ module Rack
- # http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.7
- def type(content_type)
- return nil unless content_type
-- content_type.split(SPLIT_PATTERN, 2).first.tap &:downcase!
-+ if type = content_type.split(SPLIT_PATTERN, 2).first
-+ type.rstrip!
-+ type.downcase!
-+ type
-+ end
- end
-
- # The media type parameters provided in CONTENT_TYPE as a Hash, or
-@@ -27,9 +31,10 @@ module Rack
- return {} if content_type.nil?
-
- content_type.split(SPLIT_PATTERN)[1..-1].each_with_object({}) do |s, hsh|
-+ s.strip!
- k, v = s.split('=', 2)
--
-- hsh[k.tap(&:downcase!)] = strip_doublequotes(v)
-+ k.downcase!
-+ hsh[k] = strip_doublequotes(v)
- end
- end
-
---
-2.30.2
-
diff -Nru ruby-rack-2.2.6.4/debian/patches/0002-Make-tests-pass-on-hosts-that-have-no-ipv4-connectiv.patch ruby-rack-2.2.13/debian/patches/0002-Make-tests-pass-on-hosts-that-have-no-ipv4-connectiv.patch
--- ruby-rack-2.2.6.4/debian/patches/0002-Make-tests-pass-on-hosts-that-have-no-ipv4-connectiv.patch 2023-03-23 20:02:43.000000000 +0000
+++ ruby-rack-2.2.13/debian/patches/0002-Make-tests-pass-on-hosts-that-have-no-ipv4-connectiv.patch 2025-03-20 03:57:37.000000000 +0000
@@ -47,7 +47,7 @@
@server = server
end
end
-@@ -41,7 +41,7 @@
+@@ -43,7 +43,7 @@
response["HTTP_VERSION"].must_equal "HTTP/1.1"
response["SERVER_PROTOCOL"].must_equal "HTTP/1.1"
response["SERVER_PORT"].must_equal "9204"
diff -Nru ruby-rack-2.2.6.4/debian/patches/0002-Return-an-empty-array-when-ranges-are-too-large.patch ruby-rack-2.2.13/debian/patches/0002-Return-an-empty-array-when-ranges-are-too-large.patch
--- ruby-rack-2.2.6.4/debian/patches/0002-Return-an-empty-array-when-ranges-are-too-large.patch 2024-05-02 20:11:55.000000000 +0000
+++ ruby-rack-2.2.13/debian/patches/0002-Return-an-empty-array-when-ranges-are-too-large.patch 1970-01-01 00:00:00.000000000 +0000
@@ -1,46 +0,0 @@
-From ca18315cb37dffb378b56a64a6e0cefcb1df8fc0 Mon Sep 17 00:00:00 2001
-From: Aaron Patterson
-Date: Tue, 13 Feb 2024 13:34:34 -0800
-Subject: Return an empty array when ranges are too large
-
-If the sum of the requested ranges is larger than the file itself,
-return an empty array. In other words, refuse to respond with any bytes.
-
-[CVE-2024-26141]
----
- lib/rack/utils.rb | 3 +++
- test/spec_utils.rb | 4 ++++
- 2 files changed, 7 insertions(+)
-
-diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb
-index c8e61ea1..72700503 100644
---- a/lib/rack/utils.rb
-+++ b/lib/rack/utils.rb
-@@ -380,6 +380,9 @@ module Rack
- end
- ranges << (r0..r1) if r0 <= r1
- end
-+
-+ return [] if ranges.map(&:size).sum > size
-+
- ranges
- end
-
-diff --git a/test/spec_utils.rb b/test/spec_utils.rb
-index 90676258..6b069914 100644
---- a/test/spec_utils.rb
-+++ b/test/spec_utils.rb
-@@ -590,6 +590,10 @@ describe Rack::Utils, "cookies" do
- end
-
- describe Rack::Utils, "byte_range" do
-+ it "returns an empty list if the sum of the ranges is too large" do
-+ assert_equal [], Rack::Utils.byte_ranges({ "HTTP_RANGE" => "bytes=0-20,0-500" }, 500)
-+ end
-+
- it "ignore missing or syntactically invalid byte ranges" do
- Rack::Utils.byte_ranges({}, 500).must_be_nil
- Rack::Utils.byte_ranges({ "HTTP_RANGE" => "foobar" }, 500).must_be_nil
---
-2.30.2
-
diff -Nru ruby-rack-2.2.6.4/debian/patches/0003-Fixing-ReDoS-in-header-parsing.patch ruby-rack-2.2.13/debian/patches/0003-Fixing-ReDoS-in-header-parsing.patch
--- ruby-rack-2.2.6.4/debian/patches/0003-Fixing-ReDoS-in-header-parsing.patch 2024-05-02 20:11:55.000000000 +0000
+++ ruby-rack-2.2.13/debian/patches/0003-Fixing-ReDoS-in-header-parsing.patch 1970-01-01 00:00:00.000000000 +0000
@@ -1,30 +0,0 @@
-From 3f0a5391ed7118f10bae56b369b2c525942f26c6 Mon Sep 17 00:00:00 2001
-From: Aaron Patterson
-Date: Wed, 21 Feb 2024 11:05:06 -0800
-Subject: Fixing ReDoS in header parsing
-
-Thanks svalkanov
-
-[CVE-2024-26146]
----
- lib/rack/utils.rb | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb
-index 72700503..ccf39e30 100644
---- a/lib/rack/utils.rb
-+++ b/lib/rack/utils.rb
-@@ -142,8 +142,8 @@ module Rack
- end
-
- def q_values(q_value_header)
-- q_value_header.to_s.split(/\s*,\s*/).map do |part|
-- value, parameters = part.split(/\s*;\s*/, 2)
-+ q_value_header.to_s.split(',').map do |part|
-+ value, parameters = part.split(';', 2).map(&:strip)
- quality = 1.0
- if parameters && (md = /\Aq=([\d.]+)/.match(parameters))
- quality = md[1].to_f
---
-2.30.2
-
diff -Nru ruby-rack-2.2.6.4/debian/patches/series ruby-rack-2.2.13/debian/patches/series
--- ruby-rack-2.2.6.4/debian/patches/series 2024-05-02 20:39:36.000000000 +0000
+++ ruby-rack-2.2.13/debian/patches/series 2025-03-20 03:57:37.000000000 +0000
@@ -1,6 +1,3 @@
skip-random-failure.patch
0002-Make-tests-pass-on-hosts-that-have-no-ipv4-connectiv.patch
skip-unreadable-dir-test.patch
-0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch
-0002-Return-an-empty-array-when-ranges-are-too-large.patch
-0003-Fixing-ReDoS-in-header-parsing.patch
diff -Nru ruby-rack-2.2.6.4/debian/patches/skip-unreadable-dir-test.patch ruby-rack-2.2.13/debian/patches/skip-unreadable-dir-test.patch
--- ruby-rack-2.2.6.4/debian/patches/skip-unreadable-dir-test.patch 2023-03-23 20:02:43.000000000 +0000
+++ ruby-rack-2.2.13/debian/patches/skip-unreadable-dir-test.patch 2025-03-20 03:57:37.000000000 +0000
@@ -4,11 +4,9 @@
Author: HIGUCHI Daisuke (VDR dai)
Forwarded: not-needed
-Index: ruby-rack/test/spec_directory.rb
-===================================================================
---- ruby-rack.orig/test/spec_directory.rb
-+++ ruby-rack/test/spec_directory.rb
-@@ -54,6 +54,7 @@ describe Rack::Directory do
+--- a/test/spec_directory.rb
++++ b/test/spec_directory.rb
+@@ -54,6 +54,7 @@
end
it "return 404 for unreadable directories" do
diff -Nru ruby-rack-2.2.6.4/lib/rack/auth/basic.rb ruby-rack-2.2.13/lib/rack/auth/basic.rb
--- ruby-rack-2.2.6.4/lib/rack/auth/basic.rb 2023-03-13 18:07:51.000000000 +0000
+++ ruby-rack-2.2.13/lib/rack/auth/basic.rb 2025-03-10 21:18:07.000000000 +0000
@@ -2,7 +2,6 @@
require_relative 'abstract/handler'
require_relative 'abstract/request'
-require 'base64'
module Rack
module Auth
@@ -48,7 +47,7 @@
end
def credentials
- @credentials ||= Base64.decode64(params).split(':', 2)
+ @credentials ||= params.unpack("m").first.split(':', 2)
end
def username
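Review bot: The reason for replacing `Base64.decode64` with `params.unpack("m").first` is not recorded anywhere in the file, so a later cleanup could revert it; a one-line comment would help, e.g. `# String#unpack("m") rather than Base64 so rack does not depend on the 'base64' gem (not a default gem on Ruby >= 3.4)` — the 2.2.10 changelog entry about Ruby 3.4 suggests that is the motivation, but confirm. Behaviour is preserved: `"m"` is as lenient as `decode64` and silently skips non-alphabet bytes in the client-supplied header, whereas `"m0"` would be strict and raise ArgumentError on a malformed Authorization header, so switching to it would need a rescue in the caller. The `credentials` method fits entirely in the hunk.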
diff -Nru ruby-rack-2.2.6.4/lib/rack/auth/digest/nonce.rb ruby-rack-2.2.13/lib/rack/auth/digest/nonce.rb
--- ruby-rack-2.2.6.4/lib/rack/auth/digest/nonce.rb 2023-03-13 18:07:51.000000000 +0000
+++ ruby-rack-2.2.13/lib/rack/auth/digest/nonce.rb 2025-03-10 21:18:07.000000000 +0000
@@ -1,7 +1,6 @@
# frozen_string_literal: true
require 'digest/md5'
-require 'base64'
module Rack
module Auth
@@ -21,7 +20,7 @@
end
def self.parse(string)
- new(*Base64.decode64(string).split(' ', 2))
+ new(*string.unpack("m").first.split(' ', 2))
end
def initialize(timestamp = Time.now, given_digest = nil)
@@ -29,7 +28,7 @@
end
def to_s
- Base64.encode64("#{@timestamp} #{digest}").strip
+ ["#{@timestamp} #{digest}"].pack("m").strip
end
def digest
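Review bot: `["..."].pack("m")` inserts a newline after every 60 encoded characters and `.strip` only removes whitespace at the ends, so the result is newline-free only while the payload is 45 bytes or shorter; with a 10-digit epoch timestamp and what is presumably a 32-character hex digest (the `digest` body starts outside the hunk) the input is 43 bytes, so it holds today, but only just. `["#{@timestamp} #{digest}"].pack("m0")` yields the same encoding with no line breaks at all and makes the `.strip` unnecessary, which is clearer than relying on the length. `parse` above uses the lenient `"m"` for the client-supplied nonce, which is fine for input and should stay lenient unless a rescue is added.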
diff -Nru ruby-rack-2.2.6.4/lib/rack/common_logger.rb ruby-rack-2.2.13/lib/rack/common_logger.rb
--- ruby-rack-2.2.6.4/lib/rack/common_logger.rb 2023-03-13 18:07:51.000000000 +0000
+++ ruby-rack-2.2.13/lib/rack/common_logger.rb 2025-03-10 21:18:07.000000000 +0000
@@ -15,7 +15,7 @@
# The actual format is slightly different than the above due to the
# separation of SCRIPT_NAME and PATH_INFO, and because the elapsed
# time in seconds is included at the end.
- FORMAT = %{%s - %s [%s] "%s %s%s%s %s" %d %s %0.4f\n}
+ FORMAT = %{%s - %s [%s] "%s %s%s%s %s" %d %s %0.4f }
# +logger+ can be any object that supports the +write+ or +<<+ methods,
# which includes the standard library Logger. These methods are called
@@ -60,7 +60,8 @@
length,
Utils.clock_time - began_at ]
- msg.gsub!(/[^[:print:]\n]/) { |c| "\\x#{c.ord}" }
+ msg.gsub!(/[^[:print:]]/) { |c| sprintf("\\x%x", c.ord) }
+ msg[-1] = "\n"
logger = @logger || env[RACK_ERRORS]
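Review bot: `sprintf("\\x%x", c.ord)` produces variable-width escapes, which reintroduces ambiguity into the sanitised line: a tab followed by the digit `1` is logged as `\x91`, indistinguishable from a literal byte 0x91, and a non-printable code point above 0xFF such as U+2028 becomes `\x2028`. Escaping the bytes of the character at fixed width removes both cases: `msg.gsub!(/[^[:print:]]/) { |c| c.bytes.map { |b| format("\\x%02x", b) }.join }`. As before this change, `gsub!` raises ArgumentError if `msg` carries an invalid byte sequence for its encoding — whether PATH_INFO or QUERY_STRING can reach here unscrubbed depends on the server and is not visible in this hunk. `msg[-1] = "\n"` silently depends on FORMAT now ending in a space; a comment on the constant, e.g. `# trailing space is a placeholder overwritten with "\n" after escaping`, would stop someone "fixing" it back.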
diff -Nru ruby-rack-2.2.6.4/lib/rack/lint.rb ruby-rack-2.2.13/lib/rack/lint.rb
--- ruby-rack-2.2.6.4/lib/rack/lint.rb 2023-03-13 18:07:51.000000000 +0000
+++ ruby-rack-2.2.13/lib/rack/lint.rb 2025-03-10 21:18:07.000000000 +0000
@@ -40,7 +40,7 @@
def _call(env)
## It takes exactly one argument, the *environment*
- assert("No env given") { env }
+ raise LintError, "No env given" unless env
check_env env
env[RACK_INPUT] = InputWrapper.new(env[RACK_INPUT])
@@ -48,12 +48,8 @@
## and returns an Array of exactly three values:
ary = @app.call(env)
- assert("response is not an Array, but #{ary.class}") {
- ary.kind_of? Array
- }
- assert("response array has #{ary.size} elements instead of 3") {
- ary.size == 3
- }
+ raise LintError, "response is not an Array, but #{ary.class}" unless ary.kind_of? Array
+ raise LintError, "response array has #{ary.size} elements instead of 3" unless ary.size == 3
status, headers, @body = ary
## The *status*,
@@ -78,12 +74,8 @@
## The environment must be an unfrozen instance of Hash that includes
## CGI-like headers. The application is free to modify the
## environment.
- assert("env #{env.inspect} is not a Hash, but #{env.class}") {
- env.kind_of? Hash
- }
- assert("env should not be frozen, but is") {
- !env.frozen?
- }
+ raise LintError, "env #{env.inspect} is not a Hash, but #{env.class}" unless env.kind_of? Hash
+ raise LintError, "env should not be frozen, but is" if env.frozen?
##
## The environment is required to include these variables
@@ -195,73 +187,73 @@
## The store must implement:
if session = env[RACK_SESSION]
## store(key, value) (aliased as []=);
- assert("session #{session.inspect} must respond to store and []=") {
- session.respond_to?(:store) && session.respond_to?(:[]=)
- }
+ unless session.respond_to?(:store) && session.respond_to?(:[]=)
+ raise LintError, "session #{session.inspect} must respond to store and []="
+ end
## fetch(key, default = nil) (aliased as []);
- assert("session #{session.inspect} must respond to fetch and []") {
- session.respond_to?(:fetch) && session.respond_to?(:[])
- }
+ unless session.respond_to?(:fetch) && session.respond_to?(:[])
+ raise LintError, "session #{session.inspect} must respond to fetch and []"
+ end
## delete(key);
- assert("session #{session.inspect} must respond to delete") {
- session.respond_to?(:delete)
- }
+ unless session.respond_to?(:delete)
+ raise LintError, "session #{session.inspect} must respond to delete"
+ end
## clear;
- assert("session #{session.inspect} must respond to clear") {
- session.respond_to?(:clear)
- }
+ unless session.respond_to?(:clear)
+ raise LintError, "session #{session.inspect} must respond to clear"
+ end
## to_hash (returning unfrozen Hash instance);
- assert("session #{session.inspect} must respond to to_hash and return unfrozen Hash instance") {
- session.respond_to?(:to_hash) && session.to_hash.kind_of?(Hash) && !session.to_hash.frozen?
- }
+ unless session.respond_to?(:to_hash) && session.to_hash.kind_of?(Hash) && !session.to_hash.frozen?
+ raise LintError, "session #{session.inspect} must respond to to_hash and return unfrozen Hash instance"
+ end
end
## rack.logger:: A common object interface for logging messages.
## The object must implement:
if logger = env[RACK_LOGGER]
## info(message, &block)
- assert("logger #{logger.inspect} must respond to info") {
- logger.respond_to?(:info)
- }
+ unless logger.respond_to?(:info)
+ raise LintError, "logger #{logger.inspect} must respond to info"
+ end
## debug(message, &block)
- assert("logger #{logger.inspect} must respond to debug") {
- logger.respond_to?(:debug)
- }
+ unless logger.respond_to?(:debug)
+ raise LintError, "logger #{logger.inspect} must respond to debug"
+ end
## warn(message, &block)
- assert("logger #{logger.inspect} must respond to warn") {
- logger.respond_to?(:warn)
- }
+ unless logger.respond_to?(:warn)
+ raise LintError, "logger #{logger.inspect} must respond to warn"
+ end
## error(message, &block)
- assert("logger #{logger.inspect} must respond to error") {
- logger.respond_to?(:error)
- }
+ unless logger.respond_to?(:error)
+ raise LintError, "logger #{logger.inspect} must respond to error"
+ end
## fatal(message, &block)
- assert("logger #{logger.inspect} must respond to fatal") {
- logger.respond_to?(:fatal)
- }
+ unless logger.respond_to?(:fatal)
+ raise LintError, "logger #{logger.inspect} must respond to fatal"
+ end
end
## rack.multipart.buffer_size:: An Integer hint to the multipart parser as to what chunk size to use for reads and writes.
if bufsize = env[RACK_MULTIPART_BUFFER_SIZE]
- assert("rack.multipart.buffer_size must be an Integer > 0 if specified") {
- bufsize.is_a?(Integer) && bufsize > 0
- }
+ unless bufsize.is_a?(Integer) && bufsize > 0
+ raise LintError, "rack.multipart.buffer_size must be an Integer > 0 if specified"
+ end
end
## rack.multipart.tempfile_factory:: An object responding to #call with two arguments, the filename and content_type given for the multipart form field, and returning an IO-like object that responds to #<< and optionally #rewind. This factory will be used to instantiate the tempfile for each multipart form file upload field, rather than the default class of Tempfile.
if tempfile_factory = env[RACK_MULTIPART_TEMPFILE_FACTORY]
- assert("rack.multipart.tempfile_factory must respond to #call") { tempfile_factory.respond_to?(:call) }
+ raise LintError, "rack.multipart.tempfile_factory must respond to #call" unless tempfile_factory.respond_to?(:call)
env[RACK_MULTIPART_TEMPFILE_FACTORY] = lambda do |filename, content_type|
io = tempfile_factory.call(filename, content_type)
- assert("rack.multipart.tempfile_factory return value must respond to #<<") { io.respond_to?(:<<) }
+ raise LintError, "rack.multipart.tempfile_factory return value must respond to #<<" unless io.respond_to?(:<<)
io
end
end
@@ -276,32 +268,32 @@
%w[REQUEST_METHOD SERVER_NAME QUERY_STRING
rack.version rack.input rack.errors
rack.multithread rack.multiprocess rack.run_once].each { |header|
- assert("env missing required key #{header}") { env.include? header }
+ raise LintError, "env missing required key #{header}" unless env.include? header
}
## The SERVER_PORT must be an Integer if set.
- assert("env[SERVER_PORT] is not an Integer") do
- server_port = env["SERVER_PORT"]
- server_port.nil? || (Integer(server_port) rescue false)
+ server_port = env["SERVER_PORT"]
+ unless server_port.nil? || (Integer(server_port) rescue false)
+ raise LintError, "env[SERVER_PORT] is not an Integer"
end
## The SERVER_NAME must be a valid authority as defined by RFC7540.
- assert("#{env[SERVER_NAME]} must be a valid authority") do
- URI.parse("http://#{env[SERVER_NAME]}/") rescue false
+ unless (URI.parse("http://#{env[SERVER_NAME]}/") rescue false)
+ raise LintError, "#{env[SERVER_NAME]} must be a valid authority"
end
## The HTTP_HOST must be a valid authority as defined by RFC7540.
- assert("#{env[HTTP_HOST]} must be a valid authority") do
- URI.parse("http://#{env[HTTP_HOST]}/") rescue false
+ unless (URI.parse("http://#{env[HTTP_HOST]}/") rescue false)
+ raise LintError, "#{env[HTTP_HOST]} must be a valid authority"
end
## The environment must not contain the keys
## HTTP_CONTENT_TYPE or HTTP_CONTENT_LENGTH
## (use the versions without HTTP_).
%w[HTTP_CONTENT_TYPE HTTP_CONTENT_LENGTH].each { |header|
- assert("env contains #{header}, must use #{header[5, -1]}") {
- not env.include? header
- }
+ if env.include? header
+ raise LintError, "env contains #{header}, must use #{header[5, -1]}"
+ end
}
## The CGI keys (named without a period) must have String values.
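Review bot: `header[5, -1]` in the HTTP_CONTENT_TYPE/HTTP_CONTENT_LENGTH message returns nil, because `String#[]` with a negative length yields nil rather than a slice, so the raised text ends in `must use ` with nothing after it; `header[5..-1]` gives `CONTENT_TYPE` as intended. The two authority checks only verify that `URI.parse` does not raise, and as far as I can tell `URI.parse("http:///")` and `URI.parse("http://host/extra/")` both succeed, so an empty SERVER_NAME or one carrying path characters passes even though the SPEC text in this same upload says SERVER_NAME can never be empty; inspecting the parsed object as well, e.g. `u = (URI.parse("http://#{env[SERVER_NAME]}/") rescue nil)` followed by `unless u && !u.host.to_s.empty? && u.path == "/" && u.userinfo.nil?`, would make the lint mean what the comment says. The inline `rescue false` also swallows every StandardError, not just `URI::InvalidURIError`. check_env continues outside the hunk.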
@@ -309,25 +301,25 @@
## they should use ASCII-8BIT encoding.
env.each { |key, value|
next if key.include? "." # Skip extensions
- assert("env variable #{key} has non-string value #{value.inspect}") {
- value.kind_of? String
- }
+ unless value.kind_of? String
+ raise LintError, "env variable #{key} has non-string value #{value.inspect}"
+ end
next if value.encoding == Encoding::ASCII_8BIT
- assert("env variable #{key} has value containing non-ASCII characters and has non-ASCII-8BIT encoding #{value.inspect} encoding: #{value.encoding}") {
- value.b !~ /[\x80-\xff]/n
- }
+ unless value.b !~ /[\x80-\xff]/n
+ raise LintError, "env variable #{key} has value containing non-ASCII characters and has non-ASCII-8BIT encoding #{value.inspect} encoding: #{value.encoding}"
+ end
}
## There are the following restrictions:
## * rack.version must be an array of Integers.
- assert("rack.version must be an Array, was #{env[RACK_VERSION].class}") {
- env[RACK_VERSION].kind_of? Array
- }
+ unless env[RACK_VERSION].kind_of? Array
+ raise LintError, "rack.version must be an Array, was #{env[RACK_VERSION].class}"
+ end
## * rack.url_scheme must either be +http+ or +https+.
- assert("rack.url_scheme unknown: #{env[RACK_URL_SCHEME].inspect}") {
- %w[http https].include?(env[RACK_URL_SCHEME])
- }
+ unless %w[http https].include?(env[RACK_URL_SCHEME])
+ raise LintError, "rack.url_scheme unknown: #{env[RACK_URL_SCHEME].inspect}"
+ end
## * There must be a valid input stream in rack.input.
check_input env[RACK_INPUT]
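Review bot: `unless value.b !~ /[\x80-\xff]/n` is a double negation that takes a moment to parse; `if value.b =~ /[\x80-\xff]/n` says the same thing directly (`match?` would avoid the MatchData allocation but needs Ruby 2.4, and the CI matrix still lists 2.3). The comment above the rack.version check promises "an array of Integers" while the raise only checks `kind_of? Array`; either tighten it with `env[RACK_VERSION].all? { |v| v.kind_of?(Integer) }` or soften the comment so the two agree. The check_env method this belongs to starts and ends outside the hunk.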
@@ -337,37 +329,33 @@
check_hijack env
## * The REQUEST_METHOD must be a valid token.
- assert("REQUEST_METHOD unknown: #{env[REQUEST_METHOD].dump}") {
- env[REQUEST_METHOD] =~ /\A[0-9A-Za-z!\#$%&'*+.^_`|~-]+\z/
- }
+ unless env[REQUEST_METHOD] =~ /\A[0-9A-Za-z!\#$%&'*+.^_`|~-]+\z/
+ raise LintError, "REQUEST_METHOD unknown: #{env[REQUEST_METHOD].dump}"
+ end
## * The SCRIPT_NAME, if non-empty, must start with /
- assert("SCRIPT_NAME must start with /") {
- !env.include?(SCRIPT_NAME) ||
- env[SCRIPT_NAME] == "" ||
- env[SCRIPT_NAME] =~ /\A\//
- }
+ if env.include?(SCRIPT_NAME) && env[SCRIPT_NAME] != "" && env[SCRIPT_NAME] !~ /\A\//
+ raise LintError, "SCRIPT_NAME must start with /"
+ end
## * The PATH_INFO, if non-empty, must start with /
- assert("PATH_INFO must start with /") {
- !env.include?(PATH_INFO) ||
- env[PATH_INFO] == "" ||
- env[PATH_INFO] =~ /\A\//
- }
+ if env.include?(PATH_INFO) && env[PATH_INFO] != "" && env[PATH_INFO] !~ /\A\//
+ raise LintError, "PATH_INFO must start with /"
+ end
## * The CONTENT_LENGTH, if given, must consist of digits only.
- assert("Invalid CONTENT_LENGTH: #{env["CONTENT_LENGTH"]}") {
- !env.include?("CONTENT_LENGTH") || env["CONTENT_LENGTH"] =~ /\A\d+\z/
- }
+ if env.include?("CONTENT_LENGTH") && env["CONTENT_LENGTH"] !~ /\A\d+\z/
+ raise LintError, "Invalid CONTENT_LENGTH: #{env["CONTENT_LENGTH"]}"
+ end
## * One of SCRIPT_NAME or PATH_INFO must be
## set. PATH_INFO should be / if
## SCRIPT_NAME is empty.
- assert("One of SCRIPT_NAME or PATH_INFO must be set (make PATH_INFO '/' if SCRIPT_NAME is empty)") {
- env[SCRIPT_NAME] || env[PATH_INFO]
- }
+ unless env[SCRIPT_NAME] || env[PATH_INFO]
+ raise LintError, "One of SCRIPT_NAME or PATH_INFO must be set (make PATH_INFO '/' if SCRIPT_NAME is empty)"
+ end
## SCRIPT_NAME never should be /, but instead be empty.
- assert("SCRIPT_NAME cannot be '/', make it '' and PATH_INFO '/'") {
- env[SCRIPT_NAME] != "/"
- }
+ unless env[SCRIPT_NAME] != "/"
+ raise LintError, "SCRIPT_NAME cannot be '/', make it '' and PATH_INFO '/'"
+ end
end
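Review bot: `unless env[SCRIPT_NAME] != "/"` reads as a double negative; `if env[SCRIPT_NAME] == "/"` expresses the intent stated in the comment directly. The two `!~ /\A\//` tests in the same hunk would likewise be clearer and regex-free as `!env[SCRIPT_NAME].start_with?("/")` and `!env[PATH_INFO].start_with?("/")` — both values have already been required to be Strings by the CGI-key check earlier in check_env, so the method call is safe. check_env itself starts outside the hunk.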
## === The Input Stream
@@ -377,18 +365,18 @@
def check_input(input)
## When applicable, its external encoding must be "ASCII-8BIT" and it
## must be opened in binary mode, for Ruby 1.9 compatibility.
- assert("rack.input #{input} does not have ASCII-8BIT as its external encoding") {
- input.external_encoding == Encoding::ASCII_8BIT
- } if input.respond_to?(:external_encoding)
- assert("rack.input #{input} is not opened in binary mode") {
- input.binmode?
- } if input.respond_to?(:binmode?)
+ if input.respond_to?(:external_encoding) && input.external_encoding != Encoding::ASCII_8BIT
+ raise LintError, "rack.input #{input} does not have ASCII-8BIT as its external encoding"
+ end
+ if input.respond_to?(:binmode?) && !input.binmode?
+ raise LintError, "rack.input #{input} is not opened in binary mode"
+ end
## The input stream must respond to +gets+, +each+, +read+ and +rewind+.
[:gets, :each, :read, :rewind].each { |method|
- assert("rack.input #{input} does not respond to ##{method}") {
- input.respond_to? method
- }
+ unless input.respond_to? method
+ raise LintError, "rack.input #{input} does not respond to ##{method}"
+ end
}
end
@@ -402,11 +390,11 @@
## * +gets+ must be called without arguments and return a string,
## or +nil+ on EOF.
def gets(*args)
- assert("rack.input#gets called with arguments") { args.size == 0 }
+ raise LintError, "rack.input#gets called with arguments" unless args.size == 0
v = @input.gets
- assert("rack.input#gets didn't return a String") {
- v.nil? or v.kind_of? String
- }
+ unless v.nil? or v.kind_of? String
+ raise LintError, "rack.input#gets didn't return a String"
+ end
v
end
@@ -428,32 +416,32 @@
## If +buffer+ is given, then the read data will be placed
## into +buffer+ instead of a newly created String object.
def read(*args)
- assert("rack.input#read called with too many arguments") {
- args.size <= 2
- }
+ unless args.size <= 2
+ raise LintError, "rack.input#read called with too many arguments"
+ end
if args.size >= 1
- assert("rack.input#read called with non-integer and non-nil length") {
- args.first.kind_of?(Integer) || args.first.nil?
- }
- assert("rack.input#read called with a negative length") {
- args.first.nil? || args.first >= 0
- }
+ unless args.first.kind_of?(Integer) || args.first.nil?
+ raise LintError, "rack.input#read called with non-integer and non-nil length"
+ end
+ unless args.first.nil? || args.first >= 0
+ raise LintError, "rack.input#read called with a negative length"
+ end
end
if args.size >= 2
- assert("rack.input#read called with non-String buffer") {
- args[1].kind_of?(String)
- }
+ unless args[1].kind_of?(String)
+ raise LintError, "rack.input#read called with non-String buffer"
+ end
end
v = @input.read(*args)
- assert("rack.input#read didn't return nil or a String") {
- v.nil? or v.kind_of? String
- }
+ unless v.nil? or v.kind_of? String
+ raise LintError, "rack.input#read didn't return nil or a String"
+ end
if args[0].nil?
- assert("rack.input#read(nil) returned nil on EOF") {
- !v.nil?
- }
+ unless !v.nil?
+ raise LintError, "rack.input#read(nil) returned nil on EOF"
+ end
end
v
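Review bot: `unless !v.nil?` at the EOF check is a double negation; `if v.nil?` is the direct form and is what the message describes. The surrounding conditions use `or` (`v.nil? or v.kind_of? String`); inside `unless` it happens to work, but `||` is the conventional boolean operator and avoids the low-precedence surprise if the condition is ever moved into an assignment. The `read` wrapper starts inside the hunk and its closing `end` is just past it.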
@@ -461,11 +449,11 @@
## * +each+ must be called without arguments and only yield Strings.
def each(*args)
- assert("rack.input#each called with arguments") { args.size == 0 }
+ raise LintError, "rack.input#each called with arguments" unless args.size == 0
@input.each { |line|
- assert("rack.input#each didn't yield a String") {
- line.kind_of? String
- }
+ unless line.kind_of? String
+ raise LintError, "rack.input#each didn't yield a String"
+ end
yield line
}
end
@@ -476,20 +464,18 @@
## developers must buffer the input data into some rewindable object
## if the underlying input stream is not rewindable.
def rewind(*args)
- assert("rack.input#rewind called with arguments") { args.size == 0 }
- assert("rack.input#rewind raised Errno::ESPIPE") {
- begin
- @input.rewind
- true
- rescue Errno::ESPIPE
- false
- end
- }
+ raise LintError, "rack.input#rewind called with arguments" unless args.size == 0
+ begin
+ @input.rewind
+ true
+ rescue Errno::ESPIPE
+ raise LintError, "rack.input#rewind raised Errno::ESPIPE"
+ end
end
## * +close+ must never be called on the input stream.
def close(*args)
- assert("rack.input#close must not be called") { false }
+ raise LintError, "rack.input#close must not be called"
end
end
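Review bot: The `true` inside the begin/rescue in `rewind` is a leftover from the removed assert block; `rewind` now returns it to the caller, whereas `@input.rewind` itself returns 0 on IO and StringIO, so either drop the line or deliberately return the underlying result. Only `Errno::ESPIPE` is mapped to a LintError; any other error from the wrapped stream propagates unchanged, which matches the old behaviour but deserves a line in the comment above the method. The `close` wrapper below is complete within the hunk.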
@@ -497,9 +483,9 @@
def check_error(error)
## The error stream must respond to +puts+, +write+ and +flush+.
[:puts, :write, :flush].each { |method|
- assert("rack.error #{error} does not respond to ##{method}") {
- error.respond_to? method
- }
+ unless error.respond_to? method
+ raise LintError, "rack.error #{error} does not respond to ##{method}"
+ end
}
end
@@ -517,7 +503,7 @@
## * +write+ must be called with a single argument that is a String.
def write(str)
- assert("rack.errors#write not called with a String") { str.kind_of? String }
+ raise LintError, "rack.errors#write not called with a String" unless str.kind_of? String
@error.write str
end
@@ -529,7 +515,7 @@
## * +close+ must never be called on the error stream.
def close(*args)
- assert("rack.errors#close must not be called") { false }
+ raise LintError, "rack.errors#close must not be called"
end
end
@@ -547,7 +533,7 @@
def initialize(io)
@io = io
REQUIRED_METHODS.each do |meth|
- assert("rack.hijack_io must respond to #{meth}") { io.respond_to? meth }
+ raise LintError, "rack.hijack_io must respond to #{meth}" unless io.respond_to? meth
end
end
end
@@ -563,7 +549,7 @@
if env[RACK_IS_HIJACK]
## If rack.hijack? is true then rack.hijack must respond to #call.
original_hijack = env[RACK_HIJACK]
- assert("rack.hijack must respond to call") { original_hijack.respond_to?(:call) }
+ raise LintError, "rack.hijack must respond to call" unless original_hijack.respond_to?(:call)
env[RACK_HIJACK] = proc do
## rack.hijack must return the io that will also be assigned (or is
## already present, in rack.hijack_io.
@@ -596,10 +582,10 @@
else
##
## If rack.hijack? is false, then rack.hijack should not be set.
- assert("rack.hijack? is false, but rack.hijack is present") { env[RACK_HIJACK].nil? }
+ raise LintError, "rack.hijack? is false, but rack.hijack is present" unless env[RACK_HIJACK].nil?
##
## If rack.hijack? is false, then rack.hijack_io should not be set.
- assert("rack.hijack? is false, but rack.hijack_io is present") { env[RACK_HIJACK_IO].nil? }
+ raise LintError, "rack.hijack? is false, but rack.hijack_io is present" unless env[RACK_HIJACK_IO].nil?
end
end
@@ -630,9 +616,9 @@
## the rack.hijack response API is in use.
if env[RACK_IS_HIJACK] && headers[RACK_HIJACK]
- assert('rack.hijack header must respond to #call') {
- headers[RACK_HIJACK].respond_to? :call
- }
+ unless headers[RACK_HIJACK].respond_to? :call
+ raise LintError, 'rack.hijack header must respond to #call'
+ end
original_hijack = headers[RACK_HIJACK]
proc do |io|
original_hijack.call HijackWrapper.new(io)
@@ -641,9 +627,9 @@
##
## The special response header rack.hijack must only be set
## if the request env has rack.hijack? true.
- assert('rack.hijack header must not be present if server does not support hijacking') {
- headers[RACK_HIJACK].nil?
- }
+ unless headers[RACK_HIJACK].nil?
+ raise LintError, 'rack.hijack header must not be present if server does not support hijacking'
+ end
nil
end
@@ -661,42 +647,45 @@
def check_status(status)
## This is an HTTP status. When parsed as integer (+to_i+), it must be
## greater than or equal to 100.
- assert("Status must be >=100 seen as integer") { status.to_i >= 100 }
+ unless status.to_i >= 100
+ raise LintError, "Status must be >=100 seen as integer"
+ end
end
## === The Headers
def check_headers(header)
## The header must respond to +each+, and yield values of key and value.
- assert("headers object should respond to #each, but doesn't (got #{header.class} as headers)") {
- header.respond_to? :each
- }
+ unless header.respond_to? :each
+ raise LintError, "headers object should respond to #each, but doesn't (got #{header.class} as headers)"
+ end
header.each { |key, value|
## The header keys must be Strings.
- assert("header key must be a string, was #{key.class}") {
- key.kind_of? String
- }
+ unless key.kind_of? String
+ raise LintError, "header key must be a string, was #{key.class}"
+ end
## Special headers starting "rack." are for communicating with the
## server, and must not be sent back to the client.
next if key =~ /^rack\..+$/
## The header must not contain a +Status+ key.
- assert("header must not contain Status") { key.downcase != "status" }
+ raise LintError, "header must not contain Status" if key.downcase == "status"
## The header must conform to RFC7230 token specification, i.e. cannot
## contain non-printable ASCII, DQUOTE or "(),/:;<=>?@[\]{}".
- assert("invalid header name: #{key}") { key !~ /[\(\),\/:;<=>\?@\[\\\]{}[:cntrl:]]/ }
+ raise LintError, "invalid header name: #{key}" if key =~ /[\(\),\/:;<=>\?@\[\\\]{}[:cntrl:]]/
## The values of the header must be Strings,
- assert("a header value must be a String, but the value of " +
- "'#{key}' is a #{value.class}") { value.kind_of? String }
+ unless value.kind_of? String
+ raise LintError, "a header value must be a String, but the value of '#{key}' is a #{value.class}"
+ end
## consisting of lines (for multiple header values, e.g. multiple
## Set-Cookie values) separated by "\\n".
value.split("\n").each { |item|
## The lines must not contain characters below 037.
- assert("invalid header value #{key}: #{item.inspect}") {
- item !~ /[\000-\037]/
- }
+ if item =~ /[\000-\037]/
+ raise LintError, "invalid header value #{key}: #{item.inspect}"
+ end
}
}
end
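Review bot: The guard `next if key =~ /^rack\..+$/` in check_headers uses line anchors, so a key such as `"x-foo\nrack.y"` matches on its second line and skips the Status and RFC7230 token checks that follow, even though it contains a control character the lint is meant to reject. Anchoring to the whole string closes that gap: `next if key.match?(/\Arack\..+\z/)`. The `=~` on the invalid-header-name line could likewise be `match?`, since no captures are used. The guard is a context line, so this predates the commit, but the rewritten checks below it inherit the behaviour.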
@@ -707,9 +696,9 @@
## There must not be a Content-Type, when the +Status+ is 1xx,
## 204 or 304.
if key.downcase == "content-type"
- assert("Content-Type header found in #{status} response, not allowed") {
- not Rack::Utils::STATUS_WITH_NO_ENTITY_BODY.key? status.to_i
- }
+ if Rack::Utils::STATUS_WITH_NO_ENTITY_BODY.key? status.to_i
+ raise LintError, "Content-Type header found in #{status} response, not allowed"
+ end
return
end
}
@@ -721,9 +710,9 @@
if key.downcase == 'content-length'
## There must not be a Content-Length header when the
## +Status+ is 1xx, 204 or 304.
- assert("Content-Length header found in #{status} response, not allowed") {
- not Rack::Utils::STATUS_WITH_NO_ENTITY_BODY.key? status.to_i
- }
+ if Rack::Utils::STATUS_WITH_NO_ENTITY_BODY.key? status.to_i
+ raise LintError, "Content-Length header found in #{status} response, not allowed"
+ end
@content_length = value
end
}
@@ -731,13 +720,13 @@
def verify_content_length(bytes)
if @head_request
- assert("Response body was given for HEAD request, but should be empty") {
- bytes == 0
- }
+ unless bytes == 0
+ raise LintError, "Response body was given for HEAD request, but should be empty"
+ end
elsif @content_length
- assert("Content-Length header was #{@content_length}, but should be #{bytes}") {
- @content_length == bytes.to_s
- }
+ unless @content_length == bytes.to_s
+ raise LintError, "Content-Length header was #{@content_length}, but should be #{bytes}"
+ end
end
end
@@ -747,15 +736,15 @@
bytes = 0
## The Body must respond to +each+
- assert("Response body must respond to each") do
- @body.respond_to?(:each)
+ unless @body.respond_to?(:each)
+ raise LintError, "Response body must respond to each"
end
@body.each { |part|
## and must only yield String values.
- assert("Body yielded non-string value #{part.inspect}") {
- part.kind_of? String
- }
+ unless part.kind_of? String
+ raise LintError, "Body yielded non-string value #{part.inspect}"
+ end
bytes += part.bytesize
yield part
}
@@ -768,7 +757,7 @@
## If the Body responds to +close+, it will be called after iteration. If
## the body is replaced by a middleware after action, the original body
## must be closed first, if it responds to close.
- # XXX howto: assert("Body has not been closed") { @closed }
+ # XXX howto: raise LintError, "Body has not been closed" unless @closed
##
@@ -779,9 +768,9 @@
## transport the response.
if @body.respond_to?(:to_path)
- assert("The file identified by body.to_path does not exist") {
- ::File.exist? @body.to_path
- }
+ unless ::File.exist? @body.to_path
+ raise LintError, "The file identified by body.to_path does not exist"
+ end
end
##
diff -Nru ruby-rack-2.2.6.4/lib/rack/media_type.rb ruby-rack-2.2.13/lib/rack/media_type.rb
--- ruby-rack-2.2.6.4/lib/rack/media_type.rb 2023-03-13 18:07:51.000000000 +0000
+++ ruby-rack-2.2.13/lib/rack/media_type.rb 2025-03-10 21:18:07.000000000 +0000
@@ -4,7 +4,7 @@
# Rack::MediaType parse media type and parameters out of content_type string
class MediaType
- SPLIT_PATTERN = %r{\s*[;,]\s*}
+ SPLIT_PATTERN = /[;,]/
class << self
# The media type (type/subtype) portion of the CONTENT_TYPE header
@@ -15,7 +15,11 @@
# http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.7
def type(content_type)
return nil unless content_type
- content_type.split(SPLIT_PATTERN, 2).first.tap &:downcase!
+ if type = content_type.split(SPLIT_PATTERN, 2).first
+ type.rstrip!
+ type.downcase!
+ type
+ end
end
# The media type parameters provided in CONTENT_TYPE as a Hash, or
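Review bot: The new `type.rstrip!` in MediaType.type only trims trailing whitespace, while the sibling params hunk strips both sides with `s.strip!`, so a value with leading whitespace yields a type that still starts with a space; the old `\s*[;,]\s*` pattern had the same asymmetry, so if that is intentional a comment saying so would help, otherwise `type.strip!` makes the two consistent. The assignment-in-condition `if type = ...` is easy to misread as a comparison; `if (type = content_type.split(SPLIT_PATTERN, 2).first)` makes the intent explicit. The regexp simplification itself looks right for removing the polynomial backtracking.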
@@ -27,9 +31,10 @@
return {} if content_type.nil?
content_type.split(SPLIT_PATTERN)[1..-1].each_with_object({}) do |s, hsh|
+ s.strip!
k, v = s.split('=', 2)
-
- hsh[k.tap(&:downcase!)] = strip_doublequotes(v)
+ k.downcase!
+ hsh[k] = strip_doublequotes(v)
end
end
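Review bot: `k.downcase!` in MediaType.params raises NoMethodError when a segment is empty, because `"".split('=', 2)` returns `[]` and `k` is nil; a Content-Type such as `text/html;;charset=utf-8` produces such a segment after `split(SPLIT_PATTERN)`, so a malformed header from the client would crash request parsing rather than being ignored. The old `k.tap(&:downcase!)` had the same problem, but since the line is being rewritten a guard is cheap: `k, v = s.split('=', 2)` followed by `next unless k`. The start of params is outside this hunk.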
diff -Nru ruby-rack-2.2.6.4/lib/rack/multipart/parser.rb ruby-rack-2.2.13/lib/rack/multipart/parser.rb
--- ruby-rack-2.2.6.4/lib/rack/multipart/parser.rb 2023-03-13 18:07:51.000000000 +0000
+++ ruby-rack-2.2.13/lib/rack/multipart/parser.rb 2025-03-10 21:18:07.000000000 +0000
@@ -13,7 +13,9 @@
BUFSIZE = 1_048_576
TEXT_PLAIN = "text/plain"
TEMPFILE_FACTORY = lambda { |filename, content_type|
- Tempfile.new(["RackMultipart", ::File.extname(filename.gsub("\0", '%00'))])
+ extension = ::File.extname(filename.gsub("\0", '%00'))[0, 129]
+
+ Tempfile.new(["RackMultipart", extension])
}
BOUNDARY_REGEX = /\A([^\n]*(?:\n|\Z))/
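Review bot: `[0, 129]` in TEMPFILE_FACTORY is a magic number; the accompanying test expects a dot plus 128 characters, so a comment would keep the intent from being lost, e.g. `# File.extname keeps the leading dot, so this caps the extension at 128 characters and stops an overlong client-supplied filename from producing an oversized tempfile name`. Naming it (`MAX_EXTENSION_LENGTH = 129`) next to BUFSIZE would also let the test reference the same value instead of repeating 128.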
@@ -189,6 +191,7 @@
@sbuf = StringScanner.new("".dup)
@body_regex = /(?:#{EOL})?#{Regexp.quote(@boundary)}(?:#{EOL}|--)/m
+ @end_boundary_size = boundary.bytesize + 6 # (-- at start, -- at finish, EOL at end)
@rx_max_size = EOL.size + @boundary.bytesize + [EOL.size, '--'.size].max
@head_regex = /(.*?#{EOL})#{EOL}/m
end
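Review bot: The new `@end_boundary_size = boundary.bytesize + 6` hard-codes the EOL length that the comment describes, while the neighbouring line derives the same quantity from `EOL.size`, and it reads the local `boundary` where the lines around it use `@boundary`. Expressing it the same way ties the value to the comment and to whatever EOL actually is: `@end_boundary_size = @boundary.bytesize + ('--'.bytesize * 2) + EOL.bytesize`. I am assuming `boundary` and `@boundary` hold the same string at this point, which the hunk does not show; initialize begins and ends outside it. The comparison against `@sbuf.pos` in handle_fast_forward below depends on this constant being exact.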
@@ -229,7 +232,12 @@
end
def handle_fast_forward
- if consume_boundary
+ tok = consume_boundary
+
+ if tok == :END_BOUNDARY && @sbuf.pos == @end_boundary_size && @sbuf.eos?
+ # stop parsing a buffer if a buffer is only an end boundary.
+ @state = :DONE
+ elsif tok
@state = :MIME_HEAD
else
raise EOFError, "bad content body" if @sbuf.rest_size >= @bufsize
diff -Nru ruby-rack-2.2.6.4/lib/rack/request.rb ruby-rack-2.2.13/lib/rack/request.rb
--- ruby-rack-2.2.6.4/lib/rack/request.rb 2023-03-13 18:07:51.000000000 +0000
+++ ruby-rack-2.2.13/lib/rack/request.rb 2025-03-10 21:18:07.000000000 +0000
@@ -608,7 +608,7 @@
(?[\d\.]+)
|
# A hostname:
- (?[a-zA-Z0-9\.\-]+)
+ (?[a-zA-Z0-9\.\-_]+)
)
# The optional port:
(:(?\d+))?
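Review bot: The hostname alternative now admits `_`, which RFC 1123 host names do not allow, and nothing on the line records why; a one-line comment would stop a later cleanup from reverting it, e.g. `# A hostname (underscore tolerated: it appears in container/service names such as the one in the spec):`. The test added in spec_request.rb is the only hint at the motivation, so the rationale belongs next to the pattern too. The named-capture names appear stripped in this rendering, so I could not verify them here.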
diff -Nru ruby-rack-2.2.6.4/lib/rack/sendfile.rb ruby-rack-2.2.13/lib/rack/sendfile.rb
--- ruby-rack-2.2.6.4/lib/rack/sendfile.rb 2023-03-13 18:07:51.000000000 +0000
+++ ruby-rack-2.2.13/lib/rack/sendfile.rb 2025-03-10 21:18:07.000000000 +0000
@@ -133,7 +133,7 @@
end
when '', nil
else
- env[RACK_ERRORS].puts "Unknown x-sendfile variation: '#{type}'.\n"
+ env[RACK_ERRORS].puts "Unknown x-sendfile variation: #{type.inspect}"
end
end
[status, headers, body]
diff -Nru ruby-rack-2.2.6.4/lib/rack/session/cookie.rb ruby-rack-2.2.13/lib/rack/session/cookie.rb
--- ruby-rack-2.2.6.4/lib/rack/session/cookie.rb 2023-03-13 18:07:51.000000000 +0000
+++ ruby-rack-2.2.13/lib/rack/session/cookie.rb 2025-03-10 21:18:07.000000000 +0000
@@ -4,7 +4,7 @@
require 'zlib'
require_relative 'abstract/id'
require 'json'
-require 'base64'
+require 'delegate'
module Rack
@@ -50,11 +50,11 @@
# Encode session cookies as Base64
class Base64
def encode(str)
- ::Base64.strict_encode64(str)
+ [str].pack("m0")
end
def decode(str)
- ::Base64.decode64(str)
+ str.unpack("m").first
end
# Encode session cookies as Marshaled Base64 data
diff -Nru ruby-rack-2.2.6.4/lib/rack/static.rb ruby-rack-2.2.13/lib/rack/static.rb
--- ruby-rack-2.2.6.4/lib/rack/static.rb 2023-03-13 18:07:51.000000000 +0000
+++ ruby-rack-2.2.13/lib/rack/static.rb 2025-03-10 21:18:07.000000000 +0000
@@ -122,8 +122,9 @@
def call(env)
path = env[PATH_INFO]
+ actual_path = Utils.clean_path_info(Utils.unescape_path(path))
- if can_serve(path)
+ if can_serve(actual_path)
if overwrite_file_path(path)
env[PATH_INFO] = (add_index_root?(path) ? path + @index : @urls[path])
elsif @gzip && env['HTTP_ACCEPT_ENCODING'] && /\bgzip\b/.match?(env['HTTP_ACCEPT_ENCODING'])
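Review bot: `can_serve` is now gated on `actual_path` (the unescaped, `..`-normalised form), but the lines right after it still read the raw `path` for `overwrite_file_path(path)`, `@urls[path]` and the rewritten `PATH_INFO`, so the decision and the rewrite are made on two different strings. If that is deliberate (only the serve/no-serve decision needs normalising, the rest of `call` is outside this hunk), a comment such as `# decide on the normalised path so ".." segments cannot widen the served set; rewriting still keys on the raw path` would make it clear; otherwise the same `actual_path` should probably feed the lookups. I am also assuming `Utils.unescape_path` does not raise on malformed percent-escapes here, since any exception on this line would now surface before the app sees the request.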
diff -Nru ruby-rack-2.2.6.4/lib/rack/utils.rb ruby-rack-2.2.13/lib/rack/utils.rb
--- ruby-rack-2.2.6.4/lib/rack/utils.rb 2023-03-13 18:07:51.000000000 +0000
+++ ruby-rack-2.2.13/lib/rack/utils.rb 2025-03-10 21:18:07.000000000 +0000
@@ -24,6 +24,7 @@
RFC2822_DAY_NAME = [ 'Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat' ]
RFC2822_MONTH_NAME = [ 'Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec' ]
+ RFC2396_PARSER = defined?(URI::RFC2396_PARSER) ? URI::RFC2396_PARSER : URI::RFC2396_Parser.new
class << self
attr_accessor :default_query_parser
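Review bot: The new `RFC2396_PARSER` constant has no comment explaining why a specific parser is pinned instead of `URI::DEFAULT_PARSER`, which the two hunks below replace in escape_path and unescape_path; the `defined?` fallback suggests this tracks a change in the uri library, but nothing on the page says so. A short note would help the next reader, e.g. `# Pin the RFC 2396 parser so path (un)escaping keeps its historical behaviour regardless of which parser URI::DEFAULT_PARSER resolves to on a given Ruby/uri version`. The ternary form is fine for a constant initialised once at load time.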
@@ -42,13 +43,13 @@
# Like URI escaping, but with %20 instead of +. Strictly speaking this is
# true URI escaping.
def escape_path(s)
- ::URI::DEFAULT_PARSER.escape s
+ RFC2396_PARSER.escape s
end
# Unescapes the **path** component of a URI. See Rack::Utils.unescape for
# unescaping query parameters or form components.
def unescape_path(s)
- ::URI::DEFAULT_PARSER.unescape s
+ RFC2396_PARSER.unescape s
end
# Unescapes a URI escaped string with +encoding+. +encoding+ will be the
@@ -142,8 +143,8 @@
end
def q_values(q_value_header)
- q_value_header.to_s.split(/\s*,\s*/).map do |part|
- value, parameters = part.split(/\s*;\s*/, 2)
+ q_value_header.to_s.split(',').map do |part|
+ value, parameters = part.split(';', 2).map(&:strip)
quality = 1.0
if parameters && (md = /\Aq=([\d.]+)/.match(parameters))
quality = md[1].to_f
@@ -380,6 +381,9 @@
end
ranges << (r0..r1) if r0 <= r1
end
+
+ return [] if ranges.map(&:size).inject(0, :+) > size
+
ranges
end
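Review bot: The added `return [] if ranges.map(&:size).inject(0, :+) > size` carries no comment, and the reason is not obvious from the line itself; the companion test in spec_utils.rb shows it rejects overlapping ranges whose combined length exceeds the resource. A comment such as `# Refuse range sets whose total length exceeds the resource: overlapping or repeated ranges would otherwise let a single request expand the response well beyond the file size` records the intent. `inject(0, :+)` rather than `sum` is presumably deliberate for the older Rubies in the CI matrix and is worth a word as well. The start of byte_ranges is outside this hunk.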
diff -Nru ruby-rack-2.2.6.4/lib/rack/version.rb ruby-rack-2.2.13/lib/rack/version.rb
--- ruby-rack-2.2.6.4/lib/rack/version.rb 2023-03-13 18:07:51.000000000 +0000
+++ ruby-rack-2.2.13/lib/rack/version.rb 2025-03-10 21:18:07.000000000 +0000
@@ -20,7 +20,7 @@
VERSION.join(".")
end
- RELEASE = "2.2.6.4"
+ RELEASE = "2.2.13"
# Return the Rack release as a dotted string.
def self.release
diff -Nru ruby-rack-2.2.6.4/test/spec_common_logger.rb ruby-rack-2.2.13/test/spec_common_logger.rb
--- ruby-rack-2.2.6.4/test/spec_common_logger.rb 2023-03-13 18:07:51.000000000 +0000
+++ ruby-rack-2.2.13/test/spec_common_logger.rb 2025-03-10 21:18:07.000000000 +0000
@@ -87,12 +87,17 @@
(0..1).must_include duration.to_f
end
- it "escapes non printable characters except newline" do
+ it "escapes non printable characters including newline" do
logdev = StringIO.new
log = Logger.new(logdev)
Rack::MockRequest.new(Rack::CommonLogger.new(app_without_lint, log)).request("GET\b", "/hello")
logdev.string.must_match(/GET\\x8 \/hello/)
+
+ Rack::MockRequest.new(Rack::CommonLogger.new(app, log)).get("/", 'REMOTE_USER' => "foo\nbar", "QUERY_STRING" => "bar\nbaz")
+ logdev.string[-1].must_equal "\n"
+ logdev.string.must_include("foo\\xabar")
+ logdev.string.must_include("bar\\xabaz")
end
it "log path with PATH_INFO" do
diff -Nru ruby-rack-2.2.6.4/test/spec_multipart.rb ruby-rack-2.2.13/test/spec_multipart.rb
--- ruby-rack-2.2.6.4/test/spec_multipart.rb 2023-03-13 18:07:51.000000000 +0000
+++ ruby-rack-2.2.13/test/spec_multipart.rb 2025-03-10 21:18:07.000000000 +0000
@@ -704,6 +704,28 @@
params["file"][:filename].must_equal 'long' * 100
end
+ it "limits very long file name extensions in multipart tempfiles" do
+ data = <<-EOF
+--AaB03x\r
+content-type: text/plain\r
+content-disposition: attachment; name=file; filename=foo.#{'a' * 1000}\r
+\r
+contents\r
+--AaB03x--\r
+ EOF
+
+ options = {
+ "CONTENT_TYPE" => "multipart/form-data; boundary=AaB03x",
+ "CONTENT_LENGTH" => data.length.to_s,
+ :input => StringIO.new(data)
+ }
+ env = Rack::MockRequest.env_for("/", options)
+ params = Rack::Multipart.parse_multipart(env)
+
+ params["file"][:filename].must_equal "foo.#{'a' * 1000}"
+ File.extname(env["rack.tempfiles"][0]).must_equal ".#{'a' * 128}"
+ end
+
it "parse unquoted parameter values at end of line" do
data = <<-EOF
--AaB03x\r
diff -Nru ruby-rack-2.2.6.4/test/spec_request.rb ruby-rack-2.2.13/test/spec_request.rb
--- ruby-rack-2.2.6.4/test/spec_request.rb 2023-03-13 18:07:51.000000000 +0000
+++ ruby-rack-2.2.13/test/spec_request.rb 2025-03-10 21:18:07.000000000 +0000
@@ -122,6 +122,11 @@
req.hostname.must_equal "123foo.example.com"
req = make_request \
+ Rack::MockRequest.env_for("/", "HTTP_HOST" => "some_service:3001")
+ req.host.must_equal "some_service"
+ req.hostname.must_equal "some_service"
+
+ req = make_request \
Rack::MockRequest.env_for("/", "SERVER_NAME" => "example.org", "SERVER_PORT" => "9292")
req.host.must_equal "example.org"
req.hostname.must_equal "example.org"
@@ -157,6 +162,10 @@
req.port.must_equal 81
req = make_request \
+ Rack::MockRequest.env_for("/", "HTTP_HOST" => "some_service:3001")
+ req.port.must_equal 3001
+
+ req = make_request \
Rack::MockRequest.env_for("/", "SERVER_NAME" => "example.org", "SERVER_PORT" => "9292")
req.port.must_equal 9292
@@ -1000,6 +1009,24 @@
f[:tempfile].size.must_equal 76
end
+ it "parse multipart delimiter-only boundary" do
+ input = < "multipart/form-data, boundary=AaB03x",
+ "CONTENT_LENGTH" => input.size,
+ :input => input
+ )
+
+ req = make_request mr
+ req.query_string.must_equal ""
+ req.GET.must_be :empty?
+ req.POST.must_be :empty?
+ req.params.must_equal({})
+ end
+
it "MultipartPartLimitError when request has too many multipart file parts if limit set" do
begin
data = 10000.times.map { "--AaB03x\r\nContent-Type: text/plain\r\nContent-Disposition: attachment; name=#{SecureRandom.hex(10)}; filename=#{SecureRandom.hex(10)}\r\n\r\ncontents\r\n" }.join("\r\n")
diff -Nru ruby-rack-2.2.6.4/test/spec_sendfile.rb ruby-rack-2.2.13/test/spec_sendfile.rb
--- ruby-rack-2.2.6.4/test/spec_sendfile.rb 2023-03-13 18:07:51.000000000 +0000
+++ ruby-rack-2.2.13/test/spec_sendfile.rb 2025-03-10 21:18:07.000000000 +0000
@@ -48,7 +48,7 @@
response.headers.wont_include 'X-Sendfile'
io.rewind
- io.read.must_equal "Unknown x-sendfile variation: 'X-Banana'.\n"
+ io.read.must_equal "Unknown x-sendfile variation: \"X-Banana\"\n"
end
end
diff -Nru ruby-rack-2.2.6.4/test/spec_static.rb ruby-rack-2.2.13/test/spec_static.rb
--- ruby-rack-2.2.6.4/test/spec_static.rb 2023-03-13 18:07:51.000000000 +0000
+++ ruby-rack-2.2.13/test/spec_static.rb 2025-03-10 21:18:07.000000000 +0000
@@ -43,6 +43,12 @@
res.body.must_match(/ruby/)
end
+ it "does not serve files outside :urls" do
+ res = @request.get("/cgi/../#{File.basename(__FILE__)}")
+ res.must_be :ok?
+ res.body.must_equal "Hello World"
+ end
+
it "404s if url root is known but it can't find the file" do
res = @request.get("/cgi/foo")
res.must_be :not_found?
diff -Nru ruby-rack-2.2.6.4/test/spec_utils.rb ruby-rack-2.2.13/test/spec_utils.rb
--- ruby-rack-2.2.6.4/test/spec_utils.rb 2023-03-13 18:07:51.000000000 +0000
+++ ruby-rack-2.2.13/test/spec_utils.rb 2025-03-10 21:18:07.000000000 +0000
@@ -590,6 +590,10 @@
end
describe Rack::Utils, "byte_range" do
+ it "returns an empty list if the sum of the ranges is too large" do
+ assert_equal [], Rack::Utils.byte_ranges({ "HTTP_RANGE" => "bytes=0-20,0-500" }, 500)
+ end
+
it "ignore missing or syntactically invalid byte ranges" do
Rack::Utils.byte_ranges({}, 500).must_be_nil
Rack::Utils.byte_ranges({ "HTTP_RANGE" => "foobar" }, 500).must_be_nil