* bump version [v2.0.9.3, 2-0-stable] (Aaron Patterson, 2023-03-02; 2 files, -1/+5)

* Limit all multipart parts, not just files (John Hawthorn, 2023-03-02; 5 files, -12/+77)
  Previously we would limit the number of multipart parts which were files, but not other parts. In some cases this could cause parsing of maliciously crafted inputs to take longer than expected. [CVE-2023-27530]
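As an added illustration of the rule stated in that commit message (example code written for this page, not Rack's multipart parser; the 128-part limit, the boundary string and the sample body are all constructed for the example), here is a minimal multipart splitter that counts every part against one limit, whether or not the part carries a filename, and aborts as soon as the limit is passed rather than after the whole body has been parsed:

```ruby
# Assumed limit for this example; any part, file or field, counts against it.
MAX_PARTS = 128

class TooManyParts < StandardError; end

# Splits a multipart/form-data body on its boundary and returns one entry per
# part: { name:, filename: (nil for non-file parts), body: }. Raises
# TooManyParts as soon as the part count exceeds limit, before parsing any more.
def parse_multipart(body, boundary, limit: MAX_PARTS)
  delim = "--#{boundary}"
  parts = []
  # Body layout: "--boundary\r\n<headers>\r\n\r\n<content>\r\n ... --boundary--\r\n"
  body.split(delim).each do |chunk|
    # Skip the (empty) preamble and the "--\r\n" epilogue after the final boundary.
    next if chunk.empty? || chunk.start_with?("--")
    chunk = chunk.sub(/\A\r\n/, "")
    headers, content = chunk.split("\r\n\r\n", 2)
    next unless content
    content = content.chomp("\r\n")
    disp = headers[/^Content-Disposition:.*$/i] || ""
    name = disp[/\bname="([^"]*)"/, 1]
    filename = disp[/\bfilename="([^"]*)"/, 1]
    parts << { name: name, filename: filename, body: content }
    # Count is checked per part, so a flood of tiny non-file fields is cut off
    # at the limit instead of being parsed to the end.
    raise TooManyParts, "more than #{limit} multipart parts" if parts.size > limit
  end
  parts
end

# Constructed sample body: one plain field, one file part, plus extra_fields
# additional plain fields to simulate a part-count flood.
def sample_body(boundary, extra_fields: 0)
  b = +""
  b << "--#{boundary}\r\nContent-Disposition: form-data; name=\"title\"\r\n\r\nhello\r\n"
  b << "--#{boundary}\r\nContent-Disposition: form-data; name=\"upload\"; filename=\"a.txt\"\r\n" \
       "Content-Type: text/plain\r\n\r\ncontents\r\n"
  extra_fields.times do |i|
    b << "--#{boundary}\r\nContent-Disposition: form-data; name=\"f#{i}\"\r\n\r\n#{i}\r\n"
  end
  b << "--#{boundary}--\r\n"
end

BOUNDARY = "XyZ123"

# Returns [parts in the normal body, file parts among them, outcome of the flood].
def demo
  ok = parse_multipart(sample_body(BOUNDARY), BOUNDARY)
  flooded = begin
    parse_multipart(sample_body(BOUNDARY, extra_fields: 300), BOUNDARY)
    :not_raised
  rescue TooManyParts
    :rejected
  end
  [ok.size, ok.count { |p| p[:filename] }, flooded]
end
```

The flood body in `demo` contains no file parts at all, which is exactly the case a file-only limit would wave through; counting at the point each part is appended is what makes the cost bounded by the limit rather than by the attacker's body size.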
* bumping version [v2.0.9.2] (Aaron Patterson, 2023-01-17; 1 file, -1/+1)

* Update changelog (Aaron Patterson, 2023-01-17; 1 file, -0/+6)

* Fix ReDoS vulnerability in multipart parser (Aaron Patterson, 2023-01-17; 1 file, -1/+1)
  This commit fixes a ReDoS vulnerability when parsing the Content-Disposition field in multipart attachments. Thanks to @ooooooo_q for the patch! [CVE-2022-44571]

* Fix ReDoS in Rack::Utils.get_byte_ranges (Aaron Patterson, 2023-01-17; 1 file, -5/+6)
  This commit fixes a ReDoS problem in `get_byte_ranges`. Thanks @ooooooo_q for the patch! [CVE-2022-44570]

* Forbid control characters in attributes (John Hawthorn, 2023-01-17; 1 file, -1/+1)
  This commit restricts the characters accepted in ATTRIBUTE_CHAR, forbidding control characters and fixing a ReDOS vulnerability. This also now should fully follow the RFCs.

  RFC 2231, Section 7 specifies:

      attribute-char := <any (US-ASCII) CHAR except SPACE, CTLs,
                         "*", "'", "%", or tspecials>

  RFC 2045, Appendix A specifies:

      tspecials :=  "(" / ")" / "<" / ">" / "@" /
                    "," / ";" / ":" / "\" / <">
                    "/" / "[" / "]" / "?" / "="

  RFC 822, Section 3.3 specifies:

      CTL         =  <any ASCII control           ; (  0- 37,  0.- 31.)
                      character and DEL>          ; (    177,     127.)
      SPACE       =  <ASCII SP, space>            ; (     40,      32.)

  [CVE-2022-44572]
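The three grammar fragments quoted in that message fully determine the attribute-char set. As an added example (code written for this page, not Rack's own ATTRIBUTE_CHAR definition; the header value used at the end is constructed), the following builds the set directly from those definitions, turns it into a regexp character class, and checks parameter names from a Content-Disposition-style value against it:

```ruby
# RFC 2045 tspecials, listed exactly as in the grammar above.
TSPECIALS = ["(", ")", "<", ">", "@", ",", ";", ":", "\\", "\"",
             "/", "[", "]", "?", "="].freeze

# RFC 822: CTL is octets 0-31 plus DEL (127); SPACE is octet 32.
CTLS_AND_DEL = ((0..31).to_a << 127).map { |i| i.chr(Encoding::UTF_8) }.freeze
SPACE = " "

# attribute-char := <any (US-ASCII) CHAR except SPACE, CTLs, "*", "'", "%", or tspecials>
EXCLUDED = (CTLS_AND_DEL + [SPACE, "*", "'", "%"] + TSPECIALS).freeze
ATTRIBUTE_CHARS = ((0..127).map { |i| i.chr(Encoding::UTF_8) } - EXCLUDED).freeze

# The same set as a regexp character class. Regexp.escape keeps "-", "^" and
# similar characters literal inside the brackets.
ATTRIBUTE_CHAR_CLASS = /[#{Regexp.escape(ATTRIBUTE_CHARS.join)}]/
ATTRIBUTE_RE = /\A#{ATTRIBUTE_CHAR_CLASS}+\z/

def attribute_char?(ch)
  ATTRIBUTE_CHARS.include?(ch)
end

# True when str is non-empty and every character is an attribute-char. The
# regexp is a single character class under one quantifier, so matching is
# linear in the input length: no nested quantifiers to backtrack into.
def valid_attribute?(str)
  ATTRIBUTE_RE.match?(str)
end

# Split the parameters off a header value such as
#   form-data; name="upload"; filename="a.txt"
# and report, per parameter, whether its attribute name is within the grammar.
# (Splitting on ";" ignores quoted values that themselves contain ";", which is
# acceptable for this demonstration of the attribute-name check.)
def check_header_params(value)
  _type, *params = value.split(";").map(&:strip)
  params.map do |param|
    attr, _val = param.split("=", 2)
    [attr.to_s, valid_attribute?(attr.to_s)]
  end
end
```

A control character anywhere in the attribute name fails the check, as do the RFC 2231 extension markers `*` and `'` that the grammar excludes, while ordinary names such as `name` and `filename` pass.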
* update changelog [2.0.9.1] (Aaron Patterson, 2022-05-27; 1 file, -0/+5)

* bump version (Aaron Patterson, 2022-05-26; 1 file, -1/+1)

* Escape untrusted text when logging (Aaron Patterson, 2022-05-26; 4 files, -1/+21)
  This fixes a shell escape issue [CVE-2022-30123]

* Restrict broken mime parsing (Aaron Patterson, 2022-05-26; 4 files, -18/+5)
  This commit restricts broken mime parsing to deal with a ReDOS vulnerability. [CVE-2022-30122]

* bump version [2.0.9] (Aaron Patterson, 2020-02-08; 1 file, -1/+1)

* Handle case where session id key is requested but it is missing (Jeremy Evans, 2020-01-13; 2 files, -1/+74)
  Use historical behavior of returning nil in this case. Add tests for Rack::Session::Abstract::PersistedSecure::SecureSessionHash, mostly based on the existing ones for Rack::Session::Abstract::SessionHash. Fixes #1433. Needs backport to 1.6 and 2.0.

* Merge pull request #1455 from trainline-eu/2-0-stable (Rafael França, 2020-01-10; 2 files, -0/+20)
  Backport support for SameSite=None cookie flag to 2-0-stable branch

  * Added support for SameSite=None cookie value, added in revision 3 of rfc6265bis (Henning Kulander, 2020-01-07; 2 files, -0/+20)
    - https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03#appendix-A.4
    - Indicates that cookie is used as a third party cookie.

* Merge pull request #1462 from jeremyevans/sessionid-to_s (Aaron Patterson, 2020-01-10; 1 file, -1/+1)
  Make SessionId#to_s be an alias of #public_id

* Bumping version [2.0.8] (Aaron Patterson, 2019-12-18; 1 file, -1/+1)

* Introduce a new base class to avoid breaking when upgrading (Rafael Mendonça França, 2019-12-17; 5 files, -22/+54)
  Third-party session stores would still need to be changed to be more secure, but only upgrading rack will not break any application.

* Add a version prefix to the private id to make it easier to migrate old values (Rafael Mendonça França, 2019-12-17; 2 files, -3/+3)

* Fallback to the public id when reading the session in the pool adapter (Rafael Mendonça França, 2019-12-17; 3 files, -4/+49)

* Also drop the session with the public id when destroying sessions (Rafael Mendonça França, 2019-12-17; 2 files, -0/+22)

* Fallback to the legacy id when the new id is not found (Rafael Mendonça França, 2019-12-17; 2 files, -1/+24)
  This will avoid all sessions being invalidated.

* Add the private id (Aaron Patterson, 2019-12-17; 1 file, -1/+1)

* revert conditionals to master (Aaron Patterson, 2019-12-17; 3 files, -3/+3)

* remove NullSession (Aaron Patterson, 2019-12-17; 3 files, -18/+5)

* remove || raise and get closer to master (Aaron Patterson, 2019-12-17; 2 files, -7/+4)

* store hashed id, send public id (Aaron Patterson, 2019-12-17; 4 files, -12/+22)

* use session id objects (Aaron Patterson, 2019-12-17; 5 files, -15/+44)

* remove more nils (Aaron Patterson, 2019-12-17; 3 files, -7/+16)

* try to ensure we always have some kind of object (Aaron Patterson, 2019-12-17; 2 files, -4/+11)

* Bumping to 2.0.7 for release [2.0.7] (eileencodes, 2019-04-02; 1 file, -1/+1)

* Merge pull request #1343 from larsxschneider/ls/forward-fix (Eileen M. Uchitelle, 2019-02-19; 2 files, -2/+11)
  Backport: Preserve forwarded IP address for trusted proxy chains

  * Preserve forwarded IP address for trusted proxy chains (Sam, 2019-02-19; 2 files, -2/+11)
    Sometimes proxies make requests to Rack applications, for example HAProxy health checks and so on. Previously the forwarded IP implementation ate up these IP addresses, making it hard to tell in Rack applications who made the request.
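The situation that commit describes, a request whose every hop is a trusted proxy, is worth seeing next to the normal case. As an added example (code written for this page, not Rack's `Request#ip`; the trusted ranges, the fallback choice and the sample addresses are assumptions of this example), the following resolves a client address from `REMOTE_ADDR` and `X-Forwarded-For` by walking the chain from the right and discarding trusted proxies, and, when nothing untrusted remains, keeps the last forwarded address instead of returning nothing:

```ruby
require "ipaddr"

# Assumed trusted proxy ranges for this example: loopback plus RFC 1918 space.
TRUSTED_PROXIES = %w[127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16]
                    .map { |cidr| IPAddr.new(cidr) }.freeze

def trusted?(ip)
  addr = IPAddr.new(ip)
  TRUSTED_PROXIES.any? { |net| net.include?(addr) }
rescue IPAddr::InvalidAddressError
  # Garbage in the header is never treated as a trusted hop.
  false
end

# "a, b, c" -> ["a", "b", "c"]; nil or "" -> [].
def split_ips(header)
  header.to_s.split(",").map(&:strip).reject(&:empty?)
end

# Resolves the client IP for a request.
#   remote_addr   - the TCP peer (REMOTE_ADDR)
#   forwarded_for - the X-Forwarded-For header value, or nil
def client_ip(remote_addr, forwarded_for)
  # If the peer is not one of our proxies, the header is untrustworthy: ignore it.
  return remote_addr unless trusted?(remote_addr)

  hops = split_ips(forwarded_for)
  untrusted = hops.reject { |hop| trusted?(hop) }
  # Proxies append to the right, so the rightmost untrusted hop is the address
  # seen by the first trusted proxy; anything left of it is client-supplied.
  return untrusted.last if untrusted.any?

  # Every hop is a trusted proxy (e.g. a health check originating inside the
  # proxy tier). Keep the forwarded address rather than discarding the chain,
  # falling back to the peer only when no header was sent at all.
  hops.last || remote_addr
end
```

Note the order of checks: the peer is validated before the header is consulted, so a direct client cannot supply its own `X-Forwarded-For` to masquerade, and a spoofed entry placed to the left of the real client address is dropped because it is not the rightmost untrusted hop.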
* Merge pull request #1201 from janko-m/make-multipart-parsing-work-for-chunked-requests (Rafael França, 2018-12-20; 1 file, -9/+6)
  Don't use #eof? when parsing multipart

* Bumping version for release [2.0.6] (Aaron Patterson, 2018-11-05; 1 file, -1/+1)

* Whitelist http/https schemes (Patrick Tulskie, 2018-11-05; 2 files, -4/+22)
  [CVE-2018-16471]

* Reduce buffer size to avoid pathological parsing (Aaron Patterson, 2018-11-05; 1 file, -1/+1)
  [CVE-2018-16470]

  Revert "Merge pull request #1192 from jkowens/master"

  This reverts commit c43217a81917de03aa6ceb1aa485ae69b8bb4598.

* Merge tag '2.0.5' into 2-0-stable (Aaron Patterson, 2018-11-05; 1 file, -1/+1)
  * tag '2.0.5':
    Bump version for release

  * Bump version for release [2.0.5] (eileencodes, 2018-04-23; 1 file, -1/+1)

* Merge pull request #1296 from tomelm/fix-prefers-plaintext (Rafael França, 2018-09-12; 2 files, -1/+14)
  Call the correct accepts_html? method for prefer_plaintext

* Merge pull request #1268 from eileencodes/forwardport-pr-1249-to-2-0-stable (Eileen M. Uchitelle, 2018-04-23; 2 files, -1/+19)
  Merge pull request #1249 from mclark/handle-invalid-method-parameters

  * Merge pull request #1249 from mclark/handle-invalid-method-parameters (Eileen M. Uchitelle, 2018-04-23; 2 files, -1/+19)
    handle failure to upcase invalid UTF8 strings for `_method` values

* Stick with a passing version of Rubygems and bundler (Rafael Mendonça França, 2018-04-23; 1 file, -1/+1)
  Rubygems 2.7.5 has a bug with JRuby and Bundler is being unstable lately, so it is better to stick with a version we know tests are going to pass.

* Leahize (Leah Neukirchen, 2018-04-11; 2 files, -5/+3)
  Keeping original copyright lines so far.

* Bumping version [2.0.4] (Aaron Patterson, 2018-01-31; 1 file, -1/+1)

* webrick: remove concurrent-ruby dev dependency (Eric Wong, 2018-01-31; 2 files, -9/+5)
  Using the Queue class in stdlib is sufficient for this test, so there's no need for a new development dependency. And one big reason I like webrick is it's bundled with Ruby and has no 3rd-party C ext dependencies; so having to download and install one is a bummer.

* Merge pull request #1190 from hugoabonizio/master (Rafael França, 2018-01-31; 2 files, -3/+3)
  Update homepage links to be HTTPS

* Merge pull request #1193 from tompng/multipart_less_memory (Rafael França, 2018-01-31; 1 file, -6/+6)
  Reduce memory usage when uploading large file

* Merge pull request #1192 from jkowens/master (Jeremy Daer, 2018-01-31; 1 file, -1/+1)
  Boost multipart parsing perf by increasing buffer size from 16 KiB to 1 MiB

* Merge pull request #1179 from tompng/master (Jeremy Daer, 2018-01-31; 1 file, -5/+7)
  Large file upload performance fix