| Commit message | Description | Author | Date | Files | Lines |
|---|---|---|---|---|---|
| bump version (tag: v2.0.9.3, branch: 2-0-stable) | | Aaron Patterson | 2023-03-02 | 2 | -1/+5 |
| Limit all multipart parts, not just files | Previously we would limit the number of multipart parts which were files, but not other parts. In some cases this could cause parsing of maliciously crafted inputs to take longer than expected. [CVE-2023-27530] | John Hawthorn | 2023-03-02 | 5 | -12/+77 |
| bumping version (tag: v2.0.9.2) | | Aaron Patterson | 2023-01-17 | 1 | -1/+1 |
| Update changelog | | Aaron Patterson | 2023-01-17 | 1 | -0/+6 |
| Fix ReDoS vulnerability in multipart parser | This commit fixes a ReDoS vulnerability when parsing the Content-Disposition field in multipart attachments. Thanks to @ooooooo_q for the patch! [CVE-2022-44571] | Aaron Patterson | 2023-01-17 | 1 | -1/+1 |
| Fix ReDoS in Rack::Utils.get_byte_ranges | This commit fixes a ReDoS problem in `get_byte_ranges`. Thanks @ooooooo_q for the patch! [CVE-2022-44570] | Aaron Patterson | 2023-01-17 | 1 | -5/+6 |
| Forbid control characters in attributes | This commit restricts the characters accepted in ATTRIBUTE_CHAR, forbidding control characters and fixing a ReDOS vulnerability. This also now should fully follow the RFCs. RFC 2231, Section 7 specifies: `attribute-char := <any (US-ASCII) CHAR except SPACE, CTLs, "*", "'", "%", or tspecials>`. RFC 2045, Appendix A specifies: `tspecials := "(" / ")" / "<" / ">" / "@" / "," / ";" / ":" / "\" / <"> / "/" / "[" / "]" / "?" / "="`. RFC 822, Section 3.3 specifies: `CTL = <any ASCII control character and DEL>` (octal 0-37 and 177, decimal 0.-31. and 127.); `SPACE = <ASCII SP, space>` (octal 40, decimal 32.). [CVE-2022-44572] | John Hawthorn | 2023-01-17 | 1 | -1/+1 |
| update changelog (tag: 2.0.9.1) | | Aaron Patterson | 2022-05-27 | 1 | -0/+5 |
| bump version | | Aaron Patterson | 2022-05-26 | 1 | -1/+1 |
| Escape untrusted text when logging | This fixes a shell escape issue. [CVE-2022-30123] | Aaron Patterson | 2022-05-26 | 4 | -1/+21 |
| Restrict broken mime parsing | This commit restricts broken mime parsing to deal with a ReDOS vulnerability. [CVE-2022-30122] | Aaron Patterson | 2022-05-26 | 4 | -18/+5 |
| bump version (tag: 2.0.9) | | Aaron Patterson | 2020-02-08 | 1 | -1/+1 |
| Handle case where session id key is requested but it is missing | Use historical behavior of returning nil in this case. Add tests for Rack::Session::Abstract::PersistedSecure::SecureSessionHash, mostly based on the existing ones for Rack::Session::Abstract::SessionHash. Fixes #1433. Needs backport to 1.6 and 2.0. | Jeremy Evans | 2020-01-13 | 2 | -1/+74 |
| Merge pull request #1455 from trainline-eu/2-0-stable | Backport support for SameSite=None cookie flag to 2-0-stable branch | Rafael França | 2020-01-10 | 2 | -0/+20 |
| Added support for SameSite=None cookie value, added in revision 3 of rfc6265bis | https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03#appendix-A.4. Indicates that the cookie is used as a third-party cookie. | Henning Kulander | 2020-01-07 | 2 | -0/+20 |
| Merge pull request #1462 from jeremyevans/sessionid-to_s | Make SessionId#to_s be an alias of #public_id | Aaron Patterson | 2020-01-10 | 1 | -1/+1 |
| Bumping version (tag: 2.0.8) | | Aaron Patterson | 2019-12-18 | 1 | -1/+1 |
| Introduce a new base class to avoid breaking when upgrading | Third-party session stores would still need to be changed to be more secure, but only upgrading rack will not break any application. | Rafael Mendonça França | 2019-12-17 | 5 | -22/+54 |
| Add a version prefix to the private id to make it easier to migrate old values | | Rafael Mendonça França | 2019-12-17 | 2 | -3/+3 |
| Fallback to the public id when reading the session in the pool adapter | | Rafael Mendonça França | 2019-12-17 | 3 | -4/+49 |
| Also drop the session with the public id when destroying sessions | | Rafael Mendonça França | 2019-12-17 | 2 | -0/+22 |
| Fallback to the legacy id when the new id is not found | This will avoid all sessions being invalidated. | Rafael Mendonça França | 2019-12-17 | 2 | -1/+24 |
| Add the private id | | Aaron Patterson | 2019-12-17 | 1 | -1/+1 |
| revert conditionals to master | | Aaron Patterson | 2019-12-17 | 3 | -3/+3 |
| remove NullSession | | Aaron Patterson | 2019-12-17 | 3 | -18/+5 |
| remove `\|\| raise` and get closer to master | | Aaron Patterson | 2019-12-17 | 2 | -7/+4 |
| store hashed id, send public id | | Aaron Patterson | 2019-12-17 | 4 | -12/+22 |
| use session id objects | | Aaron Patterson | 2019-12-17 | 5 | -15/+44 |
| remove more nils | | Aaron Patterson | 2019-12-17 | 3 | -7/+16 |
| try to ensure we always have some kind of object | | Aaron Patterson | 2019-12-17 | 2 | -4/+11 |
| Bumping to 2.0.7 for release (tag: 2.0.7) | | eileencodes | 2019-04-02 | 1 | -1/+1 |
| Merge pull request #1343 from larsxschneider/ls/forward-fix | Backport: Preserve forwarded IP address for trusted proxy chains | Eileen M. Uchitelle | 2019-02-19 | 2 | -2/+11 |
| Preserve forwarded IP address for trusted proxy chains | Sometimes proxies make requests to Rack applications, for example HAProxy health checks and so on. Previously the forwarded IP implementation ate up these IP addresses, making it hard to tell in Rack applications who made the request. | Sam | 2019-02-19 | 2 | -2/+11 |
| Merge pull request #1201 from janko-m/make-multipart-parsing-work-for-chunked-requests | Don't use #eof? when parsing multipart | Rafael França | 2018-12-20 | 1 | -9/+6 |
| Bumping version for release (tag: 2.0.6) | | Aaron Patterson | 2018-11-05 | 1 | -1/+1 |
| Whitelist http/https schemes | [CVE-2018-16471] | Patrick Tulskie | 2018-11-05 | 2 | -4/+22 |
| Reduce buffer size to avoid pathological parsing | [CVE-2018-16470] Revert "Merge pull request #1192 from jkowens/master". This reverts commit c43217a81917de03aa6ceb1aa485ae69b8bb4598. | Aaron Patterson | 2018-11-05 | 1 | -1/+1 |
| Merge tag '2.0.5' into 2-0-stable | * tag '2.0.5': Bump version for release | Aaron Patterson | 2018-11-05 | 1 | -1/+1 |
| Bump version for release (tag: 2.0.5) | | eileencodes | 2018-04-23 | 1 | -1/+1 |
| Merge pull request #1296 from tomelm/fix-prefers-plaintext | Call the correct accepts_html? method for prefer_plaintext | Rafael França | 2018-09-12 | 2 | -1/+14 |
| Merge pull request #1268 from eileencodes/forwardport-pr-1249-to-2-0-stable | Merge pull request #1249 from mclark/handle-invalid-method-parameters | Eileen M. Uchitelle | 2018-04-23 | 2 | -1/+19 |
| Merge pull request #1249 from mclark/handle-invalid-method-parameters | handle failure to upcase invalid UTF8 strings for `_method` values | Eileen M. Uchitelle | 2018-04-23 | 2 | -1/+19 |
| Stick with a passing version of Rubygems and bundler | Rubygems 2.7.5 has a bug with JRuby, and Bundler is being unstable lately, so it is better to stick with a version we know tests are going to pass. | Rafael Mendonça França | 2018-04-23 | 1 | -1/+1 |
| Leahize | Keeping original copyright lines so far. | Leah Neukirchen | 2018-04-11 | 2 | -5/+3 |
| Bumping version (tag: 2.0.4) | | Aaron Patterson | 2018-01-31 | 1 | -1/+1 |
| webrick: remove concurrent-ruby dev dependency | Using the Queue class in stdlib is sufficient for this test, so there's no need for a new development dependency. And one big reason I like webrick is it's bundled with Ruby and has no 3rd-party C ext dependencies; so having to download and install one is a bummer. | Eric Wong | 2018-01-31 | 2 | -9/+5 |
| Merge pull request #1190 from hugoabonizio/master | Update homepage links to be HTTPS | Rafael França | 2018-01-31 | 2 | -3/+3 |
| Merge pull request #1193 from tompng/multipart_less_memory | Reduce memory usage when uploading large file | Rafael França | 2018-01-31 | 1 | -6/+6 |
| Merge pull request #1192 from jkowens/master | Boost multipart parsing perf by increasing buffer size from 16 KiB to 1 MiB | Jeremy Daer | 2018-01-31 | 1 | -1/+1 |
| Merge pull request #1179 from tompng/master | Large file upload performance fix | Jeremy Daer | 2018-01-31 | 1 | -5/+7 |