| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
|
|
|
|
|
| |
Not strictly necessary, but this limits the damage in pathological
cases. These limits are probably already too generous, we could
probably get by with 8 params and 1024 bytes. One of tests uses
more than 1024 bytes, though. Still, it seems unlikely any
legitimate requests would exceed these limits. We could make the
limits configurable via an accessor method, if desired.
|
|
|
|
|
| |
Use BINARY for this, as we do for multipart encodings. Extract a
find_encoding method for this.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The ReDoS fix in ee25ab9a7ee981d7578f559701085b0cf39bde77 breaks valid
requests, because colons are valid inside parameter values. You cannot
use a regexp scan and ensure correct behavior, since values inside
parameters can be escaped. Issues like this are the reason for the
famous "now they have two problems" quote regarding regexps.
Add a basic parser for parameters in Content-Disposition. This parser
is based purely on String#{index,slice!,[],==}, usually with string
arguments for #index (though one case uses a simple regexp). There
are two loops (one nested in the other), but the use of slice! ensures
that forward progress is always made on each loop iteration.
In addition to fixing the bug introduced by the security fix, this
removes multiple separate passes over the mime head, one pass to get
the parameter name for Content-Disposition, and a separate pass to get
the filename. It removes the get_filename method, though some of the
code is kept in a smaller normalize_filename method.
This removes 18 separate regexp contents that were previously used
just for the separate parse to find the filename for the content
disposition.
Fixes #2076
|
| |
|
|
|
| |
- Fixes #1968
|
|
|
|
| |
and `.otf` (#2065)
|
|
|
|
|
|
|
| |
An alternative approach would be using a single string inside an array
and appending to that. This approach is more backwards compatible,
but results in more memory usage.
Fixes #1957
|
| |
|
|
|
|
|
| |
https://rubygems.org/gems/rack/versions says 3.0.4.2 was released March 02, 2023
[ci skip]
|
|
|
|
|
|
|
|
| |
See https://github.com/rack/rack-test/issues/335 for an example
where allowing BodyProxy to respond to to_str (when provided an
invalid rack body) complicated debugging.
Call BodyProxy#close if BodyProxy#to_ary is called, as not doing so
violates SPEC.
|
|
|
|
|
| |
# Conflicts:
# CHANGELOG.md
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Revert "Prefer to use `query_parser` itself as the cache key. (#2058)"
This reverts commit 5f90c33e4ccee827cb5df3d8854dc72791345c51.
* Revert "Fix handling of cached values in `Rack::Request`. (#2054)"
This reverts commit d25feddcbe634d95ec693bfbd710167a11c74069.
* Revert "Add `QueryParser#missing_value` for handling missing values + tests. (#2052)"
This reverts commit 59d9ba903fdb50cf8db708c8263a7b2a79de83fb.
* Revert "Split form/query parsing into two steps (#2038)"
This reverts commit 9f059d19647aeaef5c2cc683a333c06120caf939.
* Make query parameters without = have nil values
This was Rack's historical behavior. While it doesn't match
URL spec section 5.1.3.3, keeping the historical behavior avoids
all of the complexity required to support the URL spec standard
by default, but also support frameworks that want to be backwards
compatible.
This keeps as much of the specs added by the recently reverted
commits that make sense.
|
|
|
|
| |
Change the cache hash table to use `compare_by_identity` for improved
semantics/performance.
|
|
|
|
| |
mjs is a JavaScript module and has the same MIME type as JavaScript.
See https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types/Common_types.
|
|
|
|
|
| |
* Per-class cache keys for cached query/body parameters.
* Use the query parser class as the default cache key.
|
|
|
| |
so we need not to downcase all headers per each request
|
|
|
|
| |
Previously we would rebuild this regex once per-part. We can instead
compile it once per-request.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
* Split form/query parsing into two steps
First we parse the raw input into a stream of [key, value] pairs, and
only after that do we expand that into the deep params hash.
This allows a user to operate directly on the pair stream if they need
to apply different semantics, without needing to rewind the input, and
without creating a conflict with anything else (like a middleware) that
wants to use Rack's standard GET / POST hash format.
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
Previously we would limit the number of multipart parts which were
files, but not other parts. In some cases this could cause parsing of
maliciously crafted inputs to take longer than expected.
[CVE-2023-27530]
|
| |
|
| |
|
|
|
|
| |
JavaScript files.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Because of the to_params_hash method, this cannot be Hash itself.
We should consider deprecating that method and maybe the Params
constant as well.
Most of the spec changes are just changing overrides of
Params#initialize.
This tweaks the "not create infinite loops with cycle structures"
spec, because it wasn't actually testing for loops, it was
checking the string representation was the same between Hash
and Params. This spec could probably be eliminated, but the
tweak allows it to pass by checking that the level 1 hash string
representation is the same as the level 2 hash string representation.
|
| |
|
|
|
|
|
|
| |
There hasn't been an "extras" group in the Gemfile since 2020-05-25 so
the step that mentions it hasn't been needed for almost two years. Also,
since Bundler is deprecating the "without" behavior, modern Rubies issue
a warning with their default version of Bundler.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When studying the code for how Rack handles parsing query strings, I was
confused as to why there were character classes of a single character.
Looking through the Git history this seemed to be because the original
splitter split on both ampersands and semicolons and the style was kept
around so they all _looked_ the same even though some of the others were
single-character classes.
After checking that all of the tests passed, I was curious if there was
any performance difference. There isn't, likely because there's no
capture involved.
This change drops the redundant character classes to make it so no one
else is confused by the presence of the character classes.
|
| |
|
|
|
|
| |
Used to communicate a class of exceptions that represent 400 Bad Request
semantics.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
* Try to fix CI issue on Ruby 2.5
* Add CI environment variable in CI
Don't install rdoc in CI (should fix ruby 2.5 CI issue due to pysch).
Don't install bake-test-external in CI tests not using it.
Move webrick to the test group in the Gemfile.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Ruby 3.2 includes a cache-based regexp optimization, which is detailed
in https://bugs.ruby-lang.org/issues/19104. Which can speed up the regex
engine on many cases which would previously have resulted in a ReDoS.
One caveat of the implmentation is (quoting the issue):
> A bounded or fixed times repetition nesting in another repetition
> (e.g. /(a{2,3})*/). It is an implementation issue entirely, but we
> believe it is hard to support this case correctly.
Because of that limitation the RFC2183 regex was not previously able to
use that optimization and was not able to mitigate two recent ReDoS
CVEs.
This commit manually expands a `{2}` fixed repetition, which allows Ruby
3.2's optimization to take effect.
Before:
> Regexp.linear_time?(/([0-9]{2})*/)
=> false
> Regexp.linear_time?(Rack::Multipart::RFC2183)
=> false
After:
> Regexp.linear_time?(/([0-9][0-9])*/)
=> true
> Regexp.linear_time?(Rack::Multipart::RFC2183)
=> true
I want to make this change as additional hardening against possible
ReDoS attacks in this regex. At the moment I don't know of any which
are unpatched.
|
|\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* 3-0-sec: (24 commits)
bump version
Update changelog
Fix ReDoS vulnerability in multipart parser
Fix ReDoS in Rack::Utils.get_byte_ranges
Forbid control characters in attributes
Bump patch version.
`Rack::Request#POST` should consistently raise errors. (#2010)
Fix Rack::Lint error message for HTTP_CONTENT_TYPE and HTTP_CONTENT_LENGTH (#2007)
Rack::MethodOverride handle QueryParser::ParamsTooDeepError (#2006)
Bump patch version.
Fix Regexp deprecated third argument with Regexp::NOENCODING (#1998)
Update tests to work on latest Rubies. (#1999)
Bump patch version.
Allow passing through streaming bodies. (#1993)
Remove unnecessary executable bit from test files (#1992)
Fix Utils.build_nested_query to URL-encode all query string fields (#1989)
Trim trailing white space throughout the project (#1990)
Fix some typos (#1991)
Remove leading dot to fix compatibility with latest cgi gem. (#1988)
Fix outdated Rack::Builder rdocs and remove Lobster references (#1986)
...
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This commit fixes a ReDoS vulnerability when parsing the
Content-Disposition field in multipart attachments
Thanks to @ooooooo_q for the patch!
[CVE-2022-44571]
|
| |
| |
| |
| |
| |
| |
| | |
This commit fixes a ReDoS problem in `get_byte_ranges`. Thanks
@ooooooo_q for the patch!
[CVE-2022-44570]
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This commit restricts the characters accepted in ATTRIBUTE_CHAR,
forbidding control characters and fixing a ReDOS vulnerability.
This also now should fully follow the RFCs.
RFC 2231, Section 7 specifies:
attribute-char := <any (US-ASCII) CHAR except SPACE, CTLs,
"*", "'", "%", or tspecials>
RFC 2045, Appendix A specifies:
tspecials := "(" / ")" / "<" / ">" / "@" /
"," / ";" / ":" / "\" / <">
"/" / "[" / "]" / "?" / "="
RFC 822, Section 3.3 specifies:
CTL = <any ASCII control ; ( 0- 37, 0.- 31.)
character and DEL> ; ( 177, 127.)
SPACE = <ASCII SP, space> ; ( 40, 32.)
[CVE-2022-44572]
|
| | |
|
| |
| |
| |
| |
| |
| | |
Cache errors that occur when invoking `Rack::Request#POST` so they can be
raised again later.
* Don't throw exactly the same error - so we have the correct backtrace.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
(#2007)
Currently it's printing:
```
Rack::Lint::LintError: env contains HTTP_CONTENT_TYPE, must use
```
Which had me puzzled for quite a while.
Co-authored-by: Jean Boussier <jean.boussier@gmail.com>
|