Commit log (message, author, date; files changed, lines -/+)
* Fix comment about max Content-Disposition parameters [HEAD, main] (Jeremy Evans, 2023-04-28; 1 file, -1/+1)
* Limit max size and number of parameters parsed for Content-Disposition (Jeremy Evans, 2023-04-28; 2 files, -1/+36)

  Not strictly necessary, but this limits the damage in pathological cases. These limits are probably already too generous, we could probably get by with 8 params and 1024 bytes. One of the tests uses more than 1024 bytes, though. Still, it seems unlikely any legitimate requests would exceed these limits. We could make the limits configurable via an accessor method, if desired.
* Handle invalid Content-Disposition filename encodings (Jeremy Evans, 2023-04-28; 1 file, -6/+11)

  Use BINARY for this, as we do for multipart encodings. Extract a find_encoding method for this.
* Add Content-Disposition parameter parser (Jeremy Evans, 2023-04-28; 2 files, -50/+162)

  The ReDoS fix in ee25ab9a7ee981d7578f559701085b0cf39bde77 breaks valid requests, because colons are valid inside parameter values. You cannot use a regexp scan and ensure correct behavior, since values inside parameters can be escaped. Issues like this are the reason for the famous "now they have two problems" quote regarding regexps.

  Add a basic parser for parameters in Content-Disposition. This parser is based purely on String#{index,slice!,[],==}, usually with string arguments for #index (though one case uses a simple regexp). There are two loops (one nested in the other), but the use of slice! ensures that forward progress is always made on each loop iteration.

  In addition to fixing the bug introduced by the security fix, this removes multiple separate passes over the mime head, one pass to get the parameter name for Content-Disposition, and a separate pass to get the filename. It removes the get_filename method, though some of the code is kept in a smaller normalize_filename method. This removes 18 separate regexp contents that were previously used just for the separate parse to find the filename for the content disposition.

  Fixes #2076
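The parsing approach these two commits describe (a String#index / String#slice! walk instead of a regexp scan, with a cap on parameter count and header size), shown as an added example that is not Rack's own code; the names parse_content_disposition, ParamError, MAX_PARAMS and MAX_BYTES and the limit values are constructed for this example:

```ruby
# Added example (not Rack's own code): a small Content-Disposition
# parameter parser in the style the commit describes, built on
# String#index / String#slice! rather than a regexp scan. Quoted values
# may contain ';' and ':' and backslash escapes, and each slice! removes
# at least one character, so both loops always make forward progress.
# The two limits are constructed values for this example, not Rack's.
MAX_PARAMS = 16
MAX_BYTES  = 4096
class ParamError < StandardError; end

# Returns [disposition_type, {name => value}] for a header value such as
#   form-data; name="file"; filename="a;b.txt"
def parse_content_disposition(header)
  raise ParamError, "header too long" if header.bytesize > MAX_BYTES
  rest = header.dup
  semi = rest.index(";")
  type = rest.slice!(0, semi || rest.length).strip.downcase
  params = {}
  # Outer loop: one parameter per iteration.
  until rest.empty?
    raise ParamError, "expected ';' at #{rest.inspect}" unless rest.slice!(0, 1) == ";"
    raise ParamError, "too many parameters" if params.size >= MAX_PARAMS
    eq = rest.index("=")
    semi = rest.index(";")
    raise ParamError, "parameter without value" if eq.nil? || (semi && semi < eq)
    name = rest.slice!(0, eq).strip.downcase
    rest.slice!(0, 1) # drop the '='
    rest.lstrip!
    if rest.start_with?('"')
      rest.slice!(0, 1) # opening quote
      value = +""
      # Inner loop: consume the quoted string, honouring backslash escapes.
      loop do
        ch = rest.slice!(0, 1)
        raise ParamError, "unterminated quoted value" if ch.empty?
        break if ch == '"'
        ch = rest.slice!(0, 1) if ch == "\\" # escaped char is taken literally
        value << ch
      end
      rest.lstrip!
    else
      # Token value: everything up to the next ';' or the end of the header.
      value = rest.slice!(0, rest.index(";") || rest.length).strip
    end
    params[name] = value
  end
  [type, params]
end
```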
* Add specs for underscore in host (#2072) (Jeremy Evans, 2023-04-25; 1 file, -0/+9)
* Limit file extension length of multipart tempfiles (#2069) (Patrik Ragnarsson, 2023-04-25; 2 files, -1/+25)

  - Fixes #1968
* Update MIME types associated to font extensions `.ttf`, `.woff`, `.woff2`, and `.otf` (#2065) (David Stosik, 2023-04-03; 2 files, -4/+6)
* Handle string reuse by body.each when buffering bodies in Rack::Response (#2044) (Jeremy Evans, 2023-03-24; 2 files, -0/+21)

  An alternative approach would be using a single string inside an array and appending to that. This approach is more backwards compatible, but results in more memory usage.

  Fixes #1957
* Fix borked changelog. (Samuel Williams, 2023-03-23; 1 file, -10/+14)
* Changelog: fix typo in version number (#2063) (Patrik Ragnarsson, 2023-03-23; 1 file, -1/+1)

  https://rubygems.org/gems/rack/versions says 3.0.4.2 was released March 02, 2023

  [ci skip]
* Do not allow BodyProxy to respond to to_str, make to_ary call close (Jeremy Evans, 2023-03-20; 2 files, -8/+48)

  See https://github.com/rack/rack-test/issues/335 for an example where allowing BodyProxy to respond to to_str (when provided an invalid rack body) complicated debugging.

  Call BodyProxy#close if BodyProxy#to_ary is called, as not doing so violates SPEC.
* Update changelog. (Samuel Williams, 2023-03-16; 1 file, -1/+17)

  # Conflicts:
  #	CHANGELOG.md
* Make query parameters without = have nil values (#2059) (Jeremy Evans, 2023-03-16; 7 files, -297/+64)

  * Revert "Prefer to use `query_parser` itself as the cache key. (#2058)"

    This reverts commit 5f90c33e4ccee827cb5df3d8854dc72791345c51.

  * Revert "Fix handling of cached values in `Rack::Request`. (#2054)"

    This reverts commit d25feddcbe634d95ec693bfbd710167a11c74069.

  * Revert "Add `QueryParser#missing_value` for handling missing values + tests. (#2052)"

    This reverts commit 59d9ba903fdb50cf8db708c8263a7b2a79de83fb.

  * Revert "Split form/query parsing into two steps (#2038)"

    This reverts commit 9f059d19647aeaef5c2cc683a333c06120caf939.

  * Make query parameters without = have nil values

    This was Rack's historical behavior. While it doesn't match URL spec section 5.1.3.3, keeping the historical behavior avoids all of the complexity required to support the URL spec standard by default, but also support frameworks that want to be backwards compatible.

    This keeps as much of the specs added by the recently reverted commits that make sense.
* Prefer to use `query_parser` itself as the cache key. (#2058) (Samuel Williams, 2023-03-16; 1 file, -2/+3)

  Change the cache hash table to use `compare_by_identity` for improved semantics/performance.
* Add mjs MIME type (#2057) (Achilleas Pipinellis, 2023-03-16; 2 files, -0/+2)

  mjs is a JavaScript module and has the same MIME type as JavaScript. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types/Common_types.
* Fix handling of cached values in `Rack::Request`. (#2054) (Samuel Williams, 2023-03-15; 2 files, -49/+171)

  * Per-class cache keys for cached query/body parameters.
  * Use the query parser class as the default cache key.
* Store downcased common headers at class level (#2046) (Akira Matsuda, 2023-03-13; 1 file, -2/+85)

  so we need not downcase all headers for each request
* Avoid rebuilding regex (#2042) (John Hawthorn, 2023-03-13; 1 file, -1/+2)

  Previously we would rebuild this regex once per-part. We can instead compile it once per-request.
* Add `QueryParser#missing_value` for handling missing values + tests. (#2052) (Samuel Williams, 2023-03-13; 3 files, -3/+46)
* Simplify security policy. (Samuel Williams, 2023-03-12; 1 file, -47/+4)
* Split form/query parsing into two steps (#2038) (Matthew Draper, 2023-03-12; 5 files, -41/+129)

  * Split form/query parsing into two steps

    First we parse the raw input into a stream of [key, value] pairs, and only after that do we expand that into the deep params hash.

    This allows a user to operate directly on the pair stream if they need to apply different semantics, without needing to rewind the input, and without creating a conflict with anything else (like a middleware) that wants to use Rack's standard GET / POST hash format.
* test-external.yaml - use ruby/setup-ruby-pkgs (#2048) (MSP-Greg, 2023-03-09; 1 file, -11/+3)
* `apt-get update` before `apt-get install`. (Samuel Williams, 2023-03-09; 1 file, -1/+3)
* Add frozen_string_literal magic comment to all .rb files (#2045) (Akira Matsuda, 2023-03-08; 3 files, -0/+6)
* Limit all multipart parts, not just files (John Hawthorn, 2023-03-02; 5 files, -15/+84)

  Previously we would limit the number of multipart parts which were files, but not other parts. In some cases this could cause parsing of maliciously crafted inputs to take longer than expected.

  [CVE-2023-27530]
* Enhance documentation (contains -> is a) (#2041) (Younes Serraj, 2023-03-01; 1 file, -2/+2)
* Add JS MIME type change to CHANGELOG (#2040) (Patrik Ragnarsson, 2023-02-26; 1 file, -0/+1)
* Prefer `text/javascript` as that's the current recommended mime type for JavaScript files. (Samuel Williams, 2023-02-18; 1 file, -1/+1)
* Remove `autoload :Chunked, "rack/chunked"` (#2031) (MSP-Greg, 2023-01-29; 1 file, -1/+0)
* Make QueryParser::Params a Hash subclass (Jeremy Evans, 2023-01-23; 4 files, -65/+7)

  Because of the to_params_hash method, this cannot be Hash itself. We should consider deprecating that method and maybe the Params constant as well.

  Most of the spec changes are just changing overrides of Params#initialize.

  This tweaks the "not create infinite loops with cycle structures" spec, because it wasn't actually testing for loops, it was checking the string representation was the same between Hash and Params. This spec could probably be eliminated, but the tweak allows it to pass by checking that the level 1 hash string representation is the same as the level 2 hash string representation.
* Fix some unused variable verbose warnings (Jeremy Evans, 2023-01-22; 2 files, -2/+2)
* Remove outdated contributing guideline (#2025) (Michael Herold, 2023-01-22; 1 file, -9/+0)

  There hasn't been an "extras" group in the Gemfile since 2020-05-25 so the step that mentions it hasn't been needed for almost two years.

  Also, since Bundler is deprecating the "without" behavior, modern Rubies issue a warning with their default version of Bundler.
* Remove single-character classes from query parser (#2024) (Michael Herold, 2023-01-22; 1 file, -2/+2)

  When studying the code for how Rack handles parsing query strings, I was confused as to why there were character classes of a single character. Looking through the Git history this seemed to be because the original splitter split on both ampersands and semicolons and the style was kept around so they all _looked_ the same even though some of the others were single-character classes.

  After checking that all of the tests passed, I was curious if there was any performance difference. There isn't, likely because there's no capture involved.

  This change drops the redundant character classes to make it so no one else is confused by the presence of the character classes.
* Update CHANGELOG. (Samuel Williams, 2023-01-20; 1 file, -2/+15)
* Add general `Rack::BadRequest`. (#2019) (Samuel Williams, 2023-01-20; 7 files, -8/+40)

  Used to communicate a class of exceptions that represent 400 Bad Request semantics.
* Make `env['rack.input']` optional. (#2018) (Samuel Williams, 2023-01-19; 11 files, -43/+79)
* Ignore CI failures for Ruby 2.4 and 2.5 (Jeremy Evans, 2023-01-19; 1 file, -0/+2)
* Try to fix CI issue on Ruby 2.5 (#2021) (Jeremy Evans, 2023-01-19; 3 files, -6/+13)

  * Try to fix CI issue on Ruby 2.5
  * Add CI environment variable in CI

  Don't install rdoc in CI (should fix ruby 2.5 CI issue due to pysch).

  Don't install bake-test-external in CI tests not using it.

  Move webrick to the test group in the Gemfile.
* Update Richard Schneeman in mailmap. (Samuel Williams, 2023-01-19; 1 file, -0/+1)
* Introduce mailmap for accurate git log and other commands. (#2017) (Samuel Williams, 2023-01-18; 1 file, -0/+16)
* Make RFC2183 work with Ruby 3.2's caching Regexp (#2014) (John Hawthorn, 2023-01-17; 1 file, -1/+1)

  Ruby 3.2 includes a cache-based regexp optimization, which is detailed in https://bugs.ruby-lang.org/issues/19104, which can speed up the regex engine on many cases which would previously have resulted in a ReDoS.

  One caveat of the implementation is (quoting the issue):

  > A bounded or fixed times repetition nesting in another repetition
  > (e.g. /(a{2,3})*/). It is an implementation issue entirely, but we
  > believe it is hard to support this case correctly.

  Because of that limitation the RFC2183 regex was not previously able to use that optimization and was not able to mitigate two recent ReDoS CVEs.

  This commit manually expands a `{2}` fixed repetition, which allows Ruby 3.2's optimization to take effect.

  Before:

      > Regexp.linear_time?(/([0-9]{2})*/)
      => false
      > Regexp.linear_time?(Rack::Multipart::RFC2183)
      => false

  After:

      > Regexp.linear_time?(/([0-9][0-9])*/)
      => true
      > Regexp.linear_time?(Rack::Multipart::RFC2183)
      => true

  I want to make this change as additional hardening against possible ReDoS attacks in this regex. At the moment I don't know of any which are unpatched.
* Merge branch '3-0-sec' (Aaron Patterson, 2023-01-17; 2 files, -7/+8)

  * 3-0-sec: (24 commits)
    bump version
    Update changelog
    Fix ReDoS vulnerability in multipart parser
    Fix ReDoS in Rack::Utils.get_byte_ranges
    Forbid control characters in attributes
    Bump patch version.
    `Rack::Request#POST` should consistently raise errors. (#2010)
    Fix Rack::Lint error message for HTTP_CONTENT_TYPE and HTTP_CONTENT_LENGTH (#2007)
    Rack::MethodOverride handle QueryParser::ParamsTooDeepError (#2006)
    Bump patch version.
    Fix Regexp deprecated third argument with Regexp::NOENCODING (#1998)
    Update tests to work on latest Rubies. (#1999)
    Bump patch version.
    Allow passing through streaming bodies. (#1993)
    Remove unnecessary executable bit from test files (#1992)
    Fix Utils.build_nested_query to URL-encode all query string fields (#1989)
    Trim trailing white space throughout the project (#1990)
    Fix some typos (#1991)
    Remove leading dot to fix compatibility with latest cgi gem. (#1988)
    Fix outdated Rack::Builder rdocs and remove Lobster references (#1986)
    ...
  * bump version [v3.0.4.1] (Aaron Patterson, 2023-01-17; 1 file, -1/+1)
  * Update changelog (Aaron Patterson, 2023-01-17; 1 file, -0/+6)
  * Fix ReDoS vulnerability in multipart parser (Aaron Patterson, 2023-01-17; 1 file, -1/+1)

    This commit fixes a ReDoS vulnerability when parsing the Content-Disposition field in multipart attachments

    Thanks to @ooooooo_q for the patch!

    [CVE-2022-44571]
  * Fix ReDoS in Rack::Utils.get_byte_ranges (Aaron Patterson, 2023-01-17; 1 file, -5/+6)

    This commit fixes a ReDoS problem in `get_byte_ranges`.

    Thanks @ooooooo_q for the patch!

    [CVE-2022-44570]
  * Forbid control characters in attributes (John Hawthorn, 2023-01-17; 1 file, -1/+1)

    This commit restricts the characters accepted in ATTRIBUTE_CHAR, forbidding control characters and fixing a ReDoS vulnerability. This also now should fully follow the RFCs.

    RFC 2231, Section 7 specifies:

        attribute-char := <any (US-ASCII) CHAR except SPACE, CTLs, "*", "'", "%", or tspecials>

    RFC 2045, Appendix A specifies:

        tspecials := "(" / ")" / "<" / ">" / "@" / "," / ";" / ":" / "\" / <"> "/" / "[" / "]" / "?" / "="

    RFC 822, Section 3.3 specifies:

        CTL   = <any ASCII control ; ( 0- 37, 0.- 31.) character and DEL> ; ( 177, 127.)
        SPACE = <ASCII SP, space> ; ( 40, 32.)

    [CVE-2022-44572]
  * Bump patch version. [v3.0.4] (Samuel Williams, 2023-01-17; 2 files, -1/+7)
  * `Rack::Request#POST` should consistently raise errors. (#2010) (Samuel Williams, 2023-01-17; 3 files, -19/+45)

    Cache errors that occur when invoking `Rack::Request#POST` so they can be raised again later.

    * Don't throw exactly the same error - so we have the correct backtrace.
  * Fix Rack::Lint error message for HTTP_CONTENT_TYPE and HTTP_CONTENT_LENGTH (#2007) (Jean byroot Boussier, 2023-01-17; 1 file, -1/+1)

    Currently it's printing:

    ```
    Rack::Lint::LintError: env contains HTTP_CONTENT_TYPE, must use
    ```

    Which had me puzzled for quite a while.

    Co-authored-by: Jean Boussier <jean.boussier@gmail.com>