diff --git a/2-2-header-redos.patch b/2-2-header-redos.patch deleted file mode 100644 index 37f7078cab93e1b70367e0832e309ee3c7330cf0..0000000000000000000000000000000000000000 --- a/2-2-header-redos.patch +++ /dev/null @@ -1,31 +0,0 @@ -From ee7919ea04303717858be1c3f16b406adc6d8cff Mon Sep 17 00:00:00 2001 -From: Aaron Patterson -Date: Mon, 13 Mar 2023 10:58:13 -0700 -Subject: [PATCH] Avoid ReDoS problem - -Split headers on commas, then strip the strings in order to avoid ReDoS -issues. - -[CVE-2023-27539] ---- - lib/rack/request.rb | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/lib/rack/request.rb b/lib/rack/request.rb -index 750a0dc4..fea98459 100644 ---- a/lib/rack/request.rb -+++ b/lib/rack/request.rb -@@ -572,8 +572,8 @@ module Rack - end - - def parse_http_accept_header(header) -- header.to_s.split(/\s*,\s*/).map do |part| -- attribute, parameters = part.split(/\s*;\s*/, 2) -+ header.to_s.split(",").each(&:strip!).map do |part| -+ attribute, parameters = part.split(";", 2).each(&:strip!) - quality = 1.0 - if parameters and /\Aq=([\d.]+)/ =~ parameters - quality = $1.to_f --- -2.37.1 - diff --git a/2-2-multipart-dos.patch b/2-2-multipart-dos.patch deleted file mode 100644 index 53c68a37224238ffb1bff96ec8ec0f92e3ea3329..0000000000000000000000000000000000000000 --- a/2-2-multipart-dos.patch +++ /dev/null 
@@ -1,138 +0,0 @@ -From 9aac3757fe19cdb0476504c9245170115bec9668 Mon Sep 17 00:00:00 2001 -From: John Hawthorn -Date: Thu, 8 Dec 2022 15:54:28 -0800 -Subject: [PATCH] Limit all multipart parts, not just files - -Previously we would limit the number of multipart parts which were -files, but not other parts. In some cases this could cause parsing of -maliciously crafted inputs to take longer than expected. - -[CVE-2023-27530] ---- - README.rdoc | 20 +++++++++++++++++--- - lib/rack/multipart/parser.rb | 19 +++++++++++++++---- - lib/rack/utils.rb | 19 +++++++++++++++---- - 3 files changed, 76 insertions(+), 12 deletions(-) - -diff --git a/README.rdoc b/README.rdoc -index 8533846f..cbb25723 100644 ---- a/README.rdoc -+++ b/README.rdoc -@@ -202,16 +202,30 @@ Limiting the depth prevents a possible stack overflow when parsing parameters. - - Defaults to 100. - --=== multipart_part_limit -+=== multipart_file_limit - --The maximum number of parts a request can contain. -+The maximum number of parts with a filename a request can contain. - Accepting too many part can lead to the server running out of file handles. - - The default is 128, which means that a single request can't upload more than 128 files at once. - - Set to 0 for no limit. - --Can also be set via the +RACK_MULTIPART_PART_LIMIT+ environment variable. -+Can also be set via the +RACK_MULTIPART_FILE_LIMIT+ environment variable. -+ -+(This is also aliased as +multipart_part_limit+ and +RACK_MULTIPART_PART_LIMIT+ for compatibility) -+ -+=== multipart_total_part_limit -+ -+The maximum total number of parts a request can contain of any type, including -+both file and non-file form fields. -+ -+The default is 4096, which means that a single request can't contain more than -+4096 parts. -+ -+Set to 0 for no limit. -+ -+Can also be set via the +RACK_MULTIPART_TOTAL_PART_LIMIT+ environment variable. 
- - == Changelog - -diff --git a/lib/rack/multipart/parser.rb b/lib/rack/multipart/parser.rb -index e8ed3e97..0fc18560 100644 ---- a/lib/rack/multipart/parser.rb -+++ b/lib/rack/multipart/parser.rb -@@ -5,6 +5,7 @@ require 'strscan' - module Rack - module Multipart - class MultipartPartLimitError < Errno::EMFILE; end -+ class MultipartTotalPartLimitError < StandardError; end - - class Parser - (require_relative '../core_ext/regexp'; using ::Rack::RegexpExtensions) if RUBY_VERSION < '2.4' -@@ -140,7 +141,7 @@ module Rack - - @mime_parts[mime_index] = klass.new(body, head, filename, content_type, name) - -- check_open_files -+ check_part_limits - end - - def on_mime_body(mime_index, content) -@@ -152,13 +153,23 @@ module Rack - - private - -- def check_open_files -- if Utils.multipart_part_limit > 0 -- if @open_files >= Utils.multipart_part_limit -+ def check_part_limits -+ file_limit = Utils.multipart_file_limit -+ part_limit = Utils.multipart_total_part_limit -+ -+ if file_limit && file_limit > 0 -+ if @open_files >= file_limit - @mime_parts.each(&:close) - raise MultipartPartLimitError, 'Maximum file multiparts in content reached' - end - end -+ -+ if part_limit && part_limit > 0 -+ if @mime_parts.size >= part_limit -+ @mime_parts.each(&:close) -+ raise MultipartTotalPartLimitError, 'Maximum total multiparts in content reached' -+ end -+ end - end - end - -diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb -index 14d9e17d..c8e61ea1 100644 ---- a/lib/rack/utils.rb -+++ b/lib/rack/utils.rb -@@ -58,13 +58,24 @@ module Rack - end - - class << self -- attr_accessor :multipart_part_limit -+ attr_accessor :multipart_total_part_limit -+ -+ attr_accessor :multipart_file_limit -+ -+ # multipart_part_limit is the original name of multipart_file_limit, but -+ # the limit only counts parts with filenames. -+ alias multipart_part_limit multipart_file_limit -+ alias multipart_part_limit= multipart_file_limit= - end - -- # The maximum number of parts a request can contain. 
Accepting too many part -- # can lead to the server running out of file handles. -+ # The maximum number of file parts a request can contain. Accepting too -+ # many parts can lead to the server running out of file handles. - # Set to `0` for no limit. -- self.multipart_part_limit = (ENV['RACK_MULTIPART_PART_LIMIT'] || 128).to_i -+ self.multipart_file_limit = (ENV['RACK_MULTIPART_PART_LIMIT'] || ENV['RACK_MULTIPART_FILE_LIMIT'] || 128).to_i -+ -+ # The maximum total number of parts a request can contain. Accepting too -+ # many can lead to excessive memory use and parsing time. -+ self.multipart_total_part_limit = (ENV['RACK_MULTIPART_TOTAL_PART_LIMIT'] || 4096).to_i - - def self.param_depth_limit - default_query_parser.param_depth_limit --- -2.37.1 - diff --git a/Fix-CVE-2022-44570.patch b/Fix-CVE-2022-44570.patch deleted file mode 100644 index f05f1cfd9374da258028e63895dad74211d5e932..0000000000000000000000000000000000000000 --- a/Fix-CVE-2022-44570.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -From f6d4f528f2df1318a6612845db0b59adc7fe8fc1 Mon Sep 17 00:00:00 2001 -From: Aaron Patterson -Date: Tue, 17 Jan 2023 12:04:37 -0800 -Subject: [PATCH] Fix ReDoS in Rack::Utils.get_byte_ranges - -This commit fixes a ReDoS problem in `get_byte_ranges`. Thanks -@ooooooo_q for the patch! - -[CVE-2022-44570] ---- - lib/rack/utils.rb | 11 ++++++----- - 1 file changed, 6 insertions(+), 5 deletions(-) - -diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb -index 34849ded..14d9e17d 100644 ---- a/lib/rack/utils.rb -+++ b/lib/rack/utils.rb -@@ -348,17 +348,18 @@ module Rack - return nil unless http_range && http_range =~ /bytes=([^;]+)/ - ranges = [] - $1.split(/,\s*/).each do |range_spec| -- return nil unless range_spec =~ /(\d*)-(\d*)/ -- r0, r1 = $1, $2 -- if r0.empty? -- return nil if r1.empty? -+ return nil unless range_spec.include?('-') -+ range = range_spec.split('-') -+ r0, r1 = range[0], range[1] -+ if r0.nil? || r0.empty? -+ return nil if r1.nil? - # suffix-byte-range-spec, represents trailing suffix of file - r0 = size - r1.to_i - r0 = 0 if r0 < 0 - r1 = size - 1 - else - r0 = r0.to_i -- if r1.empty? -+ if r1.nil? - r1 = size - 1 - else - r1 = r1.to_i --- -2.25.1 - diff --git a/Fix-CVE-2022-44571.patch b/Fix-CVE-2022-44571.patch deleted file mode 100644 index a68eddbd8efd9516bde4b1ccf77ca47dc0346304..0000000000000000000000000000000000000000 --- a/Fix-CVE-2022-44571.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From ee25ab9a7ee981d7578f559701085b0cf39bde77 Mon Sep 17 00:00:00 2001 -From: Aaron Patterson -Date: Tue, 17 Jan 2023 12:14:29 -0800 -Subject: [PATCH] Fix ReDoS vulnerability in multipart parser - -This commit fixes a ReDoS vulnerability when parsing the -Content-Disposition field in multipart attachments - -Thanks to @ooooooo_q for the patch! - -[CVE-2022-44571] ---- - lib/rack/multipart.rb | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/lib/rack/multipart.rb b/lib/rack/multipart.rb -index 7695fe76..fdae808a 100644 ---- a/lib/rack/multipart.rb -+++ b/lib/rack/multipart.rb -@@ -18,7 +18,7 @@ module Rack - VALUE = /"(?:\\"|[^"])*"|#{TOKEN}/ - BROKEN = /^#{CONDISP}.*;\s*filename=(#{VALUE})/i - MULTIPART_CONTENT_TYPE = /Content-Type: (.*)#{EOL}/ni -- MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:.*;\s*name=(#{VALUE})/ni -+ MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:[^:]*;\s*name=(#{VALUE})/ni - MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni - # Updated definitions from RFC 2231 - ATTRIBUTE_CHAR = %r{[^ \t\v\n\r)(><@,;:\\"/\[\]?='*%]} --- -2.25.1 - diff --git a/Fix-CVE-2022-44572.patch b/Fix-CVE-2022-44572.patch deleted file mode 100644 index 03ea363441db350a96f753a43a48ecd5b75c7505..0000000000000000000000000000000000000000 --- a/Fix-CVE-2022-44572.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From 19e49f0f185d7e42ed5b402baec6c897a8c48029 Mon Sep 17 00:00:00 2001 -From: John Hawthorn -Date: Wed, 3 Aug 2022 00:19:56 -0700 -Subject: [PATCH] Forbid control characters in attributes - -This commit restricts the characters accepted in ATTRIBUTE_CHAR, -forbidding control characters and fixing a ReDOS vulnerability. - -This also now should fully follow the RFCs. - -RFC 2231, Section 7 specifies: - - attribute-char := - -RFC 2045, Appendix A specifies: - - tspecials := "(" / ")" / "<" / ">" / "@" / - "," / ";" / ":" / "\" / <"> - "/" / "[" / "]" / "?" / "=" - -RFC 822, Section 3.3 specifies: - - CTL = ; ( 177, 127.) - SPACE = ; ( 40, 32.) - -[CVE-2022-44572] ---- - lib/rack/multipart.rb | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/lib/rack/multipart.rb b/lib/rack/multipart.rb -index 10f8e5fa..7695fe76 100644 ---- a/lib/rack/multipart.rb -+++ b/lib/rack/multipart.rb -@@ -21,7 +21,7 @@ module Rack - MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:[^:]*;\s*name=(#{VALUE})/ni - MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni - # Updated definitions from RFC 2231 -- ATTRIBUTE_CHAR = %r{[^ \t\v\n\r)(><@,;:\\"/\[\]?='*%]} -+ ATTRIBUTE_CHAR = %r{[^ \x00-\x1f\x7f)(><@,;:\\"/\[\]?='*%]} - ATTRIBUTE = /#{ATTRIBUTE_CHAR}+/ - SECTION = /\*[0-9]+/ - REGULAR_PARAMETER_NAME = /#{ATTRIBUTE}#{SECTION}?/ --- -2.25.1 - diff --git a/Fix-CVE-2024-25126.patch b/Fix-CVE-2024-25126.patch deleted file mode 100644 index 4acac33533ada62535fb8048a3e42b6e21df6de5..0000000000000000000000000000000000000000 --- a/Fix-CVE-2024-25126.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -From d9c163a443b8cadf4711d84bd2c58cb9ef89cf49 Mon Sep 17 00:00:00 2001 -From: Jean Boussier -Date: Wed, 6 Dec 2023 18:32:19 +0100 -Subject: [PATCH] Avoid 2nd degree polynomial regexp in MediaType - ---- - lib/rack/media_type.rb | 13 +++++++++---- - 1 file changed, 9 insertions(+), 4 deletions(-) - -diff --git a/lib/rack/media_type.rb b/lib/rack/media_type.rb -index 41937c99..7fc1e39d 100644 ---- a/lib/rack/media_type.rb -+++ b/lib/rack/media_type.rb -@@ -4,7 +4,7 @@ module Rack - # Rack::MediaType parse media type and parameters out of content_type string - - class MediaType -- SPLIT_PATTERN = %r{\s*[;,]\s*} -+ SPLIT_PATTERN = /[;,]/ - - class << self - # The media type (type/subtype) portion of the CONTENT_TYPE header -@@ -15,7 +15,11 @@ module Rack - # http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.7 - def type(content_type) - return nil unless content_type -- content_type.split(SPLIT_PATTERN, 2).first.tap &:downcase! -+ if type = content_type.split(SPLIT_PATTERN, 2).first -+ type.rstrip! -+ type.downcase! -+ type -+ end - end - - # The media type parameters provided in CONTENT_TYPE as a Hash, or -@@ -27,9 +31,10 @@ module Rack - return {} if content_type.nil? - - content_type.split(SPLIT_PATTERN)[1..-1].each_with_object({}) do |s, hsh| -+ s.strip! - k, v = s.split('=', 2) -- -- hsh[k.tap(&:downcase!)] = strip_doublequotes(v) -+ k.downcase! -+ hsh[k] = strip_doublequotes(v) - end - end - --- -2.25.1 - diff --git a/Fix-CVE-2024-26141.patch b/Fix-CVE-2024-26141.patch deleted file mode 100644 index c388ec35d2bf3b2626f39c9912df10cff5b90f0c..0000000000000000000000000000000000000000 --- a/Fix-CVE-2024-26141.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From 72ecb3f4e05b2fc0a5073d23fd178686818eb958 Mon Sep 17 00:00:00 2001 -From: Aaron Patterson -Date: Tue, 13 Feb 2024 13:34:34 -0800 -Subject: [PATCH] Return an empty array when ranges are too large - -If the sum of the requested ranges is larger than the file itself, -return an empty array. In other words, refuse to respond with any bytes. - -[CVE-2024-26141] ---- - lib/rack/utils.rb | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb -index ca6182c..199312f 100644 ---- a/lib/rack/utils.rb -+++ b/lib/rack/utils.rb -@@ -379,6 +379,9 @@ module Rack - end - ranges << (r0..r1) if r0 <= r1 - end -+ -+ return [] if ranges.map(&:size).sum > size -+ - ranges - end - --- -2.43.0 - diff --git a/Fix-CVE-2024-26146.patch b/Fix-CVE-2024-26146.patch deleted file mode 100644 index c1775b4e1e122f54a6b15f5ea874e20cb885540f..0000000000000000000000000000000000000000 --- a/Fix-CVE-2024-26146.patch +++ /dev/null @@ -1,30 +0,0 @@ -From e4c117749ba24a66f8ec5a08eddf68deeb425ccd Mon Sep 17 00:00:00 2001 -From: Aaron Patterson -Date: Wed, 21 Feb 2024 11:05:06 -0800 -Subject: [PATCH] Fixing ReDoS in header parsing - -Thanks svalkanov - -[CVE-2024-26146] ---- - lib/rack/utils.rb | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb -index c8e61ea1..0ed64b7a 100644 ---- a/lib/rack/utils.rb -+++ b/lib/rack/utils.rb -@@ -142,8 +142,8 @@ module Rack - end - - def q_values(q_value_header) -- q_value_header.to_s.split(/\s*,\s*/).map do |part| -- value, parameters = part.split(/\s*;\s*/, 2) -+ q_value_header.to_s.split(',').map do |part| -+ value, parameters = part.split(';', 2).map(&:strip) - quality = 1.0 - if parameters && (md = /\Aq=([\d.]+)/.match(parameters)) - quality = md[1].to_f --- -2.25.1 - diff --git a/Fix-CVE-2025-25184.patch b/Fix-CVE-2025-25184.patch deleted file mode 100644 index 34e30ff9f39311a8ee0dd06c0298d0fd55c3faca..0000000000000000000000000000000000000000 
--- a/Fix-CVE-2025-25184.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 074ae244430cda05c27ca91cda699709cfb3ad8e Mon Sep 17 00:00:00 2001 -From: Jeremy Evans -Date: Tue, 11 Feb 2025 19:10:05 -0800 -Subject: [PATCH] Escape non-printable characters when logging. ---- - lib/rack/common_logger.rb | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/lib/rack/common_logger.rb b/lib/rack/common_logger.rb -index 9c6f921..68399c7 100644 ---- a/lib/rack/common_logger.rb -+++ b/lib/rack/common_logger.rb -@@ -15,7 +15,7 @@ module Rack - # The actual format is slightly different than the above due to the - # separation of SCRIPT_NAME and PATH_INFO, and because the elapsed - # time in seconds is included at the end. -- FORMAT = %{%s - %s [%s] "%s %s%s%s %s" %d %s %0.4f\n} -+ FORMAT = %{%s - %s [%s] "%s %s%s%s %s" %d %s %0.4f } - - # +logger+ can be any object that supports the +write+ or +<<+ methods, - # which includes the standard library Logger. These methods are called -@@ -60,7 +60,8 @@ module Rack - length, - Utils.clock_time - began_at ] - -- msg.gsub!(/[^[:print:]\n]/) { |c| "\\x#{c.ord}" } -+ msg.gsub!(/[^[:print:]]/) { |c| sprintf("\\x%x", c.ord) } -+ msg[-1] = "\n" - - logger = @logger || env[RACK_ERRORS] - --- -2.46.0 - diff --git a/Fix-CVE-2025-27111.patch b/Fix-CVE-2025-27111.patch deleted file mode 100644 index 06a91f09592cef03d28e6b500b7ccc148cfc52ef..0000000000000000000000000000000000000000 --- a/Fix-CVE-2025-27111.patch +++ /dev/null 
@@ -1,24 +0,0 @@ -From 803aa221e8302719715e224f4476e438f2531a53 Mon Sep 17 00:00:00 2001 -From: Samuel Williams -Date: Sat, 22 Feb 2025 16:37:33 +1300 -Subject: [PATCH] Use `#inspect` to prevent log injection. ---- - lib/rack/sendfile.rb | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/lib/rack/sendfile.rb b/lib/rack/sendfile.rb -index 3d5e786..0b7b2f2 100644 ---- a/lib/rack/sendfile.rb -+++ b/lib/rack/sendfile.rb -@@ -133,7 +133,7 @@ module Rack - end - when '', nil - else -- env[RACK_ERRORS].puts "Unknown x-sendfile variation: '#{type}'.\n" -+ env[RACK_ERRORS].puts "Unknown x-sendfile variation: #{type.inspect}" - end - end - [status, headers, body] --- -2.46.0 - diff --git a/Fix-CVE-2025-27610.patch b/Fix-CVE-2025-27610.patch deleted file mode 100644 index bc1a3e1b932f8f577b0e8a3633deea56607bf599..0000000000000000000000000000000000000000 --- a/Fix-CVE-2025-27610.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 50caab74fa01ee8f5dbdee7bb2782126d20c6583 Mon Sep 17 00:00:00 2001 -From: Samuel Williams -Date: Sat, 8 Mar 2025 11:13:39 +1300 -Subject: [PATCH] Use a fully resolved file path when confirming if a file can - be served by `Rack::Static`. - ---- - lib/rack/static.rb | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/lib/rack/static.rb b/lib/rack/static.rb -index 8cb58b2..0ea78a1 100644 ---- a/lib/rack/static.rb -+++ b/lib/rack/static.rb -@@ -122,8 +122,9 @@ module Rack - - def call(env) - path = env[PATH_INFO] -+ actual_path = Utils.clean_path_info(Utils.unescape_path(path)) - -- if can_serve(path) -+ if can_serve(actual_path) - if overwrite_file_path(path) - env[PATH_INFO] = (add_index_root?(path) ? path + @index : @urls[path]) - elsif @gzip && env['HTTP_ACCEPT_ENCODING'] && /\bgzip\b/.match?(env['HTTP_ACCEPT_ENCODING']) --- -2.46.0 - diff --git a/Fix-CVE-2025-46727.patch b/Fix-CVE-2025-46727.patch deleted file mode 100644 index 3177541dec23435e41038dd62c46829b7e4aca48..0000000000000000000000000000000000000000 
--- a/Fix-CVE-2025-46727.patch +++ /dev/null 
@@ -1,176 +0,0 @@ -From 3f5a4249118d09d199fe480466c8c6717e43b6e3 Mon Sep 17 00:00:00 2001 -From: Jeremy Evans -Date: Tue, 6 May 2025 19:08:08 +0900 -Subject: [PATCH] Merge commit from fork - -* Apply bytesize and number of param limits in QueryParser - -The param limit is 4096, chosen because it matches the existing -multipart limit. The bytesize limit is 4MB. These limits should -substantially exceed what almost all applications need, though -there will likely be applications that require higher limits. -Allow overriding the limits on a per-QueryParser basis via the -constructors, and allow overriding the default limits with -environment variables RACK_QUERY_PARSER_BYTESIZE_LIMIT and -RACK_QUERY_PARSER_PARAMS_LIMIT. - -Add new Rack::QueryParser::QueryLimitError to raise in case one -of the limits are exceeded, and make ParamsTooDeepError an -alias to, since that is also a case where a limit is exceeded. -This allows code that already rescues ParamsTooDeepError to -automatically handle these other limits as well. - -* Update CHANGELOG. - ---------- - -Co-authored-by: Samuel Williams ---- - README.rdoc | 27 +++++++++++++++++ - lib/rack/query_parser.rb | 63 ++++++++++++++++++++++++++++++++------- - 2 files changed, 80 insertions(+), 10 deletions(-) - -diff --git a/README.rdoc b/README.rdoc -index cbb25723..6f678ea6 100644 ---- a/README.rdoc -+++ b/README.rdoc -@@ -179,6 +179,33 @@ e.g: - - Rack::Utils.key_space_limit = 128 - -+=== `RACK_QUERY_PARSER_BYTESIZE_LIMIT` -+ -+This environment variable sets the default for the maximum query string bytesize -+that `Rack::QueryParser` will attempt to parse. Attempts to use a query string -+that exceeds this number of bytes will result in a -+`Rack::QueryParser::QueryLimitError` exception. If this enviroment variable is -+provided, it must be an integer, or `Rack::QueryParser` will raise an exception. 
-+ -+The default limit can be overridden on a per-`Rack::QueryParser` basis using -+the `bytesize_limit` keyword argument when creating the `Rack::QueryParser`. -+ -+=== `RACK_QUERY_PARSER_PARAMS_LIMIT` -+ -+This environment variable sets the default for the maximum number of query -+parameters that `Rack::QueryParser` will attempt to parse. Attempts to use a -+query string with more than this many query parameters will result in a -+`Rack::QueryParser::QueryLimitError` exception. If this enviroment variable is -+provided, it must be an integer, or `Rack::QueryParser` will raise an exception. -+ -+The default limit can be overridden on a per-`Rack::QueryParser` basis using -+the `params_limit` keyword argument when creating the `Rack::QueryParser`. -+ -+This is implemented by counting the number of parameter separators in the -+query string, before attempting parsing, so if the same parameter key is -+used multiple times in the query, each counts as a separate parameter for -+this check. -+ - === key_space_limit - - The default number of bytes to allow all parameters keys in a given parameter hash to take up. -diff --git a/lib/rack/query_parser.rb b/lib/rack/query_parser.rb -index 1c3923c3..a6f6d68c 100644 ---- a/lib/rack/query_parser.rb -+++ b/lib/rack/query_parser.rb -@@ -16,20 +16,47 @@ module Rack - # sequence. - class InvalidParameterError < ArgumentError; end - -- # ParamsTooDeepError is the error that is raised when params are recursively -- # nested over the specified limit. -- class ParamsTooDeepError < RangeError; end -+ # QueryLimitError is for errors raised when the query provided exceeds one -+ # of the query parser limits. -+ class QueryLimitError < RangeError -+ end -+ -+ # ParamsTooDeepError is the old name for the error that is raised when params -+ # are recursively nested over the specified limit. 
Make it the same as -+ # as QueryLimitError, so that code that rescues ParamsTooDeepError error -+ # to handle bad query strings also now handles other limits. -+ ParamsTooDeepError = QueryLimitError - -- def self.make_default(key_space_limit, param_depth_limit) -- new Params, key_space_limit, param_depth_limit -+ def self.make_default(key_space_limit, param_depth_limit, **options) -+ new(Params, key_space_limit, param_depth_limit, **options) - end - - attr_reader :key_space_limit, :param_depth_limit - -- def initialize(params_class, key_space_limit, param_depth_limit) -+ env_int = lambda do |key, val| -+ if str_val = ENV[key] -+ begin -+ val = Integer(str_val, 10) -+ rescue ArgumentError -+ raise ArgumentError, "non-integer value provided for environment variable #{key}" -+ end -+ end -+ -+ val -+ end -+ -+ BYTESIZE_LIMIT = env_int.call("RACK_QUERY_PARSER_BYTESIZE_LIMIT", 4194304) -+ private_constant :BYTESIZE_LIMIT -+ -+ PARAMS_LIMIT = env_int.call("RACK_QUERY_PARSER_PARAMS_LIMIT", 4096) -+ private_constant :PARAMS_LIMIT -+ -+ def initialize(params_class, key_space_limit, param_depth_limit, bytesize_limit: BYTESIZE_LIMIT, params_limit: PARAMS_LIMIT) - @params_class = params_class - @key_space_limit = key_space_limit - @param_depth_limit = param_depth_limit -+ @bytesize_limit = bytesize_limit -+ @params_limit = params_limit - end - - # Stolen from Mongrel, with some small modifications: -@@ -42,7 +69,7 @@ module Rack - - params = make_params - -- (qs || '').split(d ? (COMMON_SEP[d] || /[#{d}] */n) : DEFAULT_SEP).each do |p| -+ check_query_string(qs, d).split(d ? (COMMON_SEP[d] || /[#{d}] */n) : DEFAULT_SEP).each do |p| - next if p.empty? - k, v = p.split('=', 2).map!(&unescaper) - -@@ -69,7 +96,7 @@ module Rack - params = make_params - - unless qs.nil? || qs.empty? -- (qs || '').split(d ? (COMMON_SEP[d] || /[#{d}] */n) : DEFAULT_SEP).each do |p| -+ check_query_string(qs, d).split(d ? 
(COMMON_SEP[d] || /[#{d}] */n) : DEFAULT_SEP).each do |p| - k, v = p.split('=', 2).map! { |s| unescape(s) } - - normalize_params(params, k, v, param_depth_limit) -@@ -155,8 +182,24 @@ module Rack - true - end - -- def unescape(s) -- Utils.unescape(s) -+ def check_query_string(qs, sep) -+ if qs -+ if qs.bytesize > @bytesize_limit -+ raise QueryLimitError, "total query size (#{qs.bytesize}) exceeds limit (#{@bytesize_limit})" -+ end -+ -+ if (param_count = qs.count(sep.is_a?(String) ? sep : '&')) >= @params_limit -+ raise QueryLimitError, "total number of query parameters (#{param_count+1}) exceeds limit (#{@params_limit})" -+ end -+ -+ qs -+ else -+ '' -+ end -+ end -+ -+ def unescape(string, encoding = Encoding::UTF_8) -+ Utils.unescape(string, encoding) - end - - class Params --- -2.25.1 - diff --git a/rack-2.2.4.gem b/rack-2.2.4.gem deleted file mode 100644 index cff677e7af08f6bee300a355ac460a0432cb0562..0000000000000000000000000000000000000000 Binary files a/rack-2.2.4.gem and /dev/null differ diff --git a/rack-3.2.1-tests.tar.gz b/rack-3.2.1-tests.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..643bc9dd770c6ec0c4ca6ffb39caf15645cb575c Binary files /dev/null and b/rack-3.2.1-tests.tar.gz differ diff --git a/rack-3.2.1.gem b/rack-3.2.1.gem new file mode 100644 index 0000000000000000000000000000000000000000..7b9078c3742383887495364a78434d7ac9dbe16a Binary files /dev/null and b/rack-3.2.1.gem differ diff --git a/rubygem-rack.spec b/rubygem-rack.spec index 76e6592051622c409b1d2ecad5b7a8a9f0f023b5..bb52c42aeaae62c9bd3a90e282ce13b91f359e0e 100644 --- a/rubygem-rack.spec +++ b/rubygem-rack.spec 
@@ -2,28 +2,24 @@ %bcond_with bootstrap Name: rubygem-%{gem_name} -Version: 2.2.4 +Version: 3.2.1 Epoch: 1 -Release: 12 +Release: 1 Summary: A modular Ruby webserver interface -License: MIT and BSD +License: MIT AND BSD-3-Clause URL: https://rack.github.io/ Source0: https://rubygems.org/downloads/%{gem_name}-%{version}.gem -Patch0: 2-2-multipart-dos.patch -Patch1: 2-2-header-redos.patch -Patch2: Fix-CVE-2024-26141.patch -Patch3: Fix-CVE-2024-26146.patch -Patch4: Fix-CVE-2024-25126.patch -Patch5: Fix-CVE-2022-44570.patch -Patch6: Fix-CVE-2022-44571.patch -Patch7: Fix-CVE-2022-44572.patch -Patch8: Fix-CVE-2025-27610.patch -Patch9: Fix-CVE-2025-27111.patch -Patch10: Fix-CVE-2025-25184.patch -Patch11: Fix-CVE-2025-46727.patch -BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 git -BuildRequires: memcached rubygem(memcache-client) rubygem(minitest) -BuildRequires: rubygem(memcache-client) + +# git clone https://github.com/rack/rack.git && cd rack/ +# git archive -v -o rack-3.1.16-tests.tar.gz v3.1.16 test/ +Source1: rack-%{version}-tests.tar.gz + +BuildRequires: ruby(release) +BuildRequires: rubygems-devel +BuildRequires: ruby >= 2.4.0 +#BuildRequires: git +#BuildRequires: memcached +#BuildRequires: rubygem(memcache-client) BuildRequires: rubygem(minitest) %if ! %{with bootstrap} BuildRequires: rubygem(thin) @@ -51,7 +47,7 @@ BuildArch: noarch Documentation for %{name}. %prep -%autosetup -n %{gem_name}-%{version} -p1 -S git +%autosetup -n %{gem_name}-%{version} -p1 -b 1 %build gem build ../%{gem_name}-%{version}.gemspec 
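Review bot: The regeneration comment above `Source1` names `rack-3.1.16-tests.tar.gz` and tag `v3.1.16`, while `Source1` expands to `rack-3.2.1-tests.tar.gz`, so the documented command does not produce the artifact this spec ships. Because the tests tarball is generated locally rather than fetched from a URL, that comment is the only provenance record for it; tie it to the macro so it cannot drift again: `# git archive -v -o rack-%{version}-tests.tar.gz v%{version} test/`. The three `#BuildRequires:` lines for git, memcached and memcache-client are dead now that the patches and the memcached-backed check are gone; delete them rather than leaving commented-out dependencies that a future edit may uncomment without re-checking why they were removed.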
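Review bot: `-p1` on the new `%autosetup` line is vestigial: every `Patch` line was removed earlier in this diff, so there is nothing for it to apply, and `%autosetup -n %{gem_name}-%{version} -b 1` says exactly what prep now does. `-b 1` unpacks `Source1` into `%{_builddir}` before the cd, which is what the later `cp -a %{_builddir}/test .` in `%check` relies on; a one-line comment such as `# -b 1: unpack the tests tarball into %{_builddir}; %check copies it into the gem dir` next to this line would spare the next maintainer from reconciling the two sections.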
@@ -63,34 +59,22 @@ cp -a .%{gem_dir}/* \ %{buildroot}%{gem_dir}/ -mkdir -p %{buildroot}%{_bindir} -cp -a .%{_bindir}/* \ - %{buildroot}%{_bindir}/ +%check +( cd .%{gem_instdir} -find %{buildroot}%{gem_instdir}/bin -type f | xargs chmod a+x -find %{buildroot}%{gem_instdir}/{bin,test/cgi} -type f | \ - xargs sed -i 's|^#!/usr/bin/env ruby$|#!/usr/bin/ruby|' +cp -a %{_builddir}/test . -for file in `find %{buildroot}/%{gem_instdir} -type f -perm /a+x`; do - [ -z "`head -n 1 $file | grep \"^#!/\"`" ] && chmod -v 644 $file -done +# Avoid minitest-global_expectations in exchange of lot of deprecation warnings. +# https://github.com/rack/rack/pull/1394 +mkdir -p test/minitest/global_expectations +echo 'require "minitest/autorun"' > test/minitest/global_expectations/autorun.rb -for file in `find %{buildroot}%{gem_instdir} -type f`; do - [ ! -z "`head -n 1 $file | grep \"^#!\"`" ] && chmod -v 755 $file -done +ruby -Itest -e 'Dir.glob "./test/spec_*.rb", &method(:require)' +) -%check -pushd .%{gem_instdir} -PID=%(mktemp) -memcached -d -P "$PID" -LC_ALL=C.UTF-8 \ -ruby -Ilib:test -e 'Dir.glob "./test/spec_*.rb", &method(:require)' -kill -TERM $(< "$PID") -popd %files %dir %{gem_instdir} -%{_bindir}/rackup %license %{gem_instdir}/MIT-LICENSE %{gem_libdir} %{gem_instdir}/bin @@ -109,6 +93,12 @@ popd %doc %{gem_instdir}/contrib %changelog +* Sun Sep 28 2025 liweigang - 1:3.2.1-1 +- Type: update +- ID: NA +- SUG: NA +- DESC: update to version 3.2.1 + * Wed Aug 20 2025 zouzhimin - 1:2.2.4-12 - Type:CVES - ID:CVE-2025-46727 diff --git a/rubygem-rack.yaml b/rubygem-rack.yaml index 666da997903436717c8fb92dba96ee1689f4699f..d63fb9fc59fded3962f0de32baf3b1eedb2b58b8 100644 --- a/rubygem-rack.yaml +++ b/rubygem-rack.yaml @@ -1,4 +1,4 @@ version_control: github src_repo: rack/rack tag_prefix: ^v -seperator: . +separator: .
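Review bot: The new `%check` drops both `LC_ALL=C.UTF-8` and `-Ilib` from the test invocation without a replacement. With only `-Itest`, a `require "rack"` inside the specs resolves from the default load path rather than from the unpacked gem's `lib/`, so unless the test helper uses a relative require (not visible here) the suite may load a system rack or fail to load at all, and in a minimal build root the default locale is typically POSIX, which changes how encoding-sensitive specs see non-ASCII input. Restore both: `LC_ALL=C.UTF-8 ruby -Ilib:test -e 'Dir.glob "./test/spec_*.rb", &method(:require)'`. The `minitest/global_expectations/autorun.rb` shim is a reasonable workaround, but its comment should say that it shadows a gem the upstream tests expect, so that anyone adding that gem as a `BuildRequires` later knows to remove the shim.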