author | Aaron Patterson <tenderlove@ruby-lang.org> | 2023-01-17 12:53:39 -0800 |
---|---|---|
committer | Aaron Patterson <tenderlove@ruby-lang.org> | 2023-01-17 12:53:39 -0800 |
commit | becbf4b11245918cd3d91b9ac390a8ea8cd58f3c (patch) | |
tree | cae3c38a2fdf9db6181dff122050661399ff14fa | |
parent | 514e9005760f5f39625b22baf7a5b79f275e6c31 (diff) | |
parent | d1b4c2d82ac5444228d30e66f38156f7046b4296 (diff) | |
download | rack-becbf4b11245918cd3d91b9ac390a8ea8cd58f3c.tar.gz |
Merge branch '3-0-sec'
* 3-0-sec: (24 commits)
bump version
Update changelog
Fix ReDoS vulnerability in multipart parser
Fix ReDoS in Rack::Utils.get_byte_ranges
Forbid control characters in attributes
Bump patch version.
`Rack::Request#POST` should consistently raise errors. (#2010)
Fix Rack::Lint error message for HTTP_CONTENT_TYPE and HTTP_CONTENT_LENGTH (#2007)
Rack::MethodOverride handle QueryParser::ParamsTooDeepError (#2006)
Bump patch version.
Fix Regexp deprecated third argument with Regexp::NOENCODING (#1998)
Update tests to work on latest Rubies. (#1999)
Bump patch version.
Allow passing through streaming bodies. (#1993)
Remove unnecessary executable bit from test files (#1992)
Fix Utils.build_nested_query to URL-encode all query string fields (#1989)
Trim trailing white space throughout the project (#1990)
Fix some typos (#1991)
Remove leading dot to fix compatibility with latest cgi gem. (#1988)
Fix outdated Rack::Builder rdocs and remove Lobster references (#1986)
...
-rw-r--r-- | lib/rack/multipart/parser.rb | 4 | ||||
-rw-r--r-- | lib/rack/utils.rb | 11 |
2 files changed, 8 insertions, 7 deletions
diff --git a/lib/rack/multipart/parser.rb b/lib/rack/multipart/parser.rb
index 480badaf..d5a3c8dd 100644
--- a/lib/rack/multipart/parser.rb
+++ b/lib/rack/multipart/parser.rb
@@ -23,10 +23,10 @@ module Rack
 VALUE = /"(?:\\"|[^"])*"|#{TOKEN}/
 BROKEN = /^#{CONDISP}.*;\s*filename=(#{VALUE})/i
 MULTIPART_CONTENT_TYPE = /Content-Type: (.*)#{EOL}/ni
- MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:.*;\s*name=(#{VALUE})/ni
+ MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:[^:]*;\s*name=(#{VALUE})/ni
 MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
 # Updated definitions from RFC 2231
- ATTRIBUTE_CHAR = %r{[^ \t\v\n\r)(><@,;:\\"/\[\]?='*%]}
+ ATTRIBUTE_CHAR = %r{[^ \x00-\x1f\x7f)(><@,;:\\"/\[\]?='*%]}
 ATTRIBUTE = /#{ATTRIBUTE_CHAR}+/
 SECTION = /\*[0-9]+/
 REGULAR_PARAMETER_NAME = /#{ATTRIBUTE}#{SECTION}?/
diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb
index 08ed1a19..1796c992 100644
--- a/lib/rack/utils.rb
+++ b/lib/rack/utils.rb
@@ -390,17 +390,18 @@ module Rack
 return nil unless http_range && http_range =~ /bytes=([^;]+)/
 ranges = []
 $1.split(/,\s*/).each do |range_spec|
- return nil unless range_spec =~ /(\d*)-(\d*)/
- r0, r1 = $1, $2
- if r0.empty?
- return nil if r1.empty?
+ return nil unless range_spec.include?('-')
+ range = range_spec.split('-')
+ r0, r1 = range[0], range[1]
+ if r0.nil? || r0.empty?
+ return nil if r1.nil?
 # suffix-byte-range-spec, represents trailing suffix of file
 r0 = size - r1.to_i
 r0 = 0 if r0 < 0
 r1 = size - 1
 else
 r0 = r0.to_i
- if r1.empty?
+ if r1.nil?
 r1 = size - 1
 else
 r1 = r1.to_i |
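Review bot: The narrowed `[^:]*` in MULTIPART_CONTENT_DISPOSITION is also a behavior change the hunk leaves undocumented: a header whose parameters before `name=` contain a colon (a constructed example: `form-data; filename="a:b"; name="f"`) no longer matches, whereas `.*` accepted it. A one-line comment above the constant, such as `# [^:]* instead of .* bounds backtracking; a ':' in an earlier parameter value ends the match`, would record the trade-off for the next maintainer. `BROKEN` on the line above keeps the `^#{CONDISP}.*;\s*filename=` shape that this commit moved away from, so it is worth confirming whether it needs the same narrowing or is only reached on already-bounded input. The new `ATTRIBUTE_CHAR` class lines up with RFC 2231's attribute-char, which excludes CTLs, so extending the existing `# Updated definitions from RFC 2231` comment with `(control characters excluded, per the attribute-char production)` would explain the `\x00-\x1f\x7f` range.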
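Review bot: The new `split('-')` path feeds non-numeric components straight into `to_i`, so a spec such as `abc-def` now produces a 0-0 range where the old `(\d*)-(\d*)` match returned nil; the commit drops the digit restriction the regex gave without replacing it. After `r0, r1 = range[0], range[1]` an anchored, linear check such as `return nil unless range.all? { |s| s.match?(/\A\d*\z/) }` restores that rejection without reintroducing the backtracking the commit removes (the array holds only strings, and an empty array from a bare `-` still falls through to the existing `r0.nil?` return). Whether a spec with more than one `-`, now silently truncated to its first two parts, should be rejected as well is a judgement call that deserves a comment either way. `r0, r1 = range` would also read more idiomatically than the indexed assignment. get_byte_ranges begins and ends outside the hunk, so any later validation of the computed range is not visible here.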