Comparing changes

base repository: rack/rack
base: v2.2.5
...
head repository: rack/rack
compare: v2.2.6.2
  • 8 commits
  • 6 files changed
  • 5 contributors

Commits on Jan 16, 2023

  1. Rack::MethodOverride handle QueryParser::ParamsTooDeepError (#2011)

    This middleware already handles two types of parsing issues
    but somehow not this one.
    
    Co-authored-by: Jean Boussier <[email protected]>
    casperisfine and byroot authored Jan 16, 2023
    c0f9de4
  2. Bump patch version.

    ioquatix committed Jan 16, 2023
    ea39e49

Commits on Jan 17, 2023

  1. Forbid control characters in attributes

    This commit restricts the characters accepted in ATTRIBUTE_CHAR,
    forbidding control characters and fixing a ReDoS vulnerability.
    
    This also now should fully follow the RFCs.
    
    RFC 2231, Section 7 specifies:
    
        attribute-char := <any (US-ASCII) CHAR except SPACE, CTLs,
                             "*", "'", "%", or tspecials>
    
    RFC 2045, Appendix A specifies:
    
        tspecials :=  "(" / ")" / "<" / ">" / "@" /
                      "," / ";" / ":" / "\" / <">
                      "/" / "[" / "]" / "?" / "="
    
    RFC 822, Section 3.3 specifies:
    
        CTL         =  <any ASCII control           ; (  0- 37,  0.- 31.)
                        character and DEL>          ; (    177,     127.)
        SPACE       =  <ASCII SP, space>            ; (     40,      32.)
    
    [CVE-2022-44572]
    jhawthorn authored and tenderlove committed Jan 17, 2023
    19e49f0
  2. Fix ReDoS vulnerability in multipart parser

    This commit fixes a ReDoS vulnerability when parsing the
    Content-Disposition field in multipart attachments.
    
    Thanks to @ooooooo_q for the patch!
    
    [CVE-2022-44571]
    tenderlove committed Jan 17, 2023
    ee25ab9
  3. Update changelog

    tenderlove committed Jan 17, 2023
    3677f17
  4. bump version

    tenderlove committed Jan 17, 2023
    20bc90c
  5. Fix ReDoS in Rack::Utils.get_byte_ranges

    This commit fixes a ReDoS problem in `get_byte_ranges`.  Thanks
    @ooooooo_q for the patch!
    
    [CVE-2022-44570]
    tenderlove committed Jan 17, 2023
    f6d4f52
  6. bumping version

    tenderlove committed Jan 17, 2023
    2606ac5