Comparing changes: rack/rack

base: v3.2.1
compare: v3.2.2
  • 3 commits
  • 5 files changed
  • 2 contributors

Commits on Oct 7, 2025

  1. Fix denial of service vulnerabilities in multipart parsing

    Two separate vulnerabilities:
    
    1. Unbounded buffering of uploaded data waiting for a boundary.
    
    2. Unbounded buffering of uploaded data waiting for complete
       mime part header.
    
    The respective limits are 16KB for (1) and 64KB for (2), but those
    limits only apply for non-default buffer sizes. If left at the
    default configuration, 1MB (default buffer size) will be the limit
    for both.
    
    This changes one EmptyContentError exception to an Error exception,
    but EmptyContentError is probably the wrong error to raise for a
    very long boundary.
    jeremyevans authored and ioquatix committed Oct 7, 2025
    Commit 589127f
  2. Limit amount of retained data when parsing multipart requests

    The limit is 16MB by default, and it can be adjusted with the
    RACK_MULTIPART_MAX_BUFFERED_UPLOAD_SIZE environment variable.
    
    Data stored in temporary files is not counted against this limit.
    However, data for other parameters, as well as the data for the
    mime headers for each parameter (which is retained during parsing),
    is counted against the limit.
    jeremyevans authored and ioquatix committed Oct 7, 2025
    Commit 3beacfc
  3. Bump patch version.

    ioquatix committed Oct 7, 2025
    Commit bce149b
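The failure mode named in commits 1 and 2 above (a parser that keeps appending uploaded bytes to an in-memory buffer while waiting for a boundary that never arrives) and the corresponding mitigation (a hard cap on bytes buffered before giving up) are illustrated below. This is an added example written for this page, not Rack's own parser or a patch from these commits; the names BoundaryNotFound, MAX_BOUNDARY_SEARCH_BYTES and scan_to_boundary are hypothetical, and the 16KB limit is simply borrowed from the commit message as an illustrative default.

```ruby
# Added illustration (not rack/rack code): a bounded scan for a multipart
# boundary delimiter. Bytes read from the stream accumulate only until the
# delimiter is found; if more than a fixed number of bytes pile up without a
# match, the scan aborts instead of letting a client grow the buffer without
# bound. BoundaryNotFound, MAX_BOUNDARY_SEARCH_BYTES and scan_to_boundary are
# hypothetical names chosen for this example.
require 'stringio'

class BoundaryNotFound < StandardError; end

# Illustrative cap, mirroring the 16KB figure quoted in commit 1 above.
MAX_BOUNDARY_SEARCH_BYTES = 16 * 1024

# Reads +io+ in +chunk_size+ pieces until +delimiter+ (e.g. "\r\n--boundary")
# appears. Returns [bytes_before_delimiter, bytes_after_delimiter].
# Raises BoundaryNotFound if more than +limit+ bytes accumulate with no match,
# or if the stream ends first. Because the whole buffer is retained until a
# match, a delimiter split across two chunk reads is still detected.
def scan_to_boundary(io, delimiter, limit: MAX_BOUNDARY_SEARCH_BYTES, chunk_size: 4096)
  buffer = String.new(encoding: Encoding::BINARY)
  loop do
    if (idx = buffer.index(delimiter))
      return [buffer[0...idx], buffer[(idx + delimiter.bytesize)..]]
    end
    # The check sits before the next read so the buffer can never exceed
    # limit + chunk_size bytes, whatever the client sends.
    raise BoundaryNotFound, "no boundary within #{limit} bytes" if buffer.bytesize > limit
    chunk = io.read(chunk_size)
    raise BoundaryNotFound, "stream ended before boundary" if chunk.nil?
    buffer << chunk
  end
end

# Convenience wrapper: true if the scan aborted, false if a boundary was found.
def boundary_search_aborted?(data, delimiter, limit:, chunk_size: 512)
  scan_to_boundary(StringIO.new(data), delimiter, limit: limit, chunk_size: chunk_size)
  false
rescue BoundaryNotFound
  true
end

if $PROGRAM_NAME == __FILE__
  # Constructed inputs: a small well-formed part, and an oversized body that
  # never contains the delimiter (the pattern a client would need to exhaust memory).
  ok = ("a" * 100) + "\r\n--XYZ" + "tail"
  body, rest = scan_to_boundary(StringIO.new(ok), "\r\n--XYZ", limit: 1024, chunk_size: 7)
  puts "found part of #{body.bytesize} bytes, #{rest.bytesize} bytes remaining"
  puts "oversized body aborted: #{boundary_search_aborted?("b" * 5000, "\r\n--XYZ", limit: 1024)}"
end
```

The property worth checking in a review of any such parser is the one the check-before-read ordering gives here: memory held on behalf of one request is bounded by a constant (limit plus one chunk) rather than by the size of the request body.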