Package: ruby-rack / 2.1.4-3+deb11u2

Metadata

Package: ruby-rack
Version: 2.1.4-3+deb11u2
Patches format: 3.0 (quilt)

Patch series

Each entry gives the patch file name, its per-file delta (lines changed, insertions +, deletions -, modifications !) and the patch description.
skip random failure.patch

test/spec_builder.rb | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

Skip random failure.

0002 Make tests pass on hosts that have no ipv4 connectiv.patch

test/spec_server.rb | 8 4 + 4 - 0 !
test/spec_thin.rb | 4 2 + 2 - 0 !
test/spec_webrick.rb | 6 3 + 3 - 0 !
3 files changed, 9 insertions(+), 9 deletions(-)

Make tests pass on hosts that have no IPv4 connectivity

This is a backport of the patch sent upstream.

CVE 2022 30122.patch

lib/rack/multipart.rb | 3 1 + 2 - 0 !
lib/rack/multipart/parser.rb | 3 2 + 1 - 0 !
test/multipart/filename_with_escaped_quotes_and_modification_param | 2 1 + 1 - 0 !
test/spec_multipart.rb | 15 1 + 14 - 0 !
4 files changed, 5 insertions(+), 18 deletions(-)

[PATCH 1/3] Restrict broken mime parsing

This commit restricts broken mime parsing to deal with a ReDoS
vulnerability.

[CVE-2022-30122]

CVE 2022 30123.patch

lib/rack/common_logger.rb | 3 3 + 0 - 0 !
lib/rack/lint.rb | 2 1 + 1 - 0 !
test/spec_common_logger.rb | 12 12 + 0 - 0 !
test/spec_lint.rb | 5 5 + 0 - 0 !
4 files changed, 21 insertions(+), 1 deletion(-)

[PATCH 2/3] Escape untrusted text when logging

This fixes a shell escape issue.

[CVE-2022-30123]

CVE 2022 44570.patch

lib/rack/utils.rb | 11 6 + 5 - 0 !
1 file changed, 6 insertions(+), 5 deletions(-)

[PATCH] Fix ReDoS in Rack::Utils.get_byte_ranges

This commit fixes a ReDoS problem in `get_byte_ranges`.  Thanks
@ooooooo_q for the patch!

[CVE-2022-44570]

CVE 2022 44571.patch

lib/rack/multipart.rb | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

[PATCH] Fix ReDoS vulnerability in multipart parser

This commit fixes a ReDoS vulnerability when parsing the
Content-Disposition field in multipart attachments.

Thanks to @ooooooo_q for the patch!

[CVE-2022-44571]

CVE 2022 44572.patch

lib/rack/multipart.rb | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

[PATCH] Forbid control characters in attributes

This commit restricts the characters accepted in ATTRIBUTE_CHAR,
forbidding control characters and fixing a ReDoS vulnerability.

This also now should fully follow the RFCs.

RFC 2231, Section 7 specifies:

    attribute-char := <any (US-ASCII) CHAR except SPACE, CTLs,
                         "*", "'", "%", or tspecials>

RFC 2045, Appendix A specifies:

    tspecials :=  "(" / ")" / "<" / ">" / "@" /
                  "," / ";" / ":" / "\" / <">
                  "/" / "[" / "]" / "?" / "="

RFC 822, Section 3.3 specifies:

    CTL         =  <any ASCII control           ; (  0- 37,  0.- 31.)
                    character and DEL>          ; (    177,     127.)
    SPACE       =  <ASCII SP, space>            ; (     40,      32.)

[CVE-2022-44572]

CVE 2023 27530.patch

README.rdoc | 20 17 + 3 - 0 !
lib/rack/multipart/parser.rb | 19 15 + 4 - 0 !
lib/rack/utils.rb | 19 15 + 4 - 0 !
test/spec_multipart.rb | 12 12 + 0 - 0 !
test/spec_request.rb | 18 17 + 1 - 0 !
5 files changed, 76 insertions(+), 12 deletions(-)

[PATCH] Limit all multipart parts, not just files

Previously we would limit the number of multipart parts which were
files, but not other parts. In some cases this could cause parsing of
maliciously crafted inputs to take longer than expected.

[CVE-2023-27530]

CVE 2023 27539.patch

lib/rack/request.rb | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

[PATCH] Avoid ReDoS problem

Split headers on commas, then strip the strings in order to avoid ReDoS
issues.

[CVE-2023-27539]

0001 Avoid 2nd degree polynomial regexp in MediaType.patch

lib/rack/media_type.rb | 13 9 + 4 - 0 !
1 file changed, 9 insertions(+), 4 deletions(-)

Avoid 2nd degree polynomial regexp in MediaType

0002 Return an empty array when ranges are too large.patch

lib/rack/utils.rb | 3 3 + 0 - 0 !
test/spec_utils.rb | 4 4 + 0 - 0 !
2 files changed, 7 insertions(+)

Return an empty array when ranges are too large

If the sum of the requested ranges is larger than the file itself,
return an empty array. In other words, refuse to respond with any bytes.

[CVE-2024-26141]

0003 Fixing ReDoS in header parsing.patch

lib/rack/utils.rb | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

Fixing ReDoS in header parsing

Thanks svalkanov

[CVE-2024-26146]