Merge branch '3-0-sec'
* 3-0-sec: (24 commits)
  bump version
  Update changelog
  Fix ReDoS vulnerability in multipart parser
  Fix ReDoS in Rack::Utils.get_byte_ranges
  Forbid control characters in attributes
  Bump patch version.
  `Rack::Request#POST` should consistently raise errors. (#2010)
  Fix Rack::Lint error message for HTTP_CONTENT_TYPE and HTTP_CONTENT_LENGTH (#2007)
  Rack::MethodOverride handle QueryParser::ParamsTooDeepError (#2006)
  Bump patch version.
  Fix Regexp deprecated third argument with Regexp::NOENCODING (#1998)
  Update tests to work on latest Rubies. (#1999)
  Bump patch version.
  Allow passing through streaming bodies. (#1993)
  Remove unnecessary executable bit from test files (#1992)
  Fix Utils.build_nested_query to URL-encode all query string fields (#1989)
  Trim trailing white space throughout the project (#1990)
  Fix some typos (#1991)
  Remove leading dot to fix compatibility with latest cgi gem. (#1988)
  Fix outdated Rack::Builder rdocs and remove Lobster references (#1986)
  ...
tenderlove committed Jan 17, 2023
2 parents 514e900 + d1b4c2d commit becbf4b
Showing 2 changed files with 8 additions and 7 deletions.
4 changes: 2 additions & 2 deletions lib/rack/multipart/parser.rb
Expand Up @@ -23,10 +23,10 @@ class Error < StandardError; end
VALUE = /"(?:\\"|[^"])*"|#{TOKEN}/
BROKEN = /^#{CONDISP}.*;\s*filename=(#{VALUE})/i
MULTIPART_CONTENT_TYPE = /Content-Type: (.*)#{EOL}/ni
MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:.*;\s*name=(#{VALUE})/ni
MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:[^:]*;\s*name=(#{VALUE})/ni
MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
# Updated definitions from RFC 2231
ATTRIBUTE_CHAR = %r{[^ \t\v\n\r)(><@,;:\\"/\[\]?='*%]}
ATTRIBUTE_CHAR = %r{[^ \x00-\x1f\x7f)(><@,;:\\"/\[\]?='*%]}
ATTRIBUTE = /#{ATTRIBUTE_CHAR}+/
SECTION = /\*[0-9]+/
REGULAR_PARAMETER_NAME = /#{ATTRIBUTE}#{SECTION}?/
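Review bot: `[^:]*` on the new MULTIPART_CONTENT_DISPOSITION line also matches CR and LF, which the `.` it replaces did not (the pattern carries /n and /i but no /m), so the `;\s*name=` parameter can now be picked up from a later line of the part head as long as no colon sits in between; `[^:\r\n]*` would keep the match on the Content-Disposition line while still removing the backtracking that `.*` followed by `;\s*name=` allowed on inputs with many semicolons. The ATTRIBUTE_CHAR change reads correctly: `\x00-\x1f` covers the `\t\v\n\r` it replaces, `\x7f` adds DEL, and excluding CTLs is what RFC 2231's attribute-char grammar already asks for, so the "Updated definitions from RFC 2231" comment above it still holds.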
11 changes: 6 additions & 5 deletions lib/rack/utils.rb
Expand Up @@ -390,17 +390,18 @@ def get_byte_ranges(http_range, size)
return nil unless http_range && http_range =~ /bytes=([^;]+)/
ranges = []
$1.split(/,\s*/).each do |range_spec|
return nil unless range_spec =~ /(\d*)-(\d*)/
r0, r1 = $1, $2
if r0.empty?
return nil if r1.empty?
return nil unless range_spec.include?('-')
range = range_spec.split('-')
r0, r1 = range[0], range[1]
if r0.nil? || r0.empty?
return nil if r1.nil?
# suffix-byte-range-spec, represents trailing suffix of file
r0 = size - r1.to_i
r0 = 0 if r0 < 0
r1 = size - 1
else
r0 = r0.to_i
if r1.empty?
if r1.nil?
r1 = size - 1
else
r1 = r1.to_i
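Review bot: the suffix branch now tests `r1.nil?` where the old code tested `r1.empty?`, but `split('-')` can still hand back an empty string for `range[1]` (`"--5".split('-')` is `["", "", "5"]`), so `r1.to_i` is 0 and `r0 = size - r1.to_i` becomes `size`, one past the last byte, instead of the old `return nil`; checking `return nil if r1.nil? || r1.empty?`, mirroring the `r0.nil? || r0.empty?` test two lines above, restores that. Separately, the old `(\d*)-(\d*)` pattern at least required digits around the dash; `split('-')` accepts any text and `to_i` silently turns non-numeric bounds such as `"abc-def"` into 0, and a third segment in `"5-10-20"` is dropped without error. Validating each piece with an anchored `/\A\d*\z/` (and rejecting `range.size > 2`) before converting would keep the linear-time parse without widening what is accepted.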