🚨 [security] Update sidekiq 6.0.3 → 6.5.12 (minor)
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
What changed?
✳️ sidekiq (6.0.3 → 6.5.12) · Repo · Changelog
Security Advisories 🚨
🚨 Denial of service in sidekiq
In api.rb in Sidekiq before 6.4.0, there is no limit on the number of
days when requesting stats for the graph. This overloads the system, affecting the
Web UI, and makes it unavailable to users.
🚨 Cross-site Scripting in Sidekiq
Sidekiq through 5.1.3 and 6.x through 6.2.0 allows XSS via the queue
name of the live-poll feature when Internet Explorer is used.
Release Notes
Too many releases to show here. View the full release notes.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ connection_pool (indirect, 2.2.2 → 2.4.1) · Repo · Changelog
Release Notes
2.4.1 (from changelog)
- New `auto_reload_after_fork` config option to disable auto-drop [#177, shayonj]
2.4.0 (from changelog)
- Automatically drop all connections after fork [#166]
2.3.0 (from changelog)
- Minimum Ruby version is now 2.5.0
- Add pool size to TimeoutError message
2.2.5 (from changelog)
- Fix argument forwarding on Ruby 2.7 [#149]
2.2.4 (from changelog)
2.2.3 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 74 commits:
changes, bump
Ability to optionally drop all connections after fork (#177)
Set "changelog_uri" in gemspec to point to Changes.md (#176)
Opt-in for MFA requirement (#171)
release
Add Ruby 3.2 to the CI matrix. (#169)
Automatically drop all connections after fork (#166)
Update readme: non critical -> non-critical (#164)
release
Add more context to timeout error
simplify flaky test
fix jruby?
remove 2.4
Cleanup readme
Bump ruby to 2.5+
integrate standard
Bump actions/checkout from 2 to 3 (#163)
Add Dependabot for GitHub Actions (#162)
Add Ruby 3.1 to CI (#160)
Revert "Use prerelease aware version comparison (#157)"
Use prerelease aware version comparison (#157)
Mention new timeout-error class in README (#156)
bump
Update gemspec to avoid backticks
Drop support for Ruby 2.2 (#154)
Use explicit namespaces for `Mutex` and `ConditionVariable` (#153)
Prefer `require_relative` for internal requires (#152)
changes, bump
Fix argument forwarding in Ruby 2.7 (#149)
update build status badge to use GitHub Workflow (#146)
Mark truffleruby experimental in CI (#147)
Migrate to GitHub Workflows (#145)
Prep for release
CI: add Ruby 3.0 (#144)
Ruby 3.0: split positional/keyword args (#143)
Allow restarting pool (#140)
Add #138
Add docs for ConnectionPool#then
Implement ConnectionPool#then
Remove `@key_count` from the thread when returning the connection to the pool
Add required_ruby_version to the Gemspec
Merge branch 'master' of github.com:mperham/connection_pool
remove standard as it requires Ruby 2.4
Comments use ConnectionPool::TimeoutError
Rejigger to remove errors.rb
Integrate standard gem, code formatting fixes, no functional changes
Move wrapper into separate file
Rejigger exceptions, fixes #130
CI: Use openjdk11
CI: refer to JRuby using rvm alias
CI: Run latest JRuby release
README: Use API Redis.new in example
Removed explicitly declaration of thread library.
Add ruby 2.7 to CI
CI: Use 2.6, 2.5, 2.4, jruby-9.2.8.0
CI: Use latest patch versions of Rubies
CI: Drop unused sudo: false directive
mperham/connection_pool#113 expose pool from Wrapper (#114)
bump jruby
Interrupt timing is implementation-specific (#112)
fix jruby
doc failure
changes, cleanup
merge
freshen up ruby matrix
remove old jruby hacks, cleanup code
Remove monotonic clock hacks
Remove wrapper for monotonic time (#109)
Don't let threads die from exceptions in tests
Stricter casting of connection pool size
Ensure size is integer
polish
add stats to README
bump
↗️ rack (indirect, 2.0.7 → 2.2.8) · Repo · Changelog
Security Advisories 🚨
🚨 Possible Denial of Service Vulnerability in Rack’s header parsing
There is a denial of service vulnerability in the header parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2023-27539.
Versions Affected: >= 2.0.0
Not affected: None.
Fixed Versions: 2.2.6.4, 3.0.6.1
Impact
Carefully crafted input can cause header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse headers using Rack (virtually all Rails applications) are impacted.
Workarounds
Setting Regexp.timeout in Ruby 3.2 is a possible workaround.
🚨 Possible DoS Vulnerability in Multipart MIME parsing
There is a possible DoS vulnerability in the Multipart MIME parsing code in Rack. This vulnerability has been assigned the CVE identifier CVE-2023-27530.
Versions Affected: All.
Not affected: None
Fixed Versions: 3.0.4.2, 2.2.6.3, 2.1.4.3, 2.0.9.3
Impact
The Multipart MIME parsing code in Rack limits the number of file parts, but does not limit the total number of parts that can be uploaded. Carefully crafted requests can abuse this and cause multipart parsing to take longer than expected.
All users running an affected release should either upgrade or use one of the workarounds immediately.
Workarounds
A proxy can be configured to limit the POST body size which will mitigate this issue.
🚨 Denial of Service Vulnerability in Rack Content-Disposition parsing
There is a denial of service vulnerability in the Content-Disposition parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2022-44571.
Versions Affected: >= 2.0.0
Not affected: None.
Fixed Versions: 2.0.9.2, 2.1.4.2, 2.2.6.1, 3.0.4.1
Impact
Carefully crafted input can cause Content-Disposition header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is typically used in multipart parsing. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.
Workarounds
There are no feasible workarounds for this issue.
🚨 Denial of service via header parsing in Rack
There is a possible denial of service vulnerability in the Range header parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2022-44570.
Versions Affected: >= 1.5.0
Not affected: None.
Fixed Versions: 2.0.9.2, 2.1.4.2, 2.2.6.2, 3.0.4.1
Impact
Carefully crafted input can cause the Range header parsing component in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that deal with Range requests (such as streaming applications, or applications that serve files) may be impacted.
Workarounds
There are no feasible workarounds for this issue.
🚨 Denial of service via multipart parsing in Rack
There is a denial of service vulnerability in the multipart parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2022-44572.
Versions Affected: >= 2.0.0
Not affected: None.
Fixed Versions: 2.0.9.2, 2.1.4.2, 2.2.6.1, 3.0.4.1
Impact
Carefully crafted input can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.
Workarounds
There are no feasible workarounds for this issue.
🚨 Possible shell escape sequence injection vulnerability in Rack
There is a possible shell escape sequence injection vulnerability in the Lint and CommonLogger components of Rack. This vulnerability has been assigned the CVE identifier CVE-2022-30123.
Versions Affected: All.
Not affected: None
Fixed Versions: 2.0.9.1, 2.1.4.1, 2.2.3.1
Impact
Carefully crafted requests can cause shell escape sequences to be written to the terminal via Rack's Lint middleware and CommonLogger middleware. These escape sequences can be leveraged to possibly execute commands in the victim's terminal.
Impacted applications will have either of these middleware installed, and vulnerable apps may have something like this:

```ruby
use Rack::Lint
```

Or

```ruby
use Rack::CommonLogger
```

All users running an affected release should either upgrade or use one of the workarounds immediately.
Workarounds
Remove these middleware from your application
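The mitigation behind this advisory is to never let raw request bytes reach a terminal. As an added illustration (not Rack's code and not part of the advisory), the following standalone Ruby shows a common-log-style formatter that rewrites control bytes as visible `\xNN` tokens before the line is emitted, plus a check a log pipeline can use to flag lines that still carry such bytes. The env hash, the function names and the log format are assumptions made for this example.

```ruby
# Constructed Rack-style env hash (not from the advisory): the path and the
# User-Agent carry raw control bytes of the kind a terminal would interpret.
SAMPLE_ENV = {
  'REQUEST_METHOD'  => 'GET',
  'PATH_INFO'       => "/search\e[2J",
  'QUERY_STRING'    => 'q=1',
  'HTTP_USER_AGENT' => "Mozilla/5.0\x07",
}.freeze

# C0 control bytes (ESC = 0x1b included) and DEL.
CONTROL_BYTES = /[\x00-\x1f\x7f]/.freeze

# Rewrite every control byte as a visible \xNN token so a terminal or log
# viewer shows the bytes instead of obeying them.
def sanitize_for_terminal(value)
  value.to_s.gsub(CONTROL_BYTES) { |c| format('\\x%02X', c.ord) }
end

# True if a finished log line still carries bytes a terminal could act on;
# useful as a guard in a log shipper or as a detection over existing logs.
def contains_terminal_controls?(line)
  !!(line.to_s =~ CONTROL_BYTES)
end

# Common-log-style line assembled only from sanitized request fields;
# status and length are numbers the application already controls.
def safe_log_line(env, status, length)
  query  = env['QUERY_STRING'].to_s
  target = sanitize_for_terminal(env['PATH_INFO'])
  target += "?#{sanitize_for_terminal(query)}" unless query.empty?
  format('"%s %s" %d %d "%s"',
         sanitize_for_terminal(env['REQUEST_METHOD']),
         target, status, length,
         sanitize_for_terminal(env['HTTP_USER_AGENT']))
end

if __FILE__ == $PROGRAM_NAME
  puts safe_log_line(SAMPLE_ENV, 200, 512)
end
```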
🚨 Denial of Service Vulnerability in Rack Multipart Parsing
There is a possible denial of service vulnerability in the multipart parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2022-30122.
Versions Affected: >= 1.2
Not affected: < 1.2
Fixed Versions: 2.0.9.1, 2.1.4.1, 2.2.3.1
Impact
Carefully crafted multipart POST requests can cause Rack's multipart parser to take much longer than expected, leading to a possible denial of service vulnerability.
Impacted code will use Rack's multipart parser to parse multipart posts. This includes directly using the multipart parser like this:

```ruby
params = Rack::Multipart.parse_multipart(env)
```

But it also includes reading POST data from a Rack request object like this:

```ruby
p request.POST   # read POST data
p request.params # reads both query params and POST data
```

All users running an affected release should either upgrade or use one of the workarounds immediately.
Workarounds
There are no feasible workarounds for this issue.
🚨 Percent-encoded cookies can be used to overwrite existing prefixed cookie names
It is possible to forge a secure or host-only cookie prefix in Rack using an arbitrary cookie write by using URL encoding (percent-encoding) on the name of the cookie. This could result in an application that is dependent on this prefix to determine if a cookie is safe to process being manipulated into processing an insecure or cross-origin request.
This vulnerability has been assigned the CVE identifier CVE-2020-8184.
Versions Affected: rack < 2.2.3, rack < 2.1.4
Not affected: Applications which do not rely on __Host- and __Secure- prefixes to determine if a cookie is safe to process
Fixed Versions: rack >= 2.2.3, rack >= 2.1.4
Impact
An attacker may be able to trick a vulnerable application into processing an insecure (non-SSL) or cross-origin request if they can gain the ability to write arbitrary cookies that are sent to the application.
Workarounds
If your application is impacted but you cannot upgrade to the released versions or apply the provided patch, this issue can be temporarily addressed by adding the following workaround:

```ruby
module Rack
  module Utils
    module_function

    def parse_cookies_header(header)
      return {} unless header
      header.split(/[;] */n).each_with_object({}) do |cookie, cookies|
        next if cookie.empty?
        key, value = cookie.split('=', 2)
        # Keep the cookie name verbatim; only the value is unescaped,
        # and the first occurrence of a name wins.
        cookies[key] = (unescape(value) rescue value) unless cookies.key?(key)
      end
    end
  end
end
```
🚨 Directory traversal in Rack::Directory app bundled with Rack
There was a possible directory traversal vulnerability in the Rack::Directory app that is bundled with Rack.
Versions Affected: rack < 2.2.0
Not affected: Applications that do not use Rack::Directory.
Fixed Versions: 2.1.3, >= 2.2.0
Impact
If certain directories exist in a directory that is managed by Rack::Directory, an attacker could, using this vulnerability, read the contents of files on the server that were outside of the root specified in the Rack::Directory initializer.
Workarounds
Until such time as the patch is applied or their Rack version is upgraded, we recommend that developers do not use Rack::Directory in their applications.
🚨 Possible information leak / session hijack vulnerability
There's a possible information leak / session hijack vulnerability in Rack.
Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hijack the session.
The session id itself may be generated randomly, but the way the session is indexed by the backing store does not use a secure comparison.
Impact
The session id stored in a cookie is the same id that is used when querying the backing session storage engine. Most storage mechanisms (for example a database) use some sort of indexing in order to speed up the lookup of that id. By carefully timing requests and session lookup failures, an attacker may be able to perform a timing attack to determine an existing session id and hijack that session.
Release Notes
2.2.7
What's Changed
- Correct the year number in the changelog by @kimulab in #2015
- Support underscore in host names for Rack 2.2 (Fixes #2070) by @jeremyevans in #2071
New Contributors
Full Changelog: v2.2.6.4...v2.2.7
2.2.2 (from changelog)
Fixed
2.2.1 (from changelog)
Fixed
2.2.0 (from changelog)
SPEC Changes
- `rack.session` request environment entry must respond to `to_hash` and return unfrozen Hash. (@jeremyevans)
- Request environment cannot be frozen. (@jeremyevans)
- CGI values in the request environment with non-ASCII characters must use ASCII-8BIT encoding. (@jeremyevans)
- Improve SPEC/lint relating to SERVER_NAME, SERVER_PORT and HTTP_HOST. (#1561, @ioquatix)
Added
- `rackup` supports multiple `-r` options and will require all arguments. (@jeremyevans)
- `Server` supports an array of paths to require for the `:require` option. (@khotta)
- `Files` supports multipart range requests. (@fatkodima)
- `Multipart::UploadedFile` supports an IO-like object instead of using the filesystem, using `:filename` and `:io` options. (@jeremyevans)
- `Multipart::UploadedFile` supports keyword arguments `:path`, `:content_type`, and `:binary` in addition to positional arguments. (@jeremyevans)
- `Static` supports a `:cascade` option for calling the app if there is no matching file. (@jeremyevans)
- `Session::Abstract::SessionHash#dig`. (@jeremyevans)
- `Response.[]` and `MockResponse.[]` for creating instances using status, headers, and body. (@ioquatix)
- Convenient cache and content type methods for `Rack::Response`. (#1555, @ioquatix)
Changed
- `Request#params` no longer rescues EOFError. (@jeremyevans)
- `Directory` uses a streaming approach, significantly improving time to first byte for large directories. (@jeremyevans)
- `Directory` no longer includes a Parent directory link in the root directory index. (@jeremyevans)
- `QueryParser#parse_nested_query` uses original backtrace when reraising exception with new class. (@jeremyevans)
- `ConditionalGet` follows RFC 7232 precedence if both If-None-Match and If-Modified-Since headers are provided. (@jeremyevans)
- `.ru` files supports the `frozen-string-literal` magic comment. (@eregon)
- Rely on autoload to load constants instead of requiring internal files, make sure to require 'rack' and not just 'rack/...'. (@jeremyevans)
- `Etag` will continue sending ETag even if the response should not be cached. (@henm)
- `Request#host_with_port` no longer includes a colon for a missing or empty port. (@AlexWayfer)
- All handlers uses keywords arguments instead of an options hash argument. (@ioquatix)
- `Files` handling of range requests no longer return a body that supports `to_path`, to ensure range requests are handled correctly. (@jeremyevans)
- `Multipart::Generator` only includes `Content-Length` for files with paths, and `Content-Disposition` `filename` if the `UploadedFile` instance has one. (@jeremyevans)
- `Request#ssl?` is true for the `wss` scheme (secure websockets). (@jeremyevans)
- `Rack::HeaderHash` is memoized by default. (#1549, @ioquatix)
- `Rack::Directory` allow directory traversal inside root directory. (#1417, @ThomasSevestre)
- Sort encodings by server preference. (#1184, @ioquatix, @wjordan)
- Rework host/hostname/authority implementation in `Rack::Request`. `#host` and `#host_with_port` have been changed to correctly return IPv6 addresses formatted with square brackets, as defined by RFC3986. (#1561, @ioquatix)
- `Rack::Builder` parsing options on first `#\` line is deprecated. (#1574, @ioquatix)
Removed
- `Directory#path` as it was not used and always returned nil. (@jeremyevans)
- `BodyProxy#each` as it was only needed to work around a bug in Ruby <1.9.3. (@jeremyevans)
- `URLMap::INFINITY` and `URLMap::NEGATIVE_INFINITY`, in favor of `Float::INFINITY`. (@ch1c0t)
- Deprecation of `Rack::File`. It will be deprecated again in rack 2.2 or 3.0. (@rafaelfranca)
- Support for Ruby 2.2 as it is well past EOL. (@ioquatix)
- Remove `Rack::Files#response_body` as the implementation was broken. (#1153, @ioquatix)
- Remove `SERVER_ADDR` which was never part of the original SPEC. (#1573, @ioquatix)
Fixed
- `Directory` correctly handles root paths containing glob metacharacters. (@jeremyevans)
- `Cascade` uses a new response object for each call if initialized with no apps. (@jeremyevans)
- `BodyProxy` correctly delegates keyword arguments to the body object on Ruby 2.7+. (@jeremyevans)
- `BodyProxy#method` correctly handles methods delegated to the body object. (@jeremyevans)
- `Request#host` and `Request#host_with_port` handle IPv6 addresses correctly. (@AlexWayfer)
- `Lint` checks when response hijacking that `rack.hijack` is called with a valid object. (@jeremyevans)
- `Response#write` correctly updates `Content-Length` if initialized with a body. (@jeremyevans)
- `CommonLogger` includes `SCRIPT_NAME` when logging. (@Erol)
- `Utils.parse_nested_query` correctly handles empty queries, using an empty instance of the params class instead of a hash. (@jeremyevans)
- `Directory` correctly escapes paths in links. (@yous)
- `Request#delete_cookie` and related `Utils` methods handle `:domain` and `:path` options in same call. (@jeremyevans)
- `Request#delete_cookie` and related `Utils` methods do an exact match on `:domain` and `:path` options. (@jeremyevans)
- `Static` no longer adds headers when a gzipped file request has a 304 response. (@chooh)
- `ContentLength` sets `Content-Length` response header even for bodies not responding to `to_ary`. (@jeremyevans)
- Thin handler supports options passed directly to `Thin::Controllers::Controller`. (@jeremyevans)
- WEBrick handler no longer ignores `:BindAddress` option. (@jeremyevans)
- `ShowExceptions` handles invalid POST data. (@jeremyevans)
- Basic authentication requires a password, even if the password is empty. (@jeremyevans)
- `Lint` checks response is array with 3 elements, per SPEC. (@jeremyevans)
- Support for using `:SSLEnable` option when using WEBrick handler. (Gregor Melhorn)
- Close response body after buffering it when buffering. (@ioquatix)
- Only accept `;` as delimiter when parsing cookies. (@mrageh)
- `Utils::HeaderHash#clear` clears the name mapping as well. (@raxoft)
- Support for passing `nil` to `Rack::Files.new`, which notably fixes Rails' current `ActiveStorage::FileServer` implementation. (@ioquatix)
Documentation
- CHANGELOG updates. (@aupajo)
- Added CONTRIBUTING. (@dblock)
2.1.2 (from changelog)
- Fix multipart parser for some files to prevent denial of service (@aiomaster)
- Fix `Rack::Builder#use` with keyword arguments (@kamipo)
- Skip deflating in Rack::Deflater if Content-Length is 0 (@jeremyevans)
- Remove `SessionHash#transform_keys`, no longer needed (@pavel)
- Add to_hash to wrap Hash and Session classes (@oleh-demyanyuk)
- Handle case where session id key is requested but missing (@jeremyevans)
2.1.1 (from changelog)
- Remove `Rack::Chunked` from `Rack::Server` default middleware. (#1475, @ioquatix)
- Restore support for code relying on `SessionId#to_s`. (@jeremyevans)
2.1.0 (from changelog)
Added
- Add support for `SameSite=None` cookie value. (@hennikul)
- Add trailer headers. (@eileencodes)
- Add MIME Types for video streaming. (@styd)
- Add MIME Type for WASM. (@buildrtech)
- Add `Early Hints(103)` to status codes. (@egtra)
- Add `Too Early(425)` to status codes. (@y-yagi)
- Add `Bandwidth Limit Exceeded(509)` to status codes. (@CJKinni)
- Add method for custom `ip_filter`. (@svcastaneda)
- Add boot-time profiling capabilities to `rackup`. (@tenderlove)
- Add multi mapping support for `X-Accel-Mappings` header. (@yoshuki)
- Add `sync: false` option to `Rack::Deflater`. (Eric Wong)
- Add `Builder#freeze_app` to freeze application and all middleware instances. (@jeremyevans)
- Add API to extract cookies from `Rack::MockResponse`. (@petercline)
Changed
- Don't propagate nil values from middleware. (@ioquatix)
- Lazily initialize the response body and only buffer it if required. (@ioquatix)
- Fix deflater zlib buffer errors on empty body part. (@felixbuenemann)
- Set `X-Accel-Redirect` to percent-encoded path. (@diskkid)
- Remove unnecessary buffer growing when parsing multipart. (@tainoe)
- Expand the root path in `Rack::Static` upon initialization. (@rosenfeld)
- Make `ShowExceptions` work with binary data. (@axyjo)
- Use buffer string when parsing multipart requests. (@janko-m)
- Support optional UTF-8 Byte Order Mark (BOM) in config.ru. (@mikegee)
- Handle `X-Forwarded-For` with optional port. (@dpritchett)
- Use `Time#httpdate` format for Expires, as proposed by RFC 7231. (@nanaya)
- Make `Utils.status_code` raise an error when the status symbol is invalid instead of `500`. (@adambutler)
- Rename `Request::SCHEME_WHITELIST` to `Request::ALLOWED_SCHEMES`.
- Make `Multipart::Parser.get_filename` accept files with `+` in their name. (@lucaskanashiro)
- Add Falcon to the default handler fallbacks. (@ioquatix)
- Update codebase to avoid string mutations in preparation for `frozen_string_literals`. (@pat)
- Change `MockRequest#env_for` to rely on the input optionally responding to `#size` instead of `#length`. (@janko)
- Rename `Rack::File` -> `Rack::Files` and add deprecation notice. (@postmodern)
- Prefer Base64 "strict encoding" for Base64 cookies. (@ioquatix)
Removed
- Remove `to_ary` from Response (@tenderlove)
- Deprecate `Rack::Session::Memcache` in favor of `Rack::Session::Dalli` from dalli gem (@fatkodima)
Fixed
- Eliminate warnings for Ruby 2.7. (@osamtimizer)
Documentation
- Update broken example in `Session::Abstract::ID` documentation. (tonytonyjan)
- Add Padrino to the list of frameworks implementing Rack. (@wikimatze)
- Remove Mongrel from the suggested server options in the help output. (@tricknotes)
- Replace `HISTORY.md` and `NEWS.md` with `CHANGELOG.md`. (@twitnithegirl)
- CHANGELOG updates. (@drenmi, @p8)
2.0.8 (from changelog)
- [CVE-2019-16782] Prevent timing attacks targeted at session ID lookup. (@tenderlove, @rafaelfranca)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ redis (indirect, 4.1.3 → 4.8.1) · Repo · Changelog
Release Notes
Too many releases to show here. View the full release notes.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
🗑️ rack-protection (removed)
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands
- @depfu rebase
- Rebases against your default branch and redoes this update
- @depfu recreate
- Recreates this PR, overwriting any edits that you've made to it
- @depfu merge
- Merges this PR once your tests are passing and conflicts are resolved
- @depfu cancel merge
- Cancels automatic merging of this PR
- @depfu close
- Closes this PR and deletes the branch
- @depfu reopen
- Restores the branch and reopens this PR (if it's closed)
- @depfu pause
- Ignores all future updates for this dependency and closes this PR
- @depfu pause [minor|major]
- Ignores all future minor/major updates for this dependency and closes this PR
- @depfu resume
- Future versions of this dependency will create PRs again (leaves this PR as is)