|
|
|
|
Changelog for ruby2.7-rubygem-rack-3.1.3-73.6.i586.rpm :
* Fri Jun 21 2024 Dan Čermák - New upstream release 3.1.3, see bundled CHANGELOG.md * Tue Feb 27 2024 pgajdosAATTsuse.com- version update to 3.0.9.1 * Fixed ReDoS in Accept header parsing [CVE-2024-26146][bsc#1220248] * Fixed ReDoS in Content Type header parsing [CVE-2024-25126][bsc#1220239] * Reject Range headers which are too large [CVE-2024-26141][bsc#1220242] * Fix content-length calcuation in Rack:Response#write #2150 * Tue Nov 14 2023 Dan Čermák - 3.0.8: [#]# What\'s Changed * Backport \"Fix some unused variable verbose warnings\" by AATTskipkayhil in https://github.com/rack/rack/pull/2084 [#]# New Contributors * AATTskipkayhil made their first contribution in https://github.com/rack/rack/pull/2084 * *Full Changelog * *: https://github.com/rack/rack/compare/v3.0.7...v3.0.8 * Mon Mar 20 2023 pgajdosAATTsuse.com- version update to 3.0.7 [3.0.7] - 2023-03-16 Make query parameters without = have nil values. (#2059, AATTjeremyevans) [3.0.6.1] - 2023-03-13 [CVE-2023-27539] Avoid ReDoS in header parsing [bsc#1209503] [3.0.6] - 2023-03-13 Add QueryParser#missing_value for handling missing values + tests. (#2052, AATTioquatix) [3.0.5] - 2023-03-13 Split form/query parsing into two steps. (#2038, AATTmatthewd) * Thu Mar 09 2023 pgajdosAATTsuse.com- version update to 3.0.4.2 * rack.input is now optional, and if missing, will raise an error. Use this to fail on multipart parsing a request without an input body. (#2018, AATTioquatix) * Introduce module Rack::BadRequest which is included in multipart and query parser errors. (#2019, AATTioquatix) * MIME type for JavaScript files (.js) changed from application/javascript to text/javascript (1bd0f15) * fixes CVE-2023-27530 [bsc#1209095] * Fri Jan 20 2023 Hendrik Vogelsang updated to version 3.0.4.1 [CVE-2022-44571] Fix ReDoS vulnerability in multipart parser [CVE-2022-44570] Fix ReDoS in Rack::Utils.get_byte_ranges [CVE-2022-44572] Forbid control characters in attributes (also ReDoS) For more detailed information see the installed CHANGELOG.md * Wed Dec 07 2022 Stephan Kulow updated to version 3.0.2 see installed CHANGELOG.md [#]# [3.0.2] -2022-12-05 [#]## Fixed - `Utils.build_nested_query` URL-encodes nested field names including the square brackets. - Allow `Rack::Response` to pass through streaming bodies. ([#1993](https://github.com/rack/rack/pull/1993), [AATTioquatix]) [#]# [3.0.1] - 2022-11-18 [#]## Fixed - `MethodOverride` does not look for an override if a request does not include form/parseable data. - `Rack::Lint::Wrapper` correctly handles `respond_to?` with `to_ary`, `each`, `call` and `to_path`, forwarding to the body. ([#1981](https://github.com/rack/rack/pull/1981), [AATTioquatix]) * Mon Oct 10 2022 Stephan Kulow updated to version 3.0.0 see installed CHANGELOG.md [#]# [3.0.0] - 2022-09-06 - No changes [#]# [3.0.0.rc1] - 2022-09-04 [#]## SPEC Changes - Stream argument must implement `<<` https://github.com/rack/rack/pull/1959 - `close` may be called on `rack.input` https://github.com/rack/rack/pull/1956 - `rack.response_finished` may be used for executing code after the response has been finished https://github.com/rack/rack/pull/1952 [#]# [3.0.0.beta1] - 2022-08-08 [#]## Security - Do not use semicolon as GET parameter separator. ([#1733](https://github.com/rack/rack/pull/1733), [AATTjeremyevans]) [#]## SPEC Changes - Response array must now be non-frozen. - Response `status` must now be an integer greater than or equal to 100. - Response `headers` must now be an unfrozen hash. - Response header keys can no longer include uppercase characters. - Response header values can be an `Array` to handle multiple values (and no longer supports `\ ` encoded headers). - Response body can now respond to `#call` (streaming body) instead of `#each` (enumerable body), for the equivalent of response hijacking in previous versions. - Middleware must no longer call `#each` on the body, but they can call `#to_ary` on the body if it responds to `#to_ary`. - `rack.input` is no longer required to be rewindable. - `rack.multithread`/`rack.multiprocess`/`rack.run_once`/`rack.version` are no longer required environment keys. - `SERVER_PROTOCOL` is now a required environment key, matching the HTTP protocol used in the request. - `rack.hijack?` (partial hijack) and `rack.hijack` (full hijack) are now independently optional. - `rack.hijack_io` has been removed completely. - `rack.response_finished` is an optional environment key which contains an array of callable objects that must accept `#call(env, status, headers, error)` and are invoked after the response is finished (either successfully or unsucessfully). - It is okay to call `#close` on `rack.input` to indicate that you no longer need or care about the input. - The stream argument supplied to the streaming body and hijack must support `#<<` for writing output. [#]## Removed - Remove `rack.multithread`/`rack.multiprocess`/`rack.run_once`. These variables generally come too late to be useful. ([#1720](https://github.com/rack/rack/pull/1720), [AATTioquatix], [AATTjeremyevans])) - Remove deprecated Rack::Request::SCHEME_WHITELIST. ([AATTjeremyevans]) - Remove internal cookie deletion using pattern matching, there are very few practical cases where it would be useful and browsers handle it correctly without us doing anything special. ([#1844](https://github.com/rack/rack/pull/1844), [AATTioquatix]) - Remove `rack.version` as it comes too late to be useful. ([#1938](https://github.com/rack/rack/pull/1938), [AATTioquatix]) - Extract `rackup` command, `Rack::Server`, `Rack::Handler` and related code into a separate gem. ([#1937](https://github.com/rack/rack/pull/1937), [AATTioquatix]) [#]## Added - `Rack::Headers` added to support lower-case header keys. ([AATTjeremyevans]) - `Rack::Utils#set_cookie_header` now supports `escape_key: false` to avoid key escaping. ([AATTjeremyevans]) - `Rack::RewindableInput` supports size. ([AATTahorek](https://github.com/ahorek)) - `Rack::RewindableInput::Middleware` added for making `rack.input` rewindable. ([AATTjeremyevans]) - The RFC 7239 Forwarded header is now supported and considered by default when looking for information on forwarding, falling back to the X-Forwarded- * headers. `Rack::Request.forwarded_priority` accessor has been added for configuring the priority of which header to check. ([#1423](https://github.com/rack/rack/issues/1423), [AATTjeremyevans]) - Allow response headers to contain array of values. ([#1598](https://github.com/rack/rack/issues/1598), [AATTioquatix]) - Support callable body for explicit streaming support and clarify streaming response body behaviour. ([#1745](https://github.com/rack/rack/pull/1745), [AATTioquatix], [#1748](https://github.com/rack/rack/pull/1748), [AATTwjordan]) - Allow `Rack::Builder#run` to take a block instead of an argument. ([#1942](https://github.com/rack/rack/pull/1942), [AATTioquatix]) - Add `rack.response_finished` to `Rack::Lint`. ([#1802](https://github.com/rack/rack/pull/1802), [AATTBlakeWilliams], [#1952](https://github.com/rack/rack/pull/1952), [AATTioquatix]) - The stream argument must implement `#<<`. ([#1959](https://github.com/rack/rack/pull/1959), [AATTioquatix]) [#]## Changed - BREAKING CHANGE: Require `status` to be an Integer. ([#1662](https://github.com/rack/rack/pull/1662), [AATTolleolleolle](https://github.com/olleolleolle)) - BREAKING CHANGE: Query parsing now treats parameters without `=` as having the empty string value instead of nil value, to conform to the URL spec. ([#1696](https://github.com/rack/rack/issues/1696), [AATTjeremyevans]) - Relax validations around `Rack::Request#host` and `Rack::Request#hostname`. ([#1606](https://github.com/rack/rack/issues/1606), [AATTpvande](https://github.com/pvande)) - Removed antiquated handlers: FCGI, LSWS, SCGI, Thin. ([#1658](https://github.com/rack/rack/pull/1658), [AATTioquatix]) - Removed options from `Rack::Builder.parse_file` and `Rack::Builder.load_file`. ([#1663](https://github.com/rack/rack/pull/1663), [AATTioquatix]) - `Rack::HTTP_VERSION` has been removed and the `HTTP_VERSION` env setting is no longer set in the CGI and Webrick handlers. ([#970](https://github.com/rack/rack/issues/970), [AATTjeremyevans]) - `Rack::Request#[]` and `#[]=` now warn even in non-verbose mode. ([#1277](https://github.com/rack/rack/issues/1277), [AATTjeremyevans]) - Decrease default allowed parameter recursion level from 100 to 32. ([#1640](https://github.com/rack/rack/issues/1640), [AATTjeremyevans]) - Attempting to parse a multipart response with an empty body now raises Rack::Multipart::EmptyContentError. ([#1603](https://github.com/rack/rack/issues/1603), [AATTjeremyevans]) - `Rack::Utils.secure_compare` uses OpenSSL\'s faster implementation if available. ([#1711](https://github.com/rack/rack/pull/1711), [AATTbdewater](https://github.com/bdewater)) - `Rack::Request#POST` now caches an empty hash if input content type is not parseable. ([#749](https://github.com/rack/rack/pull/749), [AATTjeremyevans]) - BREAKING CHANGE: Updated `trusted_proxy?` to match full 127.0.0.0/8 network. ([#1781](https://github.com/rack/rack/pull/1781), [AATTsnbloch](https://github.com/snbloch)) - Explicitly deprecate `Rack::File` which was an alias for `Rack::Files`. ([#1811](https://github.com/rack/rack/pull/1720), [AATTioquatix]). - Moved `Rack::Session` into [separate gem](https://github.com/rack/rack-session). ([#1805](https://github.com/rack/rack/pull/1805), [AATTioquatix]) - `rackup -D` option to daemonizes no longer changes the working directory to the root. ([#1813](https://github.com/rack/rack/pull/1813), [AATTjeremyevans]) - The `x-forwarded-proto` header is now considered before the `x-forwarded-scheme` header for determining the forwarded protocol. `Rack::Request.x_forwarded_proto_priority` accessor has been added for configuring the priority of which header to check. ([#1809](https://github.com/rack/rack/issues/1809), [AATTjeremyevans]) - `Rack::Request.forwarded_authority` (and methods that call it, such as `host`) now returns the last authority in the forwarded header, instead of the first, as earlier forwarded authorities can be forged by clients. This restores the Rack 2.1 behavior. ([#1829](https://github.com/rack/rack/issues/1809), [AATTjeremyevans]) - Use lower case cookie attributes when creating cookies, and fold cookie attributes to lower case when reading cookies (specifically impacting `secure` and `httponly` attributes). ([#1849](https://github.com/rack/rack/pull/1849), [AATTioquatix]) - The response array must now be mutable (non-frozen) so middleware can modify it without allocating a new Array,therefore reducing object allocations. ([#1887](https://github.com/rack/rack/pull/1887), [#1927](https://github.com/rack/rack/pull/1927), [AATTamatsuda], [AATTioquatix]) - `rack.hijack?` (partial hijack) and `rack.hijack` (full hijack) are now independently optional. `rack.hijack_io` is no longer required/specified. ([#1939](https://github.com/rack/rack/pull/1939), [AATTioquatix]) - Allow calling close on `rack.input`. ([#1956](https://github.com/rack/rack/pull/1956), [AATTioquatix]) [#]## Fixed - Make Rack::MockResponse handle non-hash headers. ([#1629](https://github.com/rack/rack/issues/1629), [AATTjeremyevans]) - TempfileReaper now deletes temp files if application raises an exception. ([#1679](https://github.com/rack/rack/issues/1679), [AATTjeremyevans]) - Handle cookies with values that end in \'=\' ([#1645](https://github.com/rack/rack/pull/1645), [AATTlukaso](https://github.com/lukaso)) - Make `Rack::NullLogger` respond to `#fatal!` [AATTjeremyevans]) - Fix multipart filename generation for filenames that contain spaces. Encode spaces as \"%20\" instead of \"+\" which will be decoded properly by the multipart parser. ([#1736](https://github.com/rack/rack/pull/1645), [AATTmuirdm](https://github.com/muirdm)) - `Rack::Request#scheme` returns `ws` or `wss` when one of the `X-Forwarded-Scheme` / `X-Forwarded-Proto` headers is set to `ws` or `wss`, respectively. ([#1730](https://github.com/rack/rack/issues/1730), [AATTerwanst](https://github.com/erwanst)) * Fri Jul 08 2022 Manuel Schnitzer - updated to version 2.2.4 * Better support for lower case headers in `Rack::ETag` middleware. ([#1919](https://github.com/rack/rack/pull/1919), [AATTioquatix](https://github.com/ioquatix)) * Use custom exception on params too deep error. ([#1838](https://github.com/rack/rack/pull/1838), [AATTsimi](https://github.com/simi)) * Mon May 30 2022 Hendrik Vogelsang - updated to version 2.2.3.1 [CVE-2022-30123] Fix shell escaping issue in Common Logger [CVE-2022-30122] Restrict parsing of broken MIME attachments
|
|
|