Comparing changes

base repository: rack/rack
base: v3.1.12
head repository: rack/rack
compare: v3.1.16
  • 11 commits
  • 14 files changed
  • 6 contributors

Commits on Apr 13, 2025

  1. 8e3c9b1
  2. Bump patch version.

    ioquatix committed Apr 13, 2025
    0379537

Commits on May 6, 2025

  1. Merge commit from fork

    * Apply bytesize and number of param limits in QueryParser
    
    The param limit is 4096, chosen because it matches the existing
    multipart limit.  The bytesize limit is 4MB.  These limits should
    substantially exceed what almost all applications need, though
    there will likely be applications that require higher limits.
    Allow overriding the limits on a per-QueryParser basis via the
    constructors, and allow overriding the default limits with
    environment variables RACK_QUERY_PARSER_BYTESIZE_LIMIT and
    RACK_QUERY_PARSER_PARAMS_LIMIT.
    
    Add new Rack::QueryParser::QueryLimitError to raise in case one
    of the limits is exceeded, and make ParamsTooDeepError an
    alias to, since that is also a case where a limit is exceeded.
    This allows code that already rescues ParamsTooDeepError to
    automatically handle these other limits as well.
    
    * Update CHANGELOG.
    
    ---------
    
    Co-authored-by: Samuel Williams <[email protected]>
    jeremyevans and ioquatix committed May 6, 2025
    cd6b70a
  2. Bump patch version.

    ioquatix committed May 6, 2025
    5440b2c
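
The limits described in the May 6 commit message (cd6b70a), sketched as a stand-alone Ruby example. It is added here and is not Rack's code: `MiniQueryParser`, its keyword arguments, `try_parse` and the sample queries are hypothetical; only the default values, the two environment variable names and the error names come from the commit message.

```ruby
# Stand-alone sketch of the limits described in the commit message above.
# It does not load Rack; MiniQueryParser and its internals are hypothetical.
require "uri"

class MiniQueryParser
  class QueryLimitError < RangeError; end
  # Alias, so existing `rescue ParamsTooDeepError` also catches the new limits.
  ParamsTooDeepError = QueryLimitError

  # Defaults from the commit message: 4MB and 4096 params, overridable by env.
  BYTESIZE_LIMIT = Integer(ENV.fetch("RACK_QUERY_PARSER_BYTESIZE_LIMIT", 4 * 1024 * 1024))
  PARAMS_LIMIT   = Integer(ENV.fetch("RACK_QUERY_PARSER_PARAMS_LIMIT", 4096))

  def initialize(bytesize_limit: BYTESIZE_LIMIT, params_limit: PARAMS_LIMIT)
    @bytesize_limit = bytesize_limit
    @params_limit = params_limit
  end

  def parse(qs)
    qs = qs.to_s
    # Check the raw size before any splitting or decoding work is done.
    if qs.bytesize > @bytesize_limit
      raise QueryLimitError, "query size (#{qs.bytesize}) exceeds limit (#{@bytesize_limit})"
    end
    # Count separators first so an oversized query is rejected before
    # allocating one string per parameter.
    count = qs.count("&") + 1
    if count > @params_limit
      raise QueryLimitError, "parameter count (#{count}) exceeds limit (#{@params_limit})"
    end
    qs.split("&").each_with_object({}) do |pair, params|
      next if pair.empty?
      key, value = pair.split("=", 2).map { |s| URI.decode_www_form_component(s) }
      params[key] = value
    end
  end
end

def try_parse(parser, qs)
  parser.parse(qs).size
rescue MiniQueryParser::ParamsTooDeepError => e # the rescue older callers already have
  "rejected: #{e.class.name.split('::').last}"
end

strict = MiniQueryParser.new(bytesize_limit: 64, params_limit: 3)
# Constructed inputs: one normal query, one with too many params, one too long.
p try_parse(strict, "a=1&b=2")
p try_parse(strict, "a=1&b=2&c=3&d=4")
p try_parse(strict, "a=" + "x" * 100)
```

Both rejections surface through the older `ParamsTooDeepError` rescue, which is the compatibility property the commit message describes.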

Commits on May 16, 2025

  1. Test on Ruby v3.4.

    ioquatix committed May 16, 2025
    0ac5c57

Commits on May 17, 2025

  1. Replace usage of CGI::Cookie (#2328)

    In Ruby 3.5, `cgi` will only contain functions related to escaping/unescaping.
    
    https://bugs.ruby-lang.org/issues/21258
    
    This is not an exact replica of course, (`CGI::Cookie`) has some validations and coerces on setters but considering
    for that purpose this is, they don't seem necessary?
    During construction of the object rack already does conversions as necessary and setters don't make much sense, and aren't documented/tested for.
    
    Although, for improved backwards compatibility, it wouldn't be much effort to make them `attr_accessor` instead.
    Earlopain authored May 17, 2025
    3c1a46d

Commits on May 18, 2025

  1. bd60f6e
  2. Bump patch version.

    ioquatix committed May 18, 2025
    835e15b

Commits on May 22, 2025

  1. Synchronize changelog.

    ioquatix committed May 22, 2025
    352650a

Commits on Jun 4, 2025

  1. Fix ReDoS and consistency in multipart regexes

    [CVE-2025-49007]
    
    There is a ReDoS in multipart parsing here because it is not anchored to
    the start of a line and so may match as part of its comments.
    
    Previously in f92e056 Content-ID and
    Content-Type were changed to only accept tab and space as whitespace
    characters. Although that's what the various RFCs show as their BNF,
    I think that's supposed to be interpreted _after_ lines have been unfolded and
    so we need to allow FWS "Foldable White Space".
    
    CR is not allowed unescaped as part of quoted-string. It might be
    technically valid with a leading backslash, but I don't believe that
    case is worth supporting.
    
    Co-authored-by: Matthew Draper <[email protected]>
    2 people authored and tenderlove committed Jun 4, 2025
    aed514d
  2. Bump patch version.

    tenderlove committed Jun 4, 2025
    df2f3f2