Comparing changes
base repository: rack/rack
base: v2.2.22
head repository: rack/rack
compare: v2.2.23
- 19 commits
- 17 files changed
- 6 contributors
Commits on Mar 30, 2026
- 93e2767
Commits on Mar 31, 2026
- 7796548: Root directory disclosure via unescaped regex interpolation in `Rack::Directory`
  Escape the root path before interpolating into a regular expression, preventing RegexpError when the root contains metacharacters and avoiding path disclosure when the regex silently mismatches.
- 8d6a0e1: Avoid O(n^2) algorithm in Rack::Utils.select_best_encoding
  If a wildcard has already been seen as an acceptable encoding, ignore additional wildcards. Other improvements while here:
  * Only process up to 16 encodings.
  * Improve efficiency of candidate sorting.
  Add tests for:
  * Lower but non-zero wildcard priority
  * Multiple wildcards with different priorities
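An Accept-Encoding negotiator that applies the two guards the commit message describes, a cap on the number of header entries and "first wildcard wins", as an added example. This is not Rack's `select_best_encoding`; the names `MAX_ACCEPT_ENCODINGS`, `parse_accept_encoding` and `select_best_encoding`, the tie-breaking by server order and the identity fallback are choices made for this illustration.

```ruby
# Added example, not Rack's code. Caps header parsing at a fixed number of
# entries and honours only the first "*" so that a header padded with
# wildcards cannot make the server expand them over and over.
MAX_ACCEPT_ENCODINGS = 16  # assumed limit, matching the commit message

# Returns [[coding, q], ...] for at most MAX_ACCEPT_ENCODINGS entries;
# a header with 10,000 entries costs the same as one with 16.
def parse_accept_encoding(header)
  header.to_s.split(',').first(MAX_ACCEPT_ENCODINGS).each_with_object([]) do |entry, acc|
    coding, *params = entry.split(';').map(&:strip)
    next if coding.nil? || coding.empty?
    q = 1.0
    params.each do |param|
      key, value = param.split('=', 2)
      q = value.to_f if value && key.downcase == 'q'
    end
    acc << [coding.downcase, q]
  end
end

# Picks the best coding from `available` (given in server preference order)
# for the request's Accept-Encoding header, or nil if nothing is acceptable.
def select_best_encoding(available, accept_encoding)
  available = available.map(&:downcase)
  q_for = {}
  wildcard_q = nil
  parse_accept_encoding(accept_encoding).each do |coding, q|
    if coding == '*'
      # Only the first wildcard is honoured. Re-expanding every wildcard
      # over every available coding is the O(n^2) behaviour being avoided.
      wildcard_q ||= q
    else
      q_for[coding] ||= q # first explicit mention wins
    end
  end
  if wildcard_q
    available.each { |coding| q_for[coding] = wildcard_q unless q_for.key?(coding) }
  end

  best = available.each_with_index
                  .select { |coding, _| q_for[coding].to_f > 0 }
                  .min_by { |coding, index| [-q_for[coding], index] }
  return best[0] if best

  # identity is acceptable as a last resort unless the client excluded it,
  # explicitly or through a wildcard with q=0 (both leave it in q_for).
  available.include?('identity') && !q_for.key?('identity') ? 'identity' : nil
end
```

Ties at equal q fall back to the server's own order in `available`, and anything beyond the sixteenth header entry is simply ignored rather than parsed and scored.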
- d380493: Raise error for multipart requests with multiple boundary parameters
  RFC 1341 specifies there should be a single boundary parameter. Requests with multiple boundary parameters are unlikely to be legitimate, and likely are attempts to exploit parsing differences between rack and web application firewalls.
  * Disallow whitespace between boundary and = when parsing multipart boundaries
  Rack has historically not accepted these. To avoid security issues when parsing multiple boundaries, check for boundary cases that may have whitespace, but explicitly disallow the parsing if there is whitespace.
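A Content-Type boundary extractor that applies the two rules in the commit message above, as an added example rather than Rack's own multipart parser. `MultipartBoundaryError`, `LOOSE_BOUNDARY_PARAM` and `multipart_boundary` are names chosen here; the sample Content-Type values in the usage are constructed.

```ruby
# Added example, not Rack's parser: extract the multipart boundary from a
# Content-Type value, rejecting the inputs that invite parser differentials
# between the application and a WAF in front of it.
class MultipartBoundaryError < StandardError; end

# Deliberately loose: it also matches whitespace on either side of "=", so
# such parameters are counted and then rejected explicitly, instead of being
# skipped by a strict regex while a front-end parser still honours them.
LOOSE_BOUNDARY_PARAM = /;\s*boundary(\s*)=(\s*)(?:"([^"]*)"|([^;\s"]*))/i

# Returns the boundary string, nil when the value is not multipart or has no
# boundary parameter, and raises when the parameter is ambiguous.
def multipart_boundary(content_type)
  ct = content_type.to_s
  return nil unless ct.match?(%r{\Amultipart/}i)

  params = ct.scan(LOOSE_BOUNDARY_PARAM) # [[ws_before, ws_after, quoted, bare], ...]
  return nil if params.empty?

  # RFC 1341 allows exactly one boundary parameter; two usually mean an
  # attempt to make this parser and a WAF pick different ones.
  if params.size > 1
    raise MultipartBoundaryError, "#{params.size} boundary parameters given"
  end

  ws_before, ws_after, quoted, bare = params.first
  unless ws_before.empty? && ws_after.empty?
    raise MultipartBoundaryError, 'whitespace around "=" in boundary parameter'
  end

  boundary = quoted || bare
  raise MultipartBoundaryError, 'empty boundary' if boundary.empty?
  boundary
end
```

The point of matching loosely and then raising, rather than matching strictly and ignoring, is that the request is refused outright instead of being parsed with a boundary a front-end component may not have agreed on.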
- 4207d22: Fix `header_rules` bypass via URL-encoded paths.
  Decode path once in applicable_rules before matching, fixing:
  - URL-encoded paths bypassing :fonts, Array, and Regexp header rules.
  - Path mutation across rules when String rule unescapes inside find_all.
  - Array rule values interpolated into regexp without Regexp.escape.
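A reduced header-rules matcher showing the bypass and the single up-front decode, as an added example; this is not Rack::Static's code, and `HEADER_RULES`, `FONT_EXTENSIONS`, `percent_decode`, `headers_for_raw` and `headers_for_decoded` are names chosen here. The Array branch also escapes each extension with `Regexp.escape`, as the third bullet of the message calls for. The request paths in the usage are constructed.

```ruby
# Added example, not Rack's code. Rules are [matcher, headers] pairs in the
# same shape as Rack::Static's header_rules: :all, :fonts, a String prefix,
# an Array of extensions, or a Regexp.
HEADER_RULES = [
  [:all,              { 'cache-control' => 'public, max-age=31536000' }],
  [:fonts,            { 'access-control-allow-origin' => '*' }],
  ['/private',        { 'x-robots-tag' => 'noindex' }],
  [%w[png jpg gif],   { 'content-disposition' => 'inline' }],
  [/\.(?:js|css)\z/i, { 'x-content-type-options' => 'nosniff' }]
].freeze

FONT_EXTENSIONS = /\.(?:eot|otf|ttf|woff2?)\z/i

# Minimal %XX decoder so the example runs without Rack; '+' is left alone
# because this is a path, not a form field. ASCII-only paths are assumed.
def percent_decode(str)
  str.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }
end

def rule_applies?(rule, path)
  case rule
  when :all    then true
  when :fonts  then path.match?(FONT_EXTENSIONS)
  when String  then path.start_with?(rule)
  when Array
    # Escape each extension so a value like "c++" cannot alter the pattern.
    exts = rule.map { |ext| Regexp.escape(ext) }.join('|')
    path.match?(/\.(?:#{exts})\z/i)
  when Regexp  then path.match?(rule)
  else false
  end
end

# Merge the headers of every rule that applies to the given path; later
# rules override earlier ones, as with Rack::Static.
def merged_headers(rules, path)
  rules.select { |rule, _| rule_applies?(rule, path) }
       .map { |_, headers| headers }
       .reduce({}) { |acc, headers| acc.merge(headers) }
end

# Vulnerable form: rules see the raw, still percent-encoded path, so encoding
# any byte of the extension or prefix steps around every rule but :all.
def headers_for_raw(rules, raw_path)
  merged_headers(rules, raw_path)
end

# Hardened form: decode exactly once, before any rule runs, and match every
# rule against that same string. No rule mutates the path it was given.
def headers_for_decoded(rules, raw_path)
  merged_headers(rules, percent_decode(raw_path))
end
```

Decoding once, outside the rule loop, is what removes the order dependence the message describes: a String rule that unescaped in place would otherwise change what the rules after it get to see.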
- a758473: Use `String#bytesize` for `Content-Length` in error responses.
  `String#size` returns character count, not byte count. For responses containing multi-byte UTF-8 characters, this produces an incorrect `Content-Length` value, violating RFC 9110 Section 8.6.
Commits on Apr 1, 2026
- 94a7ca9: Use a default limit of 100 byte ranges
  Allow exceeding this limit by passing max_ranges keyword argument. If the limit is exceeded, return nil, treating the request as not requesting ranges. This seems better than returning [], which would treat the request as requesting no ranges. We use [] when the total size exceeds the size of the file, as such case is obviously a problem. However, a request with more than the given number of ranges is not obviously a problem.
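A Range-header parser with the three outcomes the commit message distinguishes, as an added example; it is not Rack's `byte_ranges`. The function name, its `max_ranges:` keyword and the exact satisfiability rules are choices made here; the 100-range default follows the message, and the headers in the usage are constructed.

```ruby
# Added example, not Rack's code. Parses "bytes=..." against a body of `size`
# bytes and returns:
#   nil  -> no usable Range header, or more ranges than max_ranges:
#           treat the request as not asking for ranges (serve the whole body)
#   []   -> ranges requested but unsatisfiable: respond 416
#   [..] -> the satisfiable ranges as inclusive Integer ranges
def byte_ranges(range_header, size, max_ranges: 100)
  return nil unless range_header.is_a?(String) && range_header.start_with?('bytes=')

  specs = range_header[6..-1].split(',').map(&:strip)
  # Too many ranges is not obviously malicious, so degrade to "no ranges"
  # rather than answering 416 for a request that may be well-formed.
  return nil if specs.size > max_ranges

  ranges = []
  specs.each do |spec|
    m = /\A(\d*)-(\d*)\z/.match(spec)
    return nil unless m # syntactically not a byte-range-spec
    first_s, last_s = m[1], m[2]
    if first_s.empty?
      return nil if last_s.empty? # "-" on its own means nothing
      suffix = last_s.to_i        # "-N": the final N bytes
      first = [size - suffix, 0].max
      last  = size - 1
    else
      first = first_s.to_i
      last  = last_s.empty? ? size - 1 : [last_s.to_i, size - 1].min
    end
    return [] if first >= size || first > last # unsatisfiable
    ranges << (first..last)
  end

  # Asking for more bytes in total than the body holds is a clear problem,
  # so this case (unlike the count limit) is treated as unsatisfiable.
  return [] if ranges.sum(&:size) > size
  ranges
end
```

The distinction matters operationally: `nil` makes the server fall back to a normal 200 response, which is the cheap path, while `[]` produces a 416 and `[..]` leads to a multipart/byteranges body whose cost grows with the number of ranges.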
- 7f288de: Only do a simple substitution on the x-accel-mapping paths
  Mention the substitution is case insensitive in the documentation, since if the file system is case sensitive, this would be unexpected.
- 203730e: Fix root prefix bug in Rack::Static
  This is similar to the fix of CVE-2026-22860 for Rack::Directory.
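The root-path escaping point behind both the `Rack::Directory` fix (7796548) and this `Rack::Static` fix, shown as an added example rather than either middleware's code. `root_relative_unescaped`, `root_relative_escaped` and `demo_root_escaping` are names chosen here, and the root directories and file paths are constructed.

```ruby
# Added example, not Rack's code: what happens when a root directory is
# interpolated verbatim into a regular expression, and the Regexp.escape fix.

# Vulnerable form: any regex metacharacter in `root` changes the pattern's
# meaning, so the pattern either fails to compile or matches the wrong thing.
def root_relative_unescaped(root, full_path)
  full_path.sub(/\A#{root}/, '')
end

# Hardened form: Regexp.escape neutralises every metacharacter, so the
# pattern matches the literal root string and nothing else.
def root_relative_escaped(root, full_path)
  full_path.sub(/\A#{Regexp.escape(root)}/, '')
end

# Runs both forms over constructed paths and returns the outcomes.
def demo_root_escaping
  out = {}

  # "[2024]" becomes a character class in the unescaped pattern: it silently
  # fails to match, sub is a no-op, and the absolute server path leaks into
  # what would have been a root-relative listing entry.
  root = '/srv/docs[2024]'
  path = '/srv/docs[2024]/index.html'
  out[:unescaped_leak] = root_relative_unescaped(root, path)
  out[:escaped]        = root_relative_escaped(root, path)

  # An unbalanced metacharacter makes the interpolated pattern invalid, which
  # surfaces as a RegexpError on every request instead of a listing.
  begin
    root_relative_unescaped('/srv/app[', '/srv/app[/x')
    out[:unescaped_error] = nil
  rescue RegexpError => e
    out[:unescaped_error] = e.class
  end
  out[:escaped_no_error] = root_relative_escaped('/srv/app[', '/srv/app[/x')
  out
end
```

The disclosure case is the quieter of the two failures: nothing raises, the listing simply shows paths the root was supposed to hide, which is why a test over a root containing metacharacters is worth keeping alongside the fix.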
- c42e357: Add Content-Length size check in Rack::Multipart::Parser
  Compare the declared `Content-Length` against a configurable maximum (`PARSER_BYTESIZE_LIMIT`) before any parsing begins. If it exceeds the limit, raise an exception immediately.
- e6540e5
- 2287a3b
- 8883f0d
- a36f48b
- 54261ec
- add1a80
- e2d8e30
- 345b744
- f2af0c8
You can try running this command locally to see the comparison on your machine:
git diff v2.2.22...v2.2.23