--- Begin Message ---
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: ruby-r...@packages.debian.org
Control: affects -1 + src:ruby-rack
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package ruby-rack.
[ Reason ]
Fixes for RC bugs #1104927 and #1109027.
[ Impact ]
autopkgtests fail, CVE-2025-46727 is exploitable (DoS).
[ Tests ]
autopkgtests pass in unstable.
[ Risks ]
The minor version update also includes other changes including one other
CVE fix. I do not think they pose a significant risk as they also come
with additional unit tests.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
[ Other info ]
I have fixed the bugs via a NMU.
unblock ruby-rack/3.1.16-0.1
diff -Nru ruby-rack-3.1.12/CHANGELOG.md ruby-rack-3.1.16/CHANGELOG.md
--- ruby-rack-3.1.12/CHANGELOG.md 2025-03-10 22:21:44.000000000 +0100
+++ ruby-rack-3.1.16/CHANGELOG.md 2025-06-05 00:27:50.000000000 +0200
@@ -2,6 +2,20 @@
All notable changes to this project will be documented in this file. For info
on how to format all future additions to this file please reference [Keep A
Changelog](https://keepachangelog.com/en/1.0.0/).
+## [3.1.15] - 2025-05-18
+
+- Optional support for `CGI::Cookie` if not available.
([#2327](https://github.com/rack/rack/pull/2327),
[#2333](https://github.com/rack/rack/pull/2333), [@earlopain])
+
+## [3.1.14] - 2025-05-06
+
+### Security
+
+-
[CVE-2025-46727](https://github.com/rack/rack/security/advisories/GHSA-gjh7-p2fx-99vx)
Unbounded parameter parsing in `Rack::QueryParser` can lead to memory
exhaustion.
+
+## [3.1.13] - 2025-04-13
+
+- Ensure `Rack::ETag` correctly updates response body.
([#2324](https://github.com/rack/rack/pull/2324), [@ioquatix])
+
## [3.1.12] - 2025-03-11
### Security
@@ -129,6 +143,24 @@
- In `Rack::Files`, ignore the `Range` header if served file is 0 bytes.
([#2159](https://github.com/rack/rack/pull/2159), [@zarqman])
+## [3.0.18] - 2025-05-22
+
+- Fix incorrect backport of optional `CGI::Cookie` support.
([#2335](https://github.com/rack/rack/pull/2335), [@jeremyevans])
+
+## [3.0.17] - 2025-05-18
+
+- Optional support for `CGI::Cookie` if not available.
([#2327](https://github.com/rack/rack/pull/2327),
[#2333](https://github.com/rack/rack/pull/2333), [@earlopain])
+
+## [3.0.16] - 2025-05-06
+
+### Security
+
+-
[CVE-2025-46727](https://github.com/rack/rack/security/advisories/GHSA-gjh7-p2fx-99vx)
Unbounded parameter parsing in `Rack::QueryParser` can lead to memory
exhaustion.
+
+## [3.0.15] - 2025-04-13
+
+- Ensure `Rack::ETag` correctly updates response body.
([#2324](https://github.com/rack/rack/pull/2324), [@ioquatix])
+
## [3.0.14] - 2025-03-11
### Security
@@ -141,6 +173,10 @@
-
[CVE-2025-27111](https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v)
Possible Log Injection in `Rack::Sendfile`.
+### Fixed
+
+- Remove autoloads for constants no longer shipped with Rack.
([#2269](https://github.com/rack/rack/pull/2269),
[@ccutrer](https://github.com/ccutrer))
+
## [3.0.12] - 2025-02-12
### Security
@@ -275,7 +311,7 @@
- Remove deprecated Rack::Request::SCHEME_WHITELIST. ([@jeremyevans])
- Remove internal cookie deletion using pattern matching, there are very few
practical cases where it would be useful and browsers handle it correctly
without us doing anything special.
([#1844](https://github.com/rack/rack/pull/1844), [@ioquatix])
- Remove `rack.version` as it comes too late to be useful.
([#1938](https://github.com/rack/rack/pull/1938), [@ioquatix])
-- Extract `rackup` command, `Rack::Server`, `Rack::Handler`, `Rack::Lobster`
and related code into a separate gem.
([#1937](https://github.com/rack/rack/pull/1937), [@ioquatix])
+- Extract `rackup` command, `Rack::Server`, `Rack::Handler` and related code
into a separate gem. ([#1937](https://github.com/rack/rack/pull/1937),
[@ioquatix])
### Added
@@ -323,6 +359,20 @@
- Fix multipart filename generation for filenames that contain spaces. Encode
spaces as "%20" instead of "+" which will be decoded properly by the multipart
parser. ([#1736](https://github.com/rack/rack/pull/1645),
[@muirdm](https://github.com/muirdm))
- `Rack::Request#scheme` returns `ws` or `wss` when one of the
`X-Forwarded-Scheme` / `X-Forwarded-Proto` headers is set to `ws` or `wss`,
respectively. ([#1730](https://github.com/rack/rack/issues/1730),
[@erwanst](https://github.com/erwanst))
+## [2.2.16] - 2025-05-22
+
+- Fix incorrect backport of optional `CGI::Cookie` support.
([#2335](https://github.com/rack/rack/pull/2335), [@jeremyevans])
+
+## [2.2.15] - 2025-05-18
+
+- Optional support for `CGI::Cookie` if not available.
([#2327](https://github.com/rack/rack/pull/2327),
[#2333](https://github.com/rack/rack/pull/2333), [@earlopain])
+
+## [2.2.14] - 2025-05-06
+
+### Security
+
+-
[CVE-2025-46727](https://github.com/rack/rack/security/advisories/GHSA-gjh7-p2fx-99vx)
Unbounded parameter parsing in `Rack::QueryParser` can lead to memory
exhaustion.
+
## [2.2.13] - 2025-03-11
### Security
@@ -1104,3 +1154,4 @@
[@wjordan]: https://github.com/wjordan "Will Jordan"
[@BlakeWilliams]: https://github.com/BlakeWilliams "Blake Williams"
[@davidstosik]: https://github.com/davidstosik "David Stosik"
+[@earlopain]: https://github.com/earlopain "Earlopain"
diff -Nru ruby-rack-3.1.12/debian/changelog ruby-rack-3.1.16/debian/changelog
--- ruby-rack-3.1.12/debian/changelog 2025-03-19 16:53:01.000000000 +0100
+++ ruby-rack-3.1.16/debian/changelog 2025-07-15 18:00:20.000000000 +0200
@@ -1,3 +1,12 @@
+ruby-rack (3.1.16-0.1) unstable; urgency=medium
+
+ * Non-maintainer upload
+ * New upstream version 3.1.16 (Closes: #1104927, #1107363),
+ fixes CVE-2025-46727, CVE-2025-49007
+ * Remove ruby-bacon from autopkgtests (Closes: #1109027)
+
+ -- Bastian Germann <b...@debian.org> Tue, 15 Jul 2025 18:00:20 +0200
+
ruby-rack (3.1.12-1) unstable; urgency=medium
* Team upload
diff -Nru ruby-rack-3.1.12/debian/tests/control
ruby-rack-3.1.16/debian/tests/control
--- ruby-rack-3.1.12/debian/tests/control 2025-03-16 18:51:46.000000000
+0100
+++ ruby-rack-3.1.16/debian/tests/control 2025-07-15 18:00:20.000000000
+0200
@@ -2,5 +2,5 @@
Depends: @, curl, ruby-rackup, ruby-webrick
Test-Command: gem2deb-test-runner
-Depends: @, gem2deb-test-runner, rake, ruby-bacon,
ruby-minitest-global-expectations, ruby-webrick
+Depends: @, gem2deb-test-runner, rake, ruby-minitest-global-expectations,
ruby-webrick
Restrictions: allow-stderr
diff -Nru ruby-rack-3.1.12/.github/workflows/test.yaml
ruby-rack-3.1.16/.github/workflows/test.yaml
--- ruby-rack-3.1.12/.github/workflows/test.yaml 2025-03-10
22:21:44.000000000 +0100
+++ ruby-rack-3.1.16/.github/workflows/test.yaml 2025-06-05
00:27:50.000000000 +0200
@@ -21,6 +21,7 @@
- '3.1'
- '3.2'
- '3.3'
+ - '3.4'
- jruby-head
- truffleruby-head
include:
diff -Nru ruby-rack-3.1.12/lib/rack/etag.rb ruby-rack-3.1.16/lib/rack/etag.rb
--- ruby-rack-3.1.12/lib/rack/etag.rb 2025-03-10 22:21:44.000000000 +0100
+++ ruby-rack-3.1.16/lib/rack/etag.rb 2025-06-05 00:27:50.000000000 +0200
@@ -32,6 +32,9 @@
body = body.to_ary
digest = digest_body(body)
headers[ETAG_STRING] = %(W/"#{digest}") if digest
+
+ # Body was modified, so we need to re-assign it:
+ response[2] = body
end
unless headers[CACHE_CONTROL]
diff -Nru ruby-rack-3.1.12/lib/rack/mock_response.rb
ruby-rack-3.1.16/lib/rack/mock_response.rb
--- ruby-rack-3.1.12/lib/rack/mock_response.rb 2025-03-10 22:21:44.000000000
+0100
+++ ruby-rack-3.1.16/lib/rack/mock_response.rb 2025-06-05 00:27:50.000000000
+0200
@@ -1,6 +1,5 @@
# frozen_string_literal: true
-require 'cgi/cookie'
require 'time'
require_relative 'response'
@@ -11,6 +10,36 @@
# MockRequest.
class MockResponse < Rack::Response
+ begin
+ # Recent versions of the CGI gem may not provide `CGI::Cookie`.
+ require 'cgi/cookie'
+ Cookie = CGI::Cookie
+ rescue LoadError
+ class Cookie
+ attr_reader :name, :value, :path, :domain, :expires, :secure
+
+ def initialize(args)
+ @name = args["name"]
+ @value = args["value"]
+ @path = args["path"]
+ @domain = args["domain"]
+ @expires = args["expires"]
+ @secure = args["secure"]
+ end
+
+ def method_missing(method_name, *args, &block)
+ @value.send(method_name, *args, &block)
+ end
+ # :nocov:
+ ruby2_keywords(:method_missing) if respond_to?(:ruby2_keywords, true)
+ # :nocov:
+
+ def respond_to_missing?(method_name, include_all = false)
+ @value.respond_to?(method_name, include_all) || super
+ end
+ end
+ end
+
class << self
alias [] new
end
@@ -83,7 +112,7 @@
Array(set_cookie_header).each do |cookie|
cookie_name, cookie_filling = cookie.split('=', 2)
cookie_attributes = identify_cookie_attributes cookie_filling
- parsed_cookie = CGI::Cookie.new(
+ parsed_cookie = Cookie.new(
'name' => cookie_name.strip,
'value' => cookie_attributes.fetch('value'),
'path' => cookie_attributes.fetch('path', nil),
@@ -100,7 +129,7 @@
def identify_cookie_attributes(cookie_filling)
cookie_bits = cookie_filling.split(';')
cookie_attributes = Hash.new
- cookie_attributes.store('value', cookie_bits[0].strip)
+ cookie_attributes.store('value', Array(cookie_bits[0].strip))
cookie_bits.drop(1).each do |bit|
if bit.include? '='
cookie_attribute, attribute_value = bit.split('=', 2)
diff -Nru ruby-rack-3.1.12/lib/rack/multipart/parser.rb
ruby-rack-3.1.16/lib/rack/multipart/parser.rb
--- ruby-rack-3.1.12/lib/rack/multipart/parser.rb 2025-03-10
22:21:44.000000000 +0100
+++ ruby-rack-3.1.16/lib/rack/multipart/parser.rb 2025-06-05
00:27:50.000000000 +0200
@@ -31,10 +31,12 @@
Error = BoundaryTooLongError
EOL = "\r\n"
+ FWS = /[ \t]+(?:\r\n[ \t]+)?/ # whitespace with optional folding
+ HEADER_VALUE = "(?:[^\r\n]|\r\n[ \t])*" # anything but a non-folding CRLF
MULTIPART = %r|\Amultipart/.*boundary=\"?([^\";,]+)\"?|ni
- MULTIPART_CONTENT_TYPE = /Content-Type: (.*)#{EOL}/ni
- MULTIPART_CONTENT_DISPOSITION =
/Content-Disposition:(.*)(?=#{EOL}(\S|\z))/ni
- MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
+ MULTIPART_CONTENT_TYPE = /^Content-Type:#{FWS}?(#{HEADER_VALUE})/ni
+ MULTIPART_CONTENT_DISPOSITION =
/^Content-Disposition:#{FWS}?(#{HEADER_VALUE})/ni
+ MULTIPART_CONTENT_ID = /^Content-ID:#{FWS}?(#{HEADER_VALUE})/ni
class Parser
BUFSIZE = 1_048_576
diff -Nru ruby-rack-3.1.12/lib/rack/query_parser.rb
ruby-rack-3.1.16/lib/rack/query_parser.rb
--- ruby-rack-3.1.12/lib/rack/query_parser.rb 2025-03-10 22:21:44.000000000
+0100
+++ ruby-rack-3.1.16/lib/rack/query_parser.rb 2025-06-05 00:27:50.000000000
+0200
@@ -21,21 +21,47 @@
include BadRequest
end
- # ParamsTooDeepError is the error that is raised when params are
recursively
- # nested over the specified limit.
- class ParamsTooDeepError < RangeError
+ # QueryLimitError is for errors raised when the query provided exceeds one
+ # of the query parser limits.
+ class QueryLimitError < RangeError
include BadRequest
end
- def self.make_default(param_depth_limit)
- new Params, param_depth_limit
+ # ParamsTooDeepError is the old name for the error that is raised when
params
+ # are recursively nested over the specified limit. Make it the same as
+ # as QueryLimitError, so that code that rescues ParamsTooDeepError error
+ # to handle bad query strings also now handles other limits.
+ ParamsTooDeepError = QueryLimitError
+
+ def self.make_default(param_depth_limit, **options)
+ new(Params, param_depth_limit, **options)
end
attr_reader :param_depth_limit
- def initialize(params_class, param_depth_limit)
+ env_int = lambda do |key, val|
+ if str_val = ENV[key]
+ begin
+ val = Integer(str_val, 10)
+ rescue ArgumentError
+ raise ArgumentError, "non-integer value provided for environment
variable #{key}"
+ end
+ end
+
+ val
+ end
+
+ BYTESIZE_LIMIT = env_int.call("RACK_QUERY_PARSER_BYTESIZE_LIMIT", 4194304)
+ private_constant :BYTESIZE_LIMIT
+
+ PARAMS_LIMIT = env_int.call("RACK_QUERY_PARSER_PARAMS_LIMIT", 4096)
+ private_constant :PARAMS_LIMIT
+
+ def initialize(params_class, param_depth_limit, bytesize_limit:
BYTESIZE_LIMIT, params_limit: PARAMS_LIMIT)
@params_class = params_class
@param_depth_limit = param_depth_limit
+ @bytesize_limit = bytesize_limit
+ @params_limit = params_limit
end
# Stolen from Mongrel, with some small modifications:
@@ -47,7 +73,7 @@
params = make_params
- (qs || '').split(separator ? (COMMON_SEP[separator] || /[#{separator}]
*/n) : DEFAULT_SEP).each do |p|
+ check_query_string(qs, separator).split(separator ?
(COMMON_SEP[separator] || /[#{separator}] */n) : DEFAULT_SEP).each do |p|
next if p.empty?
k, v = p.split('=', 2).map!(&unescaper)
@@ -74,7 +100,7 @@
params = make_params
unless qs.nil? || qs.empty?
- (qs || '').split(separator ? (COMMON_SEP[separator] || /[#{separator}]
*/n) : DEFAULT_SEP).each do |p|
+ check_query_string(qs, separator).split(separator ?
(COMMON_SEP[separator] || /[#{separator}] */n) : DEFAULT_SEP).each do |p|
k, v = p.split('=', 2).map! { |s| unescape(s) }
_normalize_params(params, k, v, 0)
@@ -189,6 +215,22 @@
true
end
+ def check_query_string(qs, sep)
+ if qs
+ if qs.bytesize > @bytesize_limit
+ raise QueryLimitError, "total query size (#{qs.bytesize}) exceeds
limit (#{@bytesize_limit})"
+ end
+
+ if (param_count = qs.count(sep.is_a?(String) ? sep : '&')) >=
@params_limit
+ raise QueryLimitError, "total number of query parameters
(#{param_count+1}) exceeds limit (#{@params_limit})"
+ end
+
+ qs
+ else
+ ''
+ end
+ end
+
def unescape(string, encoding = Encoding::UTF_8)
URI.decode_www_form_component(string, encoding)
end
diff -Nru ruby-rack-3.1.12/lib/rack/version.rb
ruby-rack-3.1.16/lib/rack/version.rb
--- ruby-rack-3.1.12/lib/rack/version.rb 2025-03-10 22:21:44.000000000
+0100
+++ ruby-rack-3.1.16/lib/rack/version.rb 2025-06-05 00:27:50.000000000
+0200
@@ -12,7 +12,7 @@
# so it should be enough just to <tt>require 'rack'</tt> in your code.
module Rack
- RELEASE = "3.1.12"
+ RELEASE = "3.1.16"
# Return the Rack release as a dotted string.
def self.release
diff -Nru ruby-rack-3.1.12/README.md ruby-rack-3.1.16/README.md
--- ruby-rack-3.1.12/README.md 2025-03-10 22:21:44.000000000 +0100
+++ ruby-rack-3.1.16/README.md 2025-06-05 00:27:50.000000000 +0200
@@ -183,6 +183,33 @@
Rack exposes several configuration parameters to control various features of
the
implementation.
+### `RACK_QUERY_PARSER_BYTESIZE_LIMIT`
+
+This environment variable sets the default for the maximum query string
bytesize
+that `Rack::QueryParser` will attempt to parse. Attempts to use a query string
+that exceeds this number of bytes will result in a
+`Rack::QueryParser::QueryLimitError` exception. If this enviroment variable is
+provided, it must be an integer, or `Rack::QueryParser` will raise an
exception.
+
+The default limit can be overridden on a per-`Rack::QueryParser` basis using
+the `bytesize_limit` keyword argument when creating the `Rack::QueryParser`.
+
+### `RACK_QUERY_PARSER_PARAMS_LIMIT`
+
+This environment variable sets the default for the maximum number of query
+parameters that `Rack::QueryParser` will attempt to parse. Attempts to use a
+query string with more than this many query parameters will result in a
+`Rack::QueryParser::QueryLimitError` exception. If this enviroment variable is
+provided, it must be an integer, or `Rack::QueryParser` will raise an
exception.
+
+The default limit can be overridden on a per-`Rack::QueryParser` basis using
+the `params_limit` keyword argument when creating the `Rack::QueryParser`.
+
+This is implemented by counting the number of parameter separators in the
+query string, before attempting parsing, so if the same parameter key is
+used multiple times in the query, each counts as a separate parameter for
+this check.
+
### `param_depth_limit`
```ruby
diff -Nru ruby-rack-3.1.12/test/spec_etag.rb ruby-rack-3.1.16/test/spec_etag.rb
--- ruby-rack-3.1.12/test/spec_etag.rb 2025-03-10 22:21:44.000000000 +0100
+++ ruby-rack-3.1.16/test/spec_etag.rb 2025-06-05 00:27:50.000000000 +0200
@@ -28,6 +28,16 @@
response[1]['etag'].must_equal "W/\"dffd6021bb2bd5b0af676290809ec3a5\""
end
+ it "returns a valid response body when using a linted app" do
+ app = lambda { |env| [200, { 'content-type' => 'text/plain' }, ["Hello,
World!"]] }
+ response = etag(Rack::Lint.new(app)).call(request)
+ response[1]['etag'].must_equal "W/\"dffd6021bb2bd5b0af676290809ec3a5\""
+
+ response[2].each do |chunk|
+ chunk.must_equal "Hello, World!"
+ end
+ end
+
it "set etag if none is set if status is 201" do
app = lambda { |env| [201, { 'content-type' => 'text/plain' }, ["Hello,
World!"]] }
response = etag(app).call(request)
diff -Nru ruby-rack-3.1.12/test/spec_headers.rb
ruby-rack-3.1.16/test/spec_headers.rb
--- ruby-rack-3.1.12/test/spec_headers.rb 2025-03-10 22:21:44.000000000
+0100
+++ ruby-rack-3.1.16/test/spec_headers.rb 2025-06-05 00:27:50.000000000
+0200
@@ -220,8 +220,8 @@
def test_inspect
%i'inspect to_s'.each do |meth|
- assert_equal '{}', @h.send(meth)
- assert_equal '{"ab"=>"1", "cd"=>"2", "3"=>"4"}', @fh.send(meth)
+ assert_equal({}.inspect, @h.send(meth))
+ assert_equal({"ab"=>"1", "cd"=>"2", "3"=>"4"}.inspect, @fh.send(meth))
end
end
diff -Nru ruby-rack-3.1.12/test/spec_mock_response.rb
ruby-rack-3.1.16/test/spec_mock_response.rb
--- ruby-rack-3.1.12/test/spec_mock_response.rb 2025-03-10 22:21:44.000000000
+0100
+++ ruby-rack-3.1.16/test/spec_mock_response.rb 2025-06-05 00:27:50.000000000
+0200
@@ -84,6 +84,7 @@
it "provides access to session cookies" do
res = Rack::MockRequest.new(app).get("")
session_cookie = res.cookie("session_test")
+ session_cookie[0].must_equal "session_test"
session_cookie.value[0].must_equal "session_test"
session_cookie.domain.must_equal "test.com"
session_cookie.path.must_equal "/"
diff -Nru ruby-rack-3.1.12/test/spec_multipart.rb
ruby-rack-3.1.16/test/spec_multipart.rb
--- ruby-rack-3.1.12/test/spec_multipart.rb 2025-03-10 22:21:44.000000000
+0100
+++ ruby-rack-3.1.16/test/spec_multipart.rb 2025-06-05 00:27:50.000000000
+0200
@@ -334,7 +334,7 @@
it "ignores content-disposition values over to 1536 bytes" do
x = content_disposition_parse.call("a=#{'a'*1510}; filename=\"bar\";
name=\"file\"")
- x.must_equal "text/plain"=>[""]
+ x.must_equal "application/pdf"=>[""]
end
it 'raises an EOF error on content-length mismatch' do
@@ -955,7 +955,7 @@
data = <<-EOF
--AaB03x\r
content-type: text/plain\r
-content-disposition: attachment; name="quoted\\\\chars\\"in\rname"\r
+content-disposition: attachment; name="quoted\\\\chars\\"in\tname"\r
\r
true\r
--AaB03x--\r
@@ -968,7 +968,7 @@
}
env = Rack::MockRequest.env_for("/", options)
params = Rack::Multipart.parse_multipart(env)
- params["quoted\\chars\"in\rname"].must_equal 'true'
+ params["quoted\\chars\"in\tname"].must_equal 'true'
end
it "supports mixed case metadata" do
diff -Nru ruby-rack-3.1.12/test/spec_query_parser.rb
ruby-rack-3.1.16/test/spec_query_parser.rb
--- ruby-rack-3.1.12/test/spec_query_parser.rb 2025-03-10 22:21:44.000000000
+0100
+++ ruby-rack-3.1.16/test/spec_query_parser.rb 2025-06-05 00:27:50.000000000
+0200
@@ -7,11 +7,30 @@
end
describe Rack::QueryParser do
- query_parser ||= Rack::QueryParser.make_default(8)
-
it "can normalize values with missing values" do
+ query_parser = Rack::QueryParser.make_default(8)
query_parser.parse_nested_query("a=a").must_equal({"a" => "a"})
query_parser.parse_nested_query("a=").must_equal({"a" => ""})
query_parser.parse_nested_query("a").must_equal({"a" => nil})
end
+
+ it "accepts bytesize_limit to specify maximum size of query string to parse"
do
+ query_parser = Rack::QueryParser.make_default(32, bytesize_limit: 3)
+ query_parser.parse_query("a=a").must_equal({"a" => "a"})
+ query_parser.parse_nested_query("a=a").must_equal({"a" => "a"})
+ query_parser.parse_nested_query("a=a", '&').must_equal({"a" => "a"})
+ proc { query_parser.parse_query("a=aa") }.must_raise
Rack::QueryParser::QueryLimitError
+ proc { query_parser.parse_nested_query("a=aa") }.must_raise
Rack::QueryParser::QueryLimitError
+ proc { query_parser.parse_nested_query("a=aa", '&') }.must_raise
Rack::QueryParser::QueryLimitError
+ end
+
+ it "accepts params_limit to specify maximum number of query parameters to
parse" do
+ query_parser = Rack::QueryParser.make_default(32, params_limit: 2)
+ query_parser.parse_query("a=a&b=b").must_equal({"a" => "a", "b" => "b"})
+ query_parser.parse_nested_query("a=a&b=b").must_equal({"a" => "a", "b" =>
"b"})
+ query_parser.parse_nested_query("a=a&b=b", '&').must_equal({"a" => "a",
"b" => "b"})
+ proc { query_parser.parse_query("a=a&b=b&c=c") }.must_raise
Rack::QueryParser::QueryLimitError
+ proc { query_parser.parse_nested_query("a=a&b=b&c=c", '&') }.must_raise
Rack::QueryParser::QueryLimitError
+ proc { query_parser.parse_query("b[]=a&b[]=b&b[]=c") }.must_raise
Rack::QueryParser::QueryLimitError
+ end
end
diff -Nru ruby-rack-3.1.12/test/spec_request.rb
ruby-rack-3.1.16/test/spec_request.rb
--- ruby-rack-3.1.12/test/spec_request.rb 2025-03-10 22:21:44.000000000
+0100
+++ ruby-rack-3.1.16/test/spec_request.rb 2025-06-05 00:27:50.000000000
+0200
@@ -1,7 +1,7 @@
# frozen_string_literal: true
require_relative 'helper'
-require 'cgi'
+require 'cgi/escape'
require 'forwardable'
require 'securerandom'
@@ -1910,6 +1910,9 @@
class NonDelegate < Rack::Request
def delegate?; false; end
+ def query_parser
+ Rack::QueryParser.make_default(Rack::Utils.param_depth_limit,
bytesize_limit: 2**30)
+ end
end
def make_request(env)
@@ -1931,6 +1934,10 @@
end
def delegate?; true; end
+
+ def query_parser
+ Rack::QueryParser.make_default(Rack::Utils.param_depth_limit,
bytesize_limit: 2**30)
+ end
end
def make_request(env)
--- End Message ---
