From 0b284e898d28fe92a1cfd94c2e84625063ffbc70 Mon Sep 17 00:00:00 2001
From: Cody Cutrer
Date: Fri, 21 Feb 2025 15:39:45 -0700
Subject: [PATCH 1/4] Remove autoloads for constants no longer shipped with rack (#2269)

Removes the following autoloads:

* Handler
* Server

Sort the remaining autoloads alphabetically.
---
 lib/rack.rb | 24 ++++++++++--------------
 1 file changed, 10 insertions(+), 14 deletions(-)

diff --git a/lib/rack.rb b/lib/rack.rb
index b37c00cde..914b38921 100644
--- a/lib/rack.rb
+++ b/lib/rack.rb
@@ -15,8 +15,8 @@ require_relative 'rack/constants'
 module Rack
- autoload :Builder, "rack/builder"
 autoload :BodyProxy, "rack/body_proxy"
+ autoload :Builder, "rack/builder"
 autoload :Cascade, "rack/cascade"
 autoload :Chunked, "rack/chunked"
 autoload :CommonLogger, "rack/common_logger"
@@ -24,14 +24,13 @@ module Rack
 autoload :Config, "rack/config"
 autoload :ContentLength, "rack/content_length"
 autoload :ContentType, "rack/content_type"
+ autoload :Deflater, "rack/deflater"
+ autoload :Directory, "rack/directory"
 autoload :ETag, "rack/etag"
 autoload :Events, "rack/events"
 autoload :File, "rack/file"
 autoload :Files, "rack/files"
- autoload :Deflater, "rack/deflater"
- autoload :Directory, "rack/directory"
 autoload :ForwardRequest, "rack/recursive"
- autoload :Handler, "rack/handler"
 autoload :Head, "rack/head"
 autoload :Headers, "rack/headers"
 autoload :Lint, "rack/lint"
@@ -40,32 +39,29 @@ module Rack
 autoload :MediaType, "rack/media_type"
 autoload :MethodOverride, "rack/method_override"
 autoload :Mime, "rack/mime"
+ autoload :MockRequest, "rack/mock_request"
+ autoload :MockResponse, "rack/mock_response"
+ autoload :Multipart, "rack/multipart"
 autoload :NullLogger, "rack/null_logger"
 autoload :QueryParser, "rack/query_parser"
 autoload :Recursive, "rack/recursive"
 autoload :Reloader, "rack/reloader"
+ autoload :Request, "rack/request"
+ autoload :Response, "rack/response"
 autoload :RewindableInput, "rack/rewindable_input"
 autoload :Runtime, "rack/runtime"
 autoload :Sendfile, "rack/sendfile"
- autoload :Server, "rack/server"
 autoload :ShowExceptions, "rack/show_exceptions"
 autoload :ShowStatus, "rack/show_status"
 autoload :Static, "rack/static"
 autoload :TempfileReaper, "rack/tempfile_reaper"
 autoload :URLMap, "rack/urlmap"
 autoload :Utils, "rack/utils"
- autoload :Multipart, "rack/multipart"
-
- autoload :MockRequest, "rack/mock_request"
- autoload :MockResponse, "rack/mock_response"
-
- autoload :Request, "rack/request"
- autoload :Response, "rack/response"
 module Auth
 autoload :Basic, "rack/auth/basic"
- autoload :AbstractRequest, "rack/auth/abstract/request"
- autoload :AbstractHandler, "rack/auth/abstract/handler"
 autoload :Digest, "rack/auth/digest"
+ autoload :AbstractHandler, "rack/auth/abstract/handler"
+ autoload :AbstractRequest, "rack/auth/abstract/request"
 end
 end

From 803aa221e8302719715e224f4476e438f2531a53 Mon Sep 17 00:00:00 2001
From: Samuel Williams
Date: Sat, 22 Feb 2025 16:37:33 +1300
Subject: [PATCH 2/4] Use `#inspect` to prevent log injection.

---
 CHANGELOG.md | 66 ++++++++++++++++++++++++++++++++++++++++++-
 lib/rack/sendfile.rb | 2 +-
 test/spec_sendfile.rb | 2 +-
 3 files changed, 67 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index da027091a..7f352d005 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
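Review bot: The `module Auth` block at the end of this hunk is not alphabetical after the reorder — `AbstractHandler` and `AbstractRequest` now follow `Digest`, although the commit message says the remaining autoloads are sorted alphabetically. Moving the two `autoload :Abstract*` lines above `autoload :Basic, "rack/auth/basic"` would match the ordering applied to the top-level `Rack` autoloads earlier in this patch. The enclosing `module Rack` starts outside the hunk.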
@@ -2,11 +2,17 @@ All notable changes to this project will be documented in this file. For info on
 how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
+## [3.0.13] - 2025-03-04
+
+### Security
+
+- [CVE-2025-27111](https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v) Possible Log Injection in `Rack::Sendfile`.
+
 ## [3.0.12] - 2025-02-12
 ### Security
-- [CVE-2025-25184](https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg) Possible Log Injection in Rack::CommonLogger.
+- [CVE-2025-25184](https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg) Possible Log Injection in `Rack::CommonLogger`.
 ## [3.0.11] - 2024-05-10
@@ -184,6 +190,64 @@ All notable changes to this project will be documented in this file. For info on
 - Fix multipart filename generation for filenames that contain spaces. Encode spaces as "%20" instead of "+" which will be decoded properly by the multipart parser. ([#1736](https://github.com/rack/rack/pull/1645), [@muirdm](https://github.com/muirdm))
 - `Rack::Request#scheme` returns `ws` or `wss` when one of the `X-Forwarded-Scheme` / `X-Forwarded-Proto` headers is set to `ws` or `wss`, respectively. ([#1730](https://github.com/rack/rack/issues/1730), [@erwanst](https://github.com/erwanst))
+## [2.2.12] - 2025-03-04
+
+### Security
+
+- [CVE-2025-27111](https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v) Possible Log Injection in `Rack::Sendfile`.
+
+## [2.2.11] - 2025-02-12
+
+### Security
+
+- [CVE-2025-25184](https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg) Possible Log Injection in `Rack::CommonLogger`.
+
+## [2.2.10] - 2024-10-14
+
+- Fix compatibility issues with Ruby v3.4.0. ([#2248](https://github.com/rack/rack/pull/2248), [@byroot](https://github.com/byroot))
+
+## [2.2.9] - 2023-03-21
+
+- Return empty when parsing a multi-part POST with only one end delimiter. ([#2104](https://github.com/rack/rack/pull/2104), [@alpaca-tc])
+
+## [2.2.8] - 2023-07-31
+
+- Regenerate SPEC ([#2102](https://github.com/rack/rack/pull/2102), [@skipkayhil](https://github.com/skipkayhil))
+- Limit file extension length of multipart tempfiles ([#2015](https://github.com/rack/rack/pull/2015), [@dentarg](https://github.com/dentarg))
+- Fix "undefined method DelegateClass for Rack::Session::Cookie:Class" ([#2092](https://github.com/rack/rack/pull/2092), [@onigra](https://github.com/onigra) [@dchandekstark](https://github.com/dchandekstark))
+
+## [2.2.7] - 2023-03-13
+
+- Correct the year number in the changelog ([#2015](https://github.com/rack/rack/pull/2015), [@kimulab](https://github.com/kimulab))
+- Support underscore in host names for Rack 2.2 (Fixes [#2070](https://github.com/rack/rack/issues/2070)) ([#2015](https://github.com/rack/rack/pull/2071), [@jeremyevans](https://github.com/jeremyevans))
+
+## [2.2.6.4] - 2023-03-13
+
+- [CVE-2023-27539] Avoid ReDoS in header parsing
+
+## [2.2.6.3] - 2023-03-02
+
+- [CVE-2023-27530] Introduce multipart_total_part_limit to limit total parts
+
+## [2.2.6.2] - 2023-01-17
+
+- [CVE-2022-44570] Fix ReDoS in Rack::Utils.get_byte_ranges
+
+## [2.2.6.1] - 2023-01-17
+
+- [CVE-2022-44571] Fix ReDoS vulnerability in multipart parser
+- [CVE-2022-44572] Forbid control characters in attributes (also ReDoS)
+
+## [2.2.6] - 2023-01-17
+
+- Extend `Rack::MethodOverride` to handle `QueryParser::ParamsTooDeepError` error. ([#2011](https://github.com/rack/rack/pull/2011), [@byroot](https://github.com/byroot))
+
+## [2.2.5] - 2022-12-27
+
+### Fixed
+
+- `Rack::URLMap` uses non-deprecated form of `Regexp.new`. ([#1998](https://github.com/rack/rack/pull/1998), [@weizheheng](https://github.com/weizheheng))
+
 ## [2.2.4] - 2022-06-30
 - Better support for lower case headers in `Rack::ETag` middleware. ([#1919](https://github.com/rack/rack/pull/1919), [@ioquatix](https://github.com/ioquatix))
diff --git a/lib/rack/sendfile.rb b/lib/rack/sendfile.rb
index 9c6e0c42f..472389364 100644
--- a/lib/rack/sendfile.rb
+++ b/lib/rack/sendfile.rb
@@ -138,7 +138,7 @@ def call(env)
 end
 when '', nil
 else
- env[RACK_ERRORS].puts "Unknown x-sendfile variation: '#{type}'.\n"
+ env[RACK_ERRORS].puts "Unknown x-sendfile variation: #{type.inspect}"
 end
 end
 response
diff --git a/test/spec_sendfile.rb b/test/spec_sendfile.rb
index 5205b671c..4c1cda324 100644
--- a/test/spec_sendfile.rb
+++ b/test/spec_sendfile.rb
@@ -54,7 +54,7 @@ def open_file(path)
 response.headers.wont_include 'x-sendfile'
 io.rewind
- io.read.must_equal "Unknown x-sendfile variation: 'X-Banana'.\n"
+ io.read.must_equal "Unknown x-sendfile variation: \"X-Banana\"\n"
 end
 end

From 697a97e15c221b2f4118f6e7c21e8150f2bf86a6 Mon Sep 17 00:00:00 2001
From: Samuel Williams
Date: Tue, 4 Mar 2025 18:34:33 +1300
Subject: [PATCH 3/4] Add changelog for previous merged PR.

---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7f352d005..6cc6946aa 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,10 @@ All notable changes to this project will be documented in this file. For info on
 - [CVE-2025-27111](https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v) Possible Log Injection in `Rack::Sendfile`.
+### Fixed
+
+- Remove autoloads for constants no longer shipped with Rack. ([#2269](https://github.com/rack/rack/pull/2269), [@ccutrer](https://github.com/ccutrer))
+
 ## [3.0.12] - 2025-02-12
 ### Security

From ef96f4aa2f6f670233eca3e9bc780809914dd93b Mon Sep 17 00:00:00 2001
From: Samuel Williams
Date: Tue, 4 Mar 2025 18:37:45 +1300
Subject: [PATCH 4/4] Bump patch version.

---
 lib/rack/version.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/rack/version.rb b/lib/rack/version.rb
index 2889d2bc3..d18cb101b 100644
--- a/lib/rack/version.rb
+++ b/lib/rack/version.rb
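Review bot: The rewritten `puts` in the `else` branch of `lib/rack/sendfile.rb` carries no comment saying why `type.inspect` is used, so a later cleanup could reintroduce plain interpolation and silently undo the log-injection fix. Suggest one line above it: `# #inspect escapes newlines and control characters so a client-supplied type cannot inject extra lines into rack.errors (CVE-2025-27111).` Dropping the trailing `"\n"` is safe because `puts` appends one, and the expectation in `test/spec_sendfile.rb` is updated to match, but that spec still only checks the benign `X-Banana` value; a case whose type contains a newline would pin the actual regression the advisory describes. `call(env)` starts and ends outside the hunk, and where `type` comes from is not visible here — presumably the request's `x-sendfile-type` header.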
@@ -25,7 +25,7 @@ def self.version
 VERSION
 end
- RELEASE = "3.0.12"
+ RELEASE = "3.0.13"
 # Return the Rack release as a dotted string.
 def self.release