hi,

> So, reassigning to rack, I guess this simple small fix can go
> via stable updates.
>
> O.
>
> 2012/1/15 Jérémy Lal <je...@edagames.com>:
> > Hi,
> > https://github.com/chneukirchen/rack/commit/6fa19e3a268c
> >
> > is a simple patch that fixes the issue, and is probably
> > the cause of the 1.1.1 release...

I've prepared this small patch for librack-ruby-1.1.0-4. It's assumed to be applied after fixing pending security bugs. (#698440, #700226) debdiff as follows: -- diff -u librack-ruby-1.1.0/debian/changelog librack-ruby-1.1.0/debian/changelog --- librack-ruby-1.1.0/debian/changelog +++ librack-ruby-1.1.0/debian/changelog @@ -1,3 +1,10 @@ +librack-ruby (1.1.0-4.1+squeeze2) stable; urgency=medium + + * Non Maintainer Upload. + * Remove parsing of quoted values. (Closes: 655896) + + -- KURASHIKI Satoru <lur...@gmail.com> Sat, 13 Apr 2013 20:35:25 +0000 + librack-ruby (1.1.0-4.1+squeeze1) stable-security; urgency=high * Non Maintainer Upload. only in patch2: unchanged: --- librack-ruby-1.1.0.orig/debian/patches/0003-Remove-parsing-of-quoted-values.patch +++ librack-ruby-1.1.0/debian/patches/0003-Remove-parsing-of-quoted-values.patch 
@@ -0,0 +1,42 @@ +--- a/lib/rack/utils.rb 2013-04-13 20:25:45.005940347 +0000 ++++ b/lib/rack/utils.rb 2013-04-13 20:26:21.696277220 +0000 +@@ -38,9 +38,6 @@ + + (qs || '').split(d ? /[#{d}] */n : DEFAULT_SEP).each do |p| + k, v = p.split('=', 2).map { |x| unescape(x) } +- if v =~ /^("|')(.*)\1$/ +- v = $2.gsub('\\'+$1, $1) +- end + if cur = params[k] + if cur.class == Array + params[k] << v +@@ -69,9 +66,6 @@ + module_function :parse_nested_query + + def normalize_params(params, name, v = nil) +- if v and v =~ /^("|')(.*)\1$/ +- v = $2.gsub('\\'+$1, $1) +- end + name =~ %r(\A[\[\]]*([^\[\]]+)\]*) + k = $1 || '' + after = $' || '' +--- a/test/spec_rack_utils.rb 2013-04-13 20:27:41.540708117 +0000 ++++ b/test/spec_rack_utils.rb 2013-04-13 20:28:39.332709491 +0000 +@@ -33,7 +33,7 @@ + Rack::Utils.parse_query("foo=bar"). + should.equal "foo" => "bar" + Rack::Utils.parse_query("foo=\"bar\""). +- should.equal "foo" => "bar" ++ should.equal "foo" => "\"bar\"" + Rack::Utils.parse_query("foo=bar&foo=quux"). + should.equal "foo" => ["bar", "quux"] + Rack::Utils.parse_query("foo=1&bar=2"). +@@ -51,7 +51,7 @@ + Rack::Utils.parse_nested_query("foo=bar"). + should.equal "foo" => "bar" + Rack::Utils.parse_nested_query("foo=\"bar\""). +- should.equal "foo" => "bar" ++ should.equal "foo" => "\"bar\"" + + Rack::Utils.parse_nested_query("foo=bar&foo=quux"). + should.equal "foo" => "quux" regards, -- KURASHIKI Satoru
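
Review bot: In the debian/changelog hunk, the new 1.1.0-4.1+squeeze2 entry says only "Remove parsing of quoted values." and does not say that this changes what applications receive. The updated specs show foo="bar" now parsing to a value that keeps its quotes, so the entry should state that quoted query values are no longer unquoted, and name debian/patches/0003-Remove-parsing-of-quoted-values.patch so a reader of the changelog can find the code change.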
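
Review bot: The new file debian/patches/0003-Remove-parsing-of-quoted-values.patch begins directly at the "--- a/lib/rack/utils.rb" line, with nothing above the diff saying why the change is made or where it comes from. A short header with a description, the origin of the change (the upstream commit linked earlier in this thread, if that is the source) and the Debian bug it closes (655896) would document the patch for whoever maintains the package next.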
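
Review bot: The two spec hunks for test/spec_rack_utils.rb only update the expectation for the double-quoted input foo=\"bar\", while the lines removed in both lib/rack/utils.rb hunks matched /^("|')(.*)\1$/ and then ran gsub on the captured value, so they also stripped single quotes and unescaped backslash-escaped quote characters. Expectations for a single-quoted value and for a value containing an escaped quote, in both parse_query and parse_nested_query, would confirm that those inputs are now returned unchanged as well.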