Fix [CVE-2025-25184]: Possible Log Injection in Rack::CommonLogger

codener · kratob · commit b192d52b69e5 · 2025-03-11T15:20:15.000+01:00
diff --git a/Gemfile.1.8.lock b/Gemfile.1.8.lock
@@ -1,7 +1,7 @@
 PATH
   remote: rack
   specs:
-    rack (1.4.7.19)
+    rack (1.4.7.20)
 
 PATH
   remote: railslts-version
diff --git a/Gemfile.2.3.lock b/Gemfile.2.3.lock
@@ -1,7 +1,7 @@
 PATH
   remote: rack
   specs:
-    rack (1.4.7.19)
+    rack (1.4.7.20)
 
 PATH
   remote: railslts-version
diff --git a/Gemfile.2.5.lock b/Gemfile.2.5.lock
@@ -8,7 +8,7 @@ GIT
 PATH
   remote: rack
   specs:
-    rack (1.4.7.19)
+    rack (1.4.7.20)
 
 PATH
   remote: railslts-version
diff --git a/Gemfile.2.7.lock b/Gemfile.2.7.lock
@@ -1,7 +1,7 @@
 PATH
   remote: rack
   specs:
-    rack (1.4.7.19)
+    rack (1.4.7.20)
 
 PATH
   remote: railslts-version
diff --git a/Gemfile.3.1.lock b/Gemfile.3.1.lock
@@ -1,7 +1,7 @@
 PATH
   remote: rack
   specs:
-    rack (1.4.7.19)
+    rack (1.4.7.20)
 
 PATH
   remote: railslts-version
diff --git a/Gemfile.3.3.lock b/Gemfile.3.3.lock
@@ -1,7 +1,7 @@
 PATH
   remote: rack
   specs:
-    rack (1.4.7.19)
+    rack (1.4.7.20)
 
 PATH
   remote: railslts-version
diff --git a/rack/lib/rack/commonlogger.rb b/rack/lib/rack/commonlogger.rb
@@ -21,7 +21,7 @@ class CommonLogger
     #   lilith.local - - [07/Aug/2006 23:58:02] "GET / HTTP/1.1" 500 -
     #
     #   %{%s - %s [%s] "%s %s%s %s" %d %s\n} %
-    FORMAT = %{%s - %s [%s] "%s %s%s %s" %d %s %0.4f\n}
+    FORMAT = %{%s - %s [%s] "%s %s%s %s" %d %s %0.4f }
 
     def initialize(app, logger=nil)
       @app = app
@@ -56,11 +56,12 @@ def log(env, status, header, began_at)
         now - began_at ]
 
       if defined?("".ord)
-        msg.gsub!(/[^[:print:]\n]/) { |c| "\\x%02x" % [c.ord] }
+        msg.gsub!(/[^[:print:]]/) { |c| sprintf("\\x%02x", c.ord) }
       else
-        msg.gsub!(/[^[:print:]\n]/) { |c| "\\x%02x" % [c[0]] }
+        msg.gsub!(/[^[:print:]]/) { |c| sprintf("\\x%02x", c[0]) }
       end
 
+      msg[-1] = "\n"
       logger.write(msg)
     end
 
diff --git a/rack/lib/rack/version.rb b/rack/lib/rack/version.rb
@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 module Rack
-  RELEASE = "1.4.7.19"
+  RELEASE = "1.4.7.20"
 
   # Return the Rack release as a dotted string.
   def self.release
diff --git a/rack/test/spec_commonlogger.rb b/rack/test/spec_commonlogger.rb
@@ -51,11 +51,16 @@
     res.errors.should =~ /"GET \/ " 200 - /
   end
 
-  should "escape non printable characters except newline" do
+  should "escape non printable characters including newline" do
     log = StringIO.new
     Rack::MockRequest.new(Rack::CommonLogger.new(app_without_lint, log)).request("GET\b\x10", "/hello")
 
     log.string.should.match(/GET\\x08\\x10 \/hello/)
+
+    Rack::MockRequest.new(Rack::CommonLogger.new(app, log)).get("/", 'REMOTE_USER' => "foo\nbar", "QUERY_STRING" => "bar\nbaz")
+    log.string.should.match(/\n\z/)
+    log.string.should.match(/foo\\x0abar/)
+    log.string.should.match(/bar\\x0abaz/)
   end
 
   def length
