From 873d39e6d673a91fbdeb2ec75d42184d35908bb4 Mon Sep 17 00:00:00 2001
From: Samuel Williams
Date: Sat, 8 Mar 2025 11:13:39 +1300
Subject: [PATCH 1/3] Use a fully resolved file path when confirming if a file can be served by `Rack::Static`.
---
 lib/rack/static.rb | 3 ++-
 test/spec_static.rb | 6 ++++++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/lib/rack/static.rb b/lib/rack/static.rb
index 8cb58b2fd..0ea78a1d9 100644
--- a/lib/rack/static.rb
+++ b/lib/rack/static.rb
@@ -122,8 +122,9 @@ def can_serve(path)
 def call(env)
 path = env[PATH_INFO]
+ actual_path = Utils.clean_path_info(Utils.unescape_path(path))
- if can_serve(path)
+ if can_serve(actual_path)
 if overwrite_file_path(path)
 env[PATH_INFO] = (add_index_root?(path) ? path + @index : @urls[path])
 elsif @gzip && env['HTTP_ACCEPT_ENCODING'] && /\bgzip\b/.match?(env['HTTP_ACCEPT_ENCODING'])
diff --git a/test/spec_static.rb b/test/spec_static.rb
index 2a94d68ca..f7f67cd45 100644
--- a/test/spec_static.rb
+++ b/test/spec_static.rb
@@ -43,6 +43,12 @@ def static(app, *args)
 res.body.must_match(/ruby/)
 end
+ it "does not serve files outside :urls" do
+ res = @request.get("/cgi/../#{File.basename(__FILE__)}")
+ res.must_be :ok?
+ res.body.must_equal "Hello World"
+ end
+
 it "404s if url root is known but it can't find the file" do
 res = @request.get("/cgi/foo")
 res.must_be :not_found?
From cceb70c72022503115b8d4d95d1037caf8aba73c Mon Sep 17 00:00:00 2001
From: Samuel Williams
Date: Sat, 8 Mar 2025 15:06:34 +1300
Subject: [PATCH 2/3] Update changelog.
---
 CHANGELOG.md | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ccbb02601..fad467258 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
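Review bot: The normalized `actual_path` now gates `can_serve`, but every line after it still works on the raw `path` — `overwrite_file_path(path)`, `add_index_root?(path)`, `@urls[path]` — and `env[PATH_INFO]` is left as the raw value for the file server, so a request is authorized on its decoded, `..`-free spelling and then rewritten or served on its original spelling. Whether that is safe depends on `@file_server` decoding and cleaning the path again on its own, which this hunk does not show; if that is the intended division of labour the new line deserves a comment, e.g. `# Authorize on the decoded, ".."-free path so an encoded or traversing prefix cannot bypass the :urls check; the file server must still resolve the raw PATH_INFO safely.` If it is not, consider feeding `actual_path` to `overwrite_file_path` and `add_index_root?` as well so that the authorization check and the rewrite agree on one path. The body of `call` continues past the end of this hunk.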
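Review bot: The new test exercises only a literal `..` segment, while the fix it covers first percent-decodes the path before cleaning it, so the decoding step has no coverage and a regression that dropped `Utils.unescape_path` would still pass. An encoded traversal should also fall through to the app: add `res = @request.get("/cgi/%2e%2e/#{File.basename(__FILE__)}")` followed by `res.body.must_equal "Hello World"` inside the same `it` block, and a `..%2f` variant if the file server is expected to treat an encoded separator the same way. The enclosing `describe` block starts before this hunk.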
@@ -2,6 +2,12 @@ All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
+## [2.2.13] - 2025-03-11
+
+### Security
+
+- [CVE-2025-27610](https://github.com/rack/rack/security/advisories/GHSA-7wqh-767x-r66v) Local file inclusion in `Rack::Static`.
+
 ## [2.2.12] - 2025-03-04
 ### Security
From df6c47357f6c6bec2d585f45f417285d813d9b3a Mon Sep 17 00:00:00 2001
From: Samuel Williams
Date: Tue, 11 Mar 2025 10:18:07 +1300
Subject: [PATCH 3/3] Bump patch verison.
---
 lib/rack/version.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/rack/version.rb b/lib/rack/version.rb
index b8c38dd19..1c8195e0b 100644
--- a/lib/rack/version.rb
+++ b/lib/rack/version.rb
@@ -20,7 +20,7 @@ def self.version
 VERSION.join(".")
 end
- RELEASE = "2.2.12"
+ RELEASE = "2.2.13"
 # Return the Rack release as a dotted string.
 def self.release