cgi_multipart_eof_fix 2.1 → 2.2

data/CHANGELOG

@@ -0,0 +1,9 @@
+
+v2.2. don't load on Ruby > 1.8.5; copyright correction at request of Zed Shaw
+
+v2.1. license change due to no provision for use in original Ruby license (prevents installation in Florida)
+
+v2.0. updated for second cgi.rb vulnerability
+
+v1.0.0. original single-patch release by Zed Shaw, et. al.
+

data/Manifest

@@ -0,0 +1,9 @@
+test/cgi_multipart_eof_fix_test.rb
+lib/rake_task_redefine_task.rb
+lib/cgi_multipart_eof_fix.rb
+Rakefile
+RUBY-LICENSE
+README
+Manifest
+CHANGELOG
+AFL3-LICENSE

data/README

@@ -0,0 +1,41 @@
+
+cgi_multipart_eof_fix
+
+Fix an exploitable bug in CGI multipart parsing.
+
+== License
+
+Copyright 2006, 2007 Cloudburst, LLC. Portions copyright 2006 Jeremy Kemper, Jamis Buck, Zed A. Shaw, and Yukihiro Matsumoto, and used with permission. Licensed under both the AFL 3.0 and Ruby License. 
+
+== Description
+
+Fixes an exploitable bug in CGI multipart parsing which affects Ruby <= 1.8.5. When multipart boundary attributes contain non-halting regular expression strings, the boundary searcher in the CGI module does not properly escape the parameter and will execute arbitrary regular expressions. This fix adds escaping for the user data.
+
+This is fix is cumulative with previous CGI multipart vulnerability fixes; see version 1.0.0 of the gem by Jamis Buck et. al.
+
+== Installation
+
+  sudo gem install cgi_multipart_eof_fix
+
+== Scope
+
+* Affected: standalone CGI, Mongrel, WEBrick
+* Unaffected: FastCGI, Ruby 1.8.6 (all servers)
+* Unknown: mod_ruby
+
+This library will not modify versions of Ruby greater than 1.8.5.
+
+== Usage
+
+Run the included test to verify that the patch works as intended. Then, <tt>require</tt> the gem in every affected application, as follows:
+
+  require 'rubygems' 
+  require 'cgi_multipart_eof_fix'
+  
+Currently Mongrel requires this gem automatically. However, Mongrel may change in the future.
+
+== Further resources
+
+* http://blog.evanweaver.com/pages/code#cgi_multipart_eof_fix
+* http://rubyforge.org/forum/forum.php?forum_id=13985
+* http://www.ruby-lang.org/en/news/2006/12/04/another-dos-vulnerability-in-cgi-library/

data/RUBY-LICENSE

@@ -0,0 +1,58 @@
+Ruby is copyrighted free software by Yukihiro Matsumoto <matz@netlab.co.jp>.
+You can redistribute it and/or modify it under either the terms of the GPL
+(see COPYING.txt file), or the conditions below:
+
+  1. You may make and give away verbatim copies of the source form of the
+     software without restriction, provided that you duplicate all of the
+     original copyright notices and associated disclaimers.
+
+  2. You may modify your copy of the software in any way, provided that
+     you do at least ONE of the following:
+
+       a) place your modifications in the Public Domain or otherwise
+          make them Freely Available, such as by posting said
+	  modifications to Usenet or an equivalent medium, or by allowing
+	  the author to include your modifications in the software.
+
+       b) use the modified software only within your corporation or
+          organization.
+
+       c) rename any non-standard executables so the names do not conflict
+	  with standard executables, which must also be provided.
+
+       d) make other distribution arrangements with the author.
+
+  3. You may distribute the software in object code or executable
+     form, provided that you do at least ONE of the following:
+
+       a) distribute the executables and library files of the software,
+	  together with instructions (in the manual page or equivalent)
+	  on where to get the original distribution.
+
+       b) accompany the distribution with the machine-readable source of
+	  the software.
+
+       c) give non-standard executables non-standard names, with
+          instructions on where to get the original software distribution.
+
+       d) make other distribution arrangements with the author.
+
+  4. You may modify and include the part of the software into any other
+     software (possibly commercial).  But some files in the distribution
+     are not written by the author, so that they are not under this terms.
+
+     They are gc.c(partly), utils.c(partly), regex.[ch], st.[ch] and some
+     files under the ./missing directory.  See each file for the copying
+     condition.
+
+  5. The scripts and library files supplied as input to or produced as 
+     output from the software do not automatically fall under the
+     copyright of the software, but belong to whomever generated them, 
+     and may be sold commercially, and may be aggregated with this
+     software.
+
+  6. THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR
+     IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+     WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+     PURPOSE.
+

data/Rakefile

@@ -1,53 +1,27 @@
+
 require 'rubygems'
 require 'rake'
-
-NAME = "cgi_multipart_eof_fix"
+require 'lib/rake_task_redefine_task.rb'
 
 begin
   require 'rake/clean'
   require 'echoe'
-  require 'fileutils'
 
-  AUTHOR = "Evan Weaver"
-  EMAIL = "evan at cloudbur dot st"
-  DESCRIPTION = "Fix an exploitable bug in CGI multipart parsing which affects Ruby <= 1.8.5 when multipart boundary attribute contains a non-halting regular expression string."
-  RUBYFORGE_NAME = "fauna"
-  GEM_NAME = "cgi_multipart_eof_fix" 
-  HOMEPATH = "http://blog.evanweaver.com"
-  RELEASE_TYPES = ["gem"]
-  REV = nil
-  VERS = "2.1"
-  CLEAN.include ['**/.*.sw?', '*.gem', '.config']
-  RDOC_OPTS = ['--quiet', '--title', "cgi_multipart_eof_fix documentation",
-      "--opname", "index.html",
-      "--line-numbers", 
-      "--main", "README",
-      "--inline-source"]
-  
-  include FileUtils
-  require File.join(File.dirname(__FILE__), 'lib', 'cgi_multipart_eof_fix')
-    
-  echoe = Echoe.new(GEM_NAME, VERS) do |p|
-    p.author = AUTHOR 
-    p.rubyforge_name = RUBYFORGE_NAME
-    p.name = NAME
-    p.description = DESCRIPTION
-    p.email = EMAIL
-    p.summary = DESCRIPTION
-    p.url = HOMEPATH
-    p.test_globs = ["*_test.rb"]
-    p.clean_globs = CLEAN  
+  echoe = Echoe.new("cgi_multipart_eof_fix") do |p|
+    p.author = "Evan Weaver" 
+    p.rubyforge_name = "fauna"
+    p.summary = p.description = "Fix an exploitable bug in CGI multipart parsing which affects Ruby <= 1.8.5 when multipart boundary attribute contains a non-halting regular expression string."    
+    p.url = "http://blog.evanweaver.com/pages/code#cgi_multipart_eof_fix"
+    p.docs_host = "blog.evanweaver.com:~/www/snax/public/files/doc/"
+    p.rdoc_pattern = /CHANGELOG|LICENSE|README|lib\/cgi_multipart_eof_fix/
   end
             
-rescue LoadError => boom
-  puts "You are missing a dependency required for meta-operations on this gem."
-  puts "#{boom.to_s.capitalize}."
-  
+rescue LoadError
   desc 'Run the default tasks'
-  task :default => :test
-  
-  desc 'Run the test suite.'
-  task :test do
-     system "ruby -Ibin:lib:test #{NAME}_test.rb"
-  end
+  task :default => :test  
 end
+
+Rake::Task.redefine_task("test") do
+  system "ruby -Ibin:lib:test test/cgi_multipart_eof_fix_test.rb"
+end
+

data/lib/cgi_multipart_eof_fix.rb

@@ -1,112 +1,123 @@
-require 'cgi'
 
-class CGI
-  module QueryExtension
-    def read_multipart(boundary, content_length)
-      params = Hash.new([])
-      boundary = "--" + boundary
-      quoted_boundary = Regexp.quote(boundary, "n")
-      buf = ""
-      bufsize = 10 * 1024
-      boundary_end=""
+version = RUBY_VERSION.split(".").map {|num| num.to_i }
 
-      # start multipart/form-data
-      stdinput.binmode if defined? stdinput.binmode
-      boundary_size = boundary.size + EOL.size
-      content_length -= boundary_size
-      status = stdinput.read(boundary_size)
-      if nil == status
-        raise EOFError, "no content body"
-      elsif boundary + EOL != status
-        raise EOFError, "bad content body #{status.inspect} expected, got #{(boundary + EOL).inspect}"
-      end
+if version[0] < 2 and version[1] < 9 and version[2] < 6
 
-      loop do
-        head = nil
-        if 10240 < content_length
-          require "tempfile"
-          body = Tempfile.new("CGI")
-        else
-          begin
-            require "stringio"
-            body = StringIO.new
-          rescue LoadError
+  $stderr.puts "** Ruby version is not up-to-date; loading cgi_multipart_eof_fix"  
+
+  require 'cgi'  
+  
+  class CGI
+    module QueryExtension
+      def read_multipart(boundary, content_length)
+        params = Hash.new([])
+        boundary = "--" + boundary
+        quoted_boundary = Regexp.quote(boundary, "n")
+        buf = ""
+        bufsize = 10 * 1024
+        boundary_end=""
+  
+        # start multipart/form-data
+        stdinput.binmode if defined? stdinput.binmode
+        boundary_size = boundary.size + EOL.size
+        content_length -= boundary_size
+        status = stdinput.read(boundary_size)
+        if nil == status
+          raise EOFError, "no content body"
+        elsif boundary + EOL != status
+          raise EOFError, "bad content body #{status.inspect} expected, got #{(boundary + EOL).inspect}"
+        end
+  
+        loop do
+          head = nil
+          if 10240 < content_length
             require "tempfile"
             body = Tempfile.new("CGI")
+          else
+            begin
+              require "stringio"
+              body = StringIO.new
+            rescue LoadError
+              require "tempfile"
+              body = Tempfile.new("CGI")
+            end
           end
-        end
-        body.binmode if defined? body.binmode
-
-        until head and /#{quoted_boundary}(?:#{EOL}|--)/n.match(buf)
-
-          if (not head) and /#{EOL}#{EOL}/n.match(buf)
-            buf = buf.sub(/\A((?:.|\n)*?#{EOL})#{EOL}/n) do
-              head = $1.dup
-              ""
+          body.binmode if defined? body.binmode
+  
+          until head and /#{quoted_boundary}(?:#{EOL}|--)/n.match(buf)
+  
+            if (not head) and /#{EOL}#{EOL}/n.match(buf)
+              buf = buf.sub(/\A((?:.|\n)*?#{EOL})#{EOL}/n) do
+                head = $1.dup
+                ""
+              end
+              next
+            end
+  
+            if head and ( (EOL + boundary + EOL).size < buf.size )
+              body.print buf[0 ... (buf.size - (EOL + boundary + EOL).size)]
+              buf[0 ... (buf.size - (EOL + boundary + EOL).size)] = ""
+            end
+  
+            c = if bufsize < content_length
+                  stdinput.read(bufsize)
+                else
+                  stdinput.read(content_length)
+                end
+            if c.nil? || c.empty?
+              raise EOFError, "bad content body"
             end
-            next
+            buf.concat(c)
+            content_length -= c.size
           end
-
-          if head and ( (EOL + boundary + EOL).size < buf.size )
-            body.print buf[0 ... (buf.size - (EOL + boundary + EOL).size)]
-            buf[0 ... (buf.size - (EOL + boundary + EOL).size)] = ""
+  
+          buf = buf.sub(/\A((?:.|\n)*?)(?:[\r\n]{1,2})?#{quoted_boundary}([\r\n]{1,2}|--)/n) do
+            body.print $1
+            if "--" == $2
+              content_length = -1
+            end
+           boundary_end = $2.dup
+            ""
           end
-
-          c = if bufsize < content_length
-                stdinput.read(bufsize)
-              else
-                stdinput.read(content_length)
-              end
-          if c.nil? || c.empty?
-            raise EOFError, "bad content body"
+  
+          body.rewind
+  
+          /Content-Disposition:.* filename="?([^\";]*)"?/ni.match(head)
+  	filename = ($1 or "")
+  	if /Mac/ni.match(env_table['HTTP_USER_AGENT']) and
+  	    /Mozilla/ni.match(env_table['HTTP_USER_AGENT']) and
+  	    (not /MSIE/ni.match(env_table['HTTP_USER_AGENT']))
+  	  filename = CGI::unescape(filename)
+  	end
+          
+          /Content-Type: (.*)/ni.match(head)
+          content_type = ($1 or "")
+  
+          (class << body; self; end).class_eval do
+            alias local_path path
+            define_method(:original_filename) {filename.dup.taint}
+            define_method(:content_type) {content_type.dup.taint}
           end
-          buf.concat(c)
-          content_length -= c.size
-        end
-
-        buf = buf.sub(/\A((?:.|\n)*?)(?:[\r\n]{1,2})?#{quoted_boundary}([\r\n]{1,2}|--)/n) do
-          body.print $1
-          if "--" == $2
-            content_length = -1
+  
+          /Content-Disposition:.* name="?([^\";]*)"?/ni.match(head)
+          name = $1.dup
+  
+          if params.has_key?(name)
+            params[name].push(body)
+          else
+            params[name] = [body]
           end
-         boundary_end = $2.dup
-          ""
-        end
-
-        body.rewind
-
-        /Content-Disposition:.* filename="?([^\";]*)"?/ni.match(head)
-	filename = ($1 or "")
-	if /Mac/ni.match(env_table['HTTP_USER_AGENT']) and
-	    /Mozilla/ni.match(env_table['HTTP_USER_AGENT']) and
-	    (not /MSIE/ni.match(env_table['HTTP_USER_AGENT']))
-	  filename = CGI::unescape(filename)
-	end
-        
-        /Content-Type: (.*)/ni.match(head)
-        content_type = ($1 or "")
-
-        (class << body; self; end).class_eval do
-          alias local_path path
-          define_method(:original_filename) {filename.dup.taint}
-          define_method(:content_type) {content_type.dup.taint}
-        end
-
-        /Content-Disposition:.* name="?([^\";]*)"?/ni.match(head)
-        name = $1.dup
-
-        if params.has_key?(name)
-          params[name].push(body)
-        else
-          params[name] = [body]
+          break if buf.size == 0
+          break if content_length === -1
         end
-        break if buf.size == 0
-        break if content_length === -1
-      end
-      raise EOFError, "bad boundary end of body part" unless boundary_end=~/--/
-
-      params
-    end # read_multipart
-    private :read_multipart
+        raise EOFError, "bad boundary end of body part" unless boundary_end=~/--/
+  
+        params
+      end # read_multipart
+      private :read_multipart
+    end
   end
+
+else
+  $stderr.puts "** Ruby version is up-to-date; cgi_multipart_eof_fix was not loaded"  
 end

data/lib/rake_task_redefine_task.rb

@@ -0,0 +1,25 @@
+
+# http://www.bigbold.com/snippets/posts/show/2032
+module Rake
+  module TaskManager
+    def redefine_task(task_class, args, &block)
+      task_name, deps = resolve_args(args)
+      task_name = task_class.scope_name(@scope, task_name)
+      deps = [deps] unless deps.respond_to?(:to_ary)
+      deps = deps.collect {|d| d.to_s }
+      task = @tasks[task_name.to_s] = task_class.new(task_name, self)
+      task.application = self
+      task.add_comment(@last_comment)
+      @last_comment = nil
+      task.enhance(deps, &block)
+      task
+    end
+  end
+  class Task
+    class << self
+      def redefine_task(args, &block)
+        Rake.application.redefine_task(self, args, &block)
+      end
+    end
+  end
+end

metadata

@@ -1,15 +1,15 @@
 --- !ruby/object:Gem::Specification 
-rubygems_version: 0.9.0.9
+rubygems_version: 0.9.4
 specification_version: 1
 name: cgi_multipart_eof_fix
 version: !ruby/object:Gem::Version 
-  version: "2.1"
-date: 2007-02-05 00:00:00 -05:00
+  version: "2.2"
+date: 2007-08-07 00:00:00 -04:00
 summary: Fix an exploitable bug in CGI multipart parsing which affects Ruby <= 1.8.5 when multipart boundary attribute contains a non-halting regular expression string.
 require_paths: 
 - lib
-email: evan at cloudbur dot st
-homepage: http://blog.evanweaver.com
+email: ""
+homepage: http://blog.evanweaver.com/pages/code#cgi_multipart_eof_fix
 rubyforge_project: fauna
 description: Fix an exploitable bug in CGI multipart parsing which affects Ruby <= 1.8.5 when multipart boundary attribute contains a non-halting regular expression string.
 autorequire: 
@@ -29,13 +29,17 @@ post_install_message:
 authors: 
 - Evan Weaver
 files: 
-- README.txt
-- LICENSE.txt
-- Rakefile
+- test/cgi_multipart_eof_fix_test.rb
+- lib/rake_task_redefine_task.rb
 - lib/cgi_multipart_eof_fix.rb
-- cgi_multipart_eof_fix_test.rb
-test_files: 
-- cgi_multipart_eof_fix_test.rb
+- Rakefile
+- RUBY-LICENSE
+- README
+- Manifest
+- CHANGELOG
+- AFL3-LICENSE
+test_files: []
+
 rdoc_options: []
 
 extra_rdoc_files: []

data/README.txt

@@ -1,45 +0,0 @@
-
-DESCRIPTION
-
-Fix an exploitable bug in CGI multipart parsing which affects Ruby <= 1.8.5
-when multipart boundary attribute contains a non-halting regular expression
-string. The boundary searcher in the CGI module does not properly escape 
-the user-supplied parameter and will execute arbitrary regular expressions. 
-The fix adds escaping for the user data.
-
-This is fix is cumulative with previous CGI multipart vulnerability fixes; see
-version 1.0.0 of the gem by Zed Shaw.
-
-SCOPE
-
-Affected: standalone CGI, Mongrel, WEBrick
-Unaffected: FastCGI
-Unknown: mod_ruby
-
-USAGE
-
-Install the hotfix gem and  run the included test to verify the flaw is 
-corrected. You must require the gem in every affected application, as follows:
-
-  require 'rubygems' 
-  require 'cgi_multipart_eof_fix'
-
-If you only use mongrel_rails for application hosting, you may install mongrel 
-like so:
-
-  sudo gem install mongrel --source=http://mongrel.rubyforge.org/releases
-  
-Then mongrel will require the fix for you, provided you have installed version 2.0.0
-of this gem. This is a hack, and mongrel may change in the future.
-
-RESOURCES
-
-http://www.ruby-lang.org/en/news/2006/12/04/another-dos-vulnerability-in-cgi-library/
-http://blog.evanweaver.com/articles/2006/12/05/cgi-rb-vulnerability-hotfix
-http://blog.evanweaver.com/articles/2006/12/05/new-cgi-rb-vulnerability
-    
-LICENSE
-
-Copyright 2006, 2007 Cloudburst, LLC. Portions copyright 2006 Zed A. Shaw,
-Yukihiro Matsumoto and used with permission. Licensed under the AFL 3.0. 
-See the included LICENSE.txt file.