cgi_multipart_eof_fix 2.3 → 2.5.0

data.tar.gz.sig

@@ -0,0 +1,2 @@
+a�R�U��㡏�Ҿ����x���v�Up!�s�ݯo����r��QE���i&O�+�v�6��grM��됿S�/W�ԮS'���v�^���DXL�tӻ�:���K����U��op	�~��	��X	6)T�q�x雡;�����l�GH����[F�o@�WP�lj����
�;�sa޵�i����]]ܻ��=iZl:Po��R�#6A+�x��ء�9�(�9��/Ūx�����aVv�r
+�˭�5�Wp

data/CHANGELOG

@@ -1,10 +1,14 @@
 
-v2.3. Use STDERR, not $stderr, just like Mongrel; tests now use Test::Unit; moving to the mongrel project on RubyForge.
+v2.5.0. Not required for JRuby.
 
-v2.2. Don't load on Ruby > 1.8.5; copyright correction.
+v2.4.0. Signed gem.
 
-v2.1. License change due to no provision for use in original Ruby license (prevents installation in Florida).
+v2.3.0. Use STDERR, not $stderr, just like Mongrel; tests now use Test::Unit; moving to the mongrel project on RubyForge.
 
-v2.0. Updated for second cgi.rb vulnerability.
+v2.2.0. Don't load on Ruby > 1.8.5; copyright correction.
+
+v2.1.0. License change due to no provision for use in original Ruby license (prevents installation in Florida).
+
+v2.0.0. Updated for second cgi.rb vulnerability.
 
 v1.0.0. Original single-patch release by Zed Shaw, et. al.

data/Manifest

@@ -1,7 +1,6 @@
-test/cgi_multipart_eof_fix_test.rb
-README
-Manifest
-LICENSE
-lib/rake_task_redefine_task.rb
-lib/cgi_multipart_eof_fix.rb
 CHANGELOG
+lib/cgi_multipart_eof_fix.rb
+LICENSE
+Manifest
+README
+test/test_cgi_multipart_eof_fix.rb

data/README

@@ -11,22 +11,17 @@ Copyright 2006, 2007 Cloudburst, LLC. Portions copyright 2006 Jeremy Kemper, Jam
 
 Fixes an exploitable bug in CGI multipart parsing which affects Ruby <= 1.8.5. When multipart boundary attributes contain non-halting regular expression strings, the boundary searcher in the CGI module does not properly escape the parameter and will execute arbitrary regular expressions. This fix adds escaping for the user data.
 
-This is fix is cumulative with previous CGI multipart vulnerability fixes; see version 1.0.0 of the gem by Jamis Buck et. al.
-
-== Installation
-
-  sudo gem install cgi_multipart_eof_fix
-
-== Scope
-
-* Affected: standalone CGI, Mongrel, WEBrick
+* Affected application servers: standalone CGI, Mongrel, WEBrick
 * Unaffected: FastCGI, Ruby 1.8.6 (all servers)
 * Unknown: mod_ruby
 
-This library will not modify versions of Ruby greater than 1.8.5.
+This fix will not modify versions of Ruby greater than 1.8.5, and is cumulative with previous CGI multipart vulnerability fixes.
 
 == Usage
 
+Install the gem:
+  sudo gem install cgi_multipart_eof_fix
+
 Run the included test to verify that the patch works as intended. Then, <tt>require</tt> the gem in every affected application, as follows:
 
   require 'rubygems' 
@@ -34,8 +29,12 @@ Run the included test to verify that the patch works as intended. Then, <tt>requ
   
 Currently <tt>mongrel_rails</tt> requires this gem automatically. However, Mongrel may change in the future.
 
+== Reporting problems
+
+* http://rubyforge.org/tracker/?group_id=1306
+
 == Further resources
 
-* http://blog.evanweaver.com/pages/code#cgi_multipart_eof_fix
 * http://rubyforge.org/mailman/listinfo/mongrel-users
+* http://blog.evanweaver.com/articles/2006/12/05/cgi-rb-vulnerability-hotfix
 * http://www.ruby-lang.org/en/news/2006/12/04/another-dos-vulnerability-in-cgi-library/

data/cgi_multipart_eof_fix.gemspec

@@ -1,48 +1,44 @@
 
-# Gem::Specification for Cgi_multipart_eof_fix-2.3
+# Gem::Specification for Cgi_multipart_eof_fix-2.5.0
 # Originally generated by Echoe
 
 Gem::Specification.new do |s|
   s.name = %q{cgi_multipart_eof_fix}
-  s.version = "2.3"
-  s.date = %q{2007-08-14}
-  s.summary = %q{Fix an exploitable bug in CGI multipart parsing.}
+  s.version = "2.5.0"
+
+  s.specification_version = 2 if s.respond_to? :specification_version=
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.authors = ["Evan Weaver"]
+  s.date = %q{2007-10-26}
+  s.description = %q{Fix an exploitable bug in CGI multipart parsing.}
   s.email = %q{}
+  s.files = ["CHANGELOG", "lib/cgi_multipart_eof_fix.rb", "LICENSE", "Manifest", "README", "test/test_cgi_multipart_eof_fix.rb", "cgi_multipart_eof_fix.gemspec"]
+  s.has_rdoc = true
   s.homepage = %q{http://blog.evanweaver.com/pages/code#cgi_multipart_eof_fix}
+  s.require_paths = ["lib"]
   s.rubyforge_project = %q{mongrel}
-  s.description = %q{Fix an exploitable bug in CGI multipart parsing.}
-  s.has_rdoc = true
-  s.authors = ["Evan Weaver"]
-  s.files = ["test/cgi_multipart_eof_fix_test.rb", "README", "Manifest", "LICENSE", "lib/rake_task_redefine_task.rb", "lib/cgi_multipart_eof_fix.rb", "CHANGELOG", "cgi_multipart_eof_fix.gemspec"]
+  s.rubygems_version = %q{0.9.4.6}
+  s.summary = %q{Fix an exploitable bug in CGI multipart parsing.}
+  s.test_files = ["test/test_cgi_multipart_eof_fix.rb"]
 end
 
 
 # # Original Rakefile source (requires the Echoe gem):
 # 
 # 
-# require 'rubygems'
-# require 'lib/rake_task_redefine_task.rb'
+# require 'echoe'
 # 
-# begin
-#   gem 'echoe', '>=2.3'
-#   require 'echoe'
+# Echoe.new("cgi_multipart_eof_fix") do |p|
+#   p.author = "Evan Weaver" 
+#   p.rubyforge_name = "mongrel"
+#   p.summary = p.description = "Fix an exploitable bug in CGI multipart parsing."    
+#   p.url = "http://blog.evanweaver.com/pages/code#cgi_multipart_eof_fix"
+#   p.docs_host = "blog.evanweaver.com:~/www/bax/public/files/doc/"
+#   p.rdoc_pattern = /CHANGELOG|LICENSE|README|lib\/cgi_multipart_eof_fix/
 # 
-#   echoe = Echoe.new("cgi_multipart_eof_fix") do |p|
-#     p.author = "Evan Weaver" 
-#     p.rubyforge_name = "mongrel"
-#     p.summary = p.description = "Fix an exploitable bug in CGI multipart parsing."    
-#     p.url = "http://blog.evanweaver.com/pages/code#cgi_multipart_eof_fix"
-#     p.docs_host = "blog.evanweaver.com:~/www/snax/public/files/doc/"
-#     p.rdoc_pattern = /CHANGELOG|LICENSE|README|lib\/cgi_multipart_eof_fix/
-#     p.need_tar_gz = false
-#     p.need_tgz = true
-#   end
-#             
-# rescue LoadError
-#   desc 'Run the default tasks'
-#   task :default => :test  
+#   p.need_tar_gz = false
+#   p.need_tgz = true
+#   p.require_signed = true
 # end
 # 
-# Rake::Task.redefine_task("test") do
-#   system "ruby -Ibin:lib:test test/cgi_multipart_eof_fix_test.rb"
-# end

data/lib/cgi_multipart_eof_fix.rb

@@ -5,7 +5,7 @@
 
 version = RUBY_VERSION.split(".").map {|i| i.to_i }
 
-if version [0] < 2 and version [1] < 9 and version [2] < 6
+if version [0] < 2 and version [1] < 9 and version [2] < 6 and RUBY_PLATFORM !~ /java/
 
   STDERR.puts "** Ruby version is not up-to-date; loading cgi_multipart_eof_fix"  
 

data/test/{cgi_multipart_eof_fix_test.rb → test_cgi_multipart_eof_fix.rb}

@@ -15,7 +15,7 @@ Object.send(:remove_const, :STDERR)
 STDERR = StringIO.new # hide the multipart load warnings
 
 version  = RUBY_VERSION.split(".").map {|i| i.to_i }
-IS_VULNERABLE = (version [0] < 2 and version [1] < 9 and version [2] < 6)
+IS_VULNERABLE = (version [0] < 2 and version [1] < 9 and version [2] < 6 and RUBY_PLATFORM !~ /java/)
 
 class CgiMultipartTestError < StandardError
 end

metadata

@@ -1,10 +1,10 @@
 --- !ruby/object:Gem::Specification 
-rubygems_version: 0.9.4
-specification_version: 1
+rubygems_version: 0.9.4.6
+specification_version: 2
 name: cgi_multipart_eof_fix
 version: !ruby/object:Gem::Version 
-  version: "2.3"
-date: 2007-08-14 00:00:00 -04:00
+  version: 2.5.0
+date: 2007-10-26 00:00:00 -04:00
 summary: Fix an exploitable bug in CGI multipart parsing.
 require_paths: 
 - lib
@@ -16,29 +16,78 @@ autorequire:
 default_executable: 
 bindir: bin
 has_rdoc: true
-required_ruby_version: !ruby/object:Gem::Version::Requirement 
+required_ruby_version: !ruby/object:Gem::Requirement 
   requirements: 
-  - - ">"
+  - - ">="
     - !ruby/object:Gem::Version 
-      version: 0.0.0
+      version: "0"
+  version: 
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
   version: 
 platform: ruby
 signing_key: 
 cert_chain: 
+- |
+  -----BEGIN CERTIFICATE-----
+  MIIDUDCCAjigAwIBAgIBADANBgkqhkiG9w0BAQUFADBOMRwwGgYDVQQDDBNtb25n
+  cmVsLWRldmVsb3BtZW50MRkwFwYKCZImiZPyLGQBGRYJcnVieWZvcmdlMRMwEQYK
+  CZImiZPyLGQBGRYDb3JnMB4XDTA3MDkxNjEwMzI0OVoXDTA4MDkxNTEwMzI0OVow
+  TjEcMBoGA1UEAwwTbW9uZ3JlbC1kZXZlbG9wbWVudDEZMBcGCgmSJomT8ixkARkW
+  CXJ1Ynlmb3JnZTETMBEGCgmSJomT8ixkARkWA29yZzCCASIwDQYJKoZIhvcNAQEB
+  BQADggEPADCCAQoCggEBAMb9v3B01eOHk3FyypbQgKXzJplUE5P6dXoG+xpPm0Lv
+  P7BQmeMncOwqQ7zXpVQU+lTpXtQFTsOE3vL7KnhQFJKGvUAkbh24VFyopu1I0yqF
+  mGu4nRqNXGXVj8TvLSj4S1WpSRLAa0acLPNyKhGmoV9+crqQypSjM6XKjBeppifo
+  4eBmWGjiJEYMIJBvJZPJ4rAVDDA8C6CM1m3gMBGNh8ELDhU8HI9AP3dMIkTI2Wx9
+  9xkJwHdroAaS0IFFtYChrwee4FbCF1FHDgoTosMwa47DrLHg4hZ6ojaKwK5QVWEV
+  XGb6ju5UqpktnSWF2W+Lvl/K0tI42OH2CAhebT1gEVUCAwEAAaM5MDcwCQYDVR0T
+  BAIwADALBgNVHQ8EBAMCBLAwHQYDVR0OBBYEFGHChyMSZ16u9WOzKhgJSQ9lqDc5
+  MA0GCSqGSIb3DQEBBQUAA4IBAQA/lfeN2WdB1xN+82tT7vNS4HOjRQw6MUh5yktu
+  GQjaGqm0UB+aX0Z9y0B0qpfv9rj7nmIvEGiwBmDepNWYCGuW15JyqpN7QVVnG2xS
+  Mrame7VqgjM7A+VGDD5In5LtWbM/CHAATvvFlQ5Ph13YE1EdnVbZ65c+KQv+5sFY
+  Q+zEop74d878uaC/SAHHXS46TiXneocaLSYw1CEZs/MAIy+9c4Q5ESbGpgnfg1Ad
+  6lwl7k3hsNHO/+tZzx4HJtOXDI1yAl3+q6T9J0yI3z97EinwvAKhS1eyOI2Y5eeT
+  tbQaNYkU127B3l/VNpd8fQm3Jkl/PqCCmDBQjUszFrJEODug
+  -----END CERTIFICATE-----
+
+- |
+  -----BEGIN CERTIFICATE-----
+  MIIDPzCCAiegAwIBAgIBADANBgkqhkiG9w0BAQUFADBOMRwwGgYDVQQDDBNtb25n
+  cmVsLWRldmVsb3BtZW50MRkwFwYKCZImiZPyLGQBGRYJcnVieWZvcmdlMRMwEQYK
+  CZImiZPyLGQBGRYDb3JnMB4XDTA3MDkxNjEwMzMwMFoXDTA4MDkxNTEwMzMwMFow
+  PTENMAsGA1UEAwwEZXZhbjEYMBYGCgmSJomT8ixkARkWCGNsb3VkYnVyMRIwEAYK
+  CZImiZPyLGQBGRYCc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDk
+  LQijz2fICmev4+9s0WB71WzJFYCUYFQQxqGlenbxWut9dlPSsBbskGjg+UITeOXi
+  cTh3MTqAB0i1LJyNOiyvDsAivn7GjKXhVvflp2/npMhBBe83P4HOWqeQBjkk3QJI
+  FFNBvqbFLeEXIP+HiqAOiyNHZEVXMepLEJLzGrg3Ly7M7A6L5fK7jDrt8jkm+c+8
+  zGquVHV5ohAebGd/vpHMLjpA7lCG5+MBgYZd33rRfNtCxDJMNRgnOu9PsB05+LJn
+  MpDKQq3x0SkOf5A+MVOcadNCaAkFflYk3SUcXaXWxu/eCHgqfW1m76RNSp5djpKE
+  CgNPK9lGIWpB3CHzDaVNAgMBAAGjOTA3MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgSw
+  MB0GA1UdDgQWBBT5aonPfFBdJ5rWFG+8dZwgyB54LjANBgkqhkiG9w0BAQUFAAOC
+  AQEAiKbzWgMcvZs/TPwJxr8tJ+7mSGz7+zDkWcbBl8FpQq1DtRcATh1oyTkQT7t+
+  rFEBYMmb0FxbbUnojQp8hIFgFkUwFpStwWBL/okLSehntzI2iwjuEtfj4ac9Q3Y2
+  uSdbmZqsQTuu+lEUc5C4qLK7YKwToaul+cx7vWxyk1YendcVwRlFLIBqA5cPrwo3
+  yyGLTHlRYn2c9PSbM1B63Yg+LqSSAa4QSU3Wv9pNdffVpvwHPVEQpO7ZDo5slQFL
+  Gf6+gbD/eZAvhpvmn8JlXb+LxKaFVMs2Yvrk1xOuT76SsPjEGWxkr7jZCIpsYfgQ
+  ALN3mi/9z0Mf1YroliUgF0v5Yw==
+  -----END CERTIFICATE-----
+
 post_install_message: 
 authors: 
 - Evan Weaver
 files: 
-- test/cgi_multipart_eof_fix_test.rb
-- README
-- Manifest
-- LICENSE
-- lib/rake_task_redefine_task.rb
-- lib/cgi_multipart_eof_fix.rb
 - CHANGELOG
+- lib/cgi_multipart_eof_fix.rb
+- LICENSE
+- Manifest
+- README
+- test/test_cgi_multipart_eof_fix.rb
 - cgi_multipart_eof_fix.gemspec
-test_files: []
-
+test_files: 
+- test/test_cgi_multipart_eof_fix.rb
 rdoc_options: []
 
 extra_rdoc_files: []

data/lib/rake_task_redefine_task.rb

@@ -1,25 +0,0 @@
-
-# http://www.bigbold.com/snippets/posts/show/2032
-module Rake
-  module TaskManager
-    def redefine_task(task_class, args, &block)
-      task_name, deps = resolve_args(args)
-      task_name = task_class.scope_name(@scope, task_name)
-      deps = [deps] unless deps.respond_to?(:to_ary)
-      deps = deps.collect {|d| d.to_s }
-      task = @tasks[task_name.to_s] = task_class.new(task_name, self)
-      task.application = self
-      task.add_comment(@last_comment)
-      @last_comment = nil
-      task.enhance(deps, &block)
-      task
-    end
-  end
-  class Task
-    class << self
-      def redefine_task(args, &block)
-        Rake.application.redefine_task(self, args, &block)
-      end
-    end
-  end
-end