cgi_multipart_eof_fix 2.2 → 2.3

data/CHANGELOG

@@ -1,9 +1,10 @@
 
-v2.2. don't load on Ruby > 1.8.5; copyright correction at request of Zed Shaw
+v2.3. Use STDERR, not $stderr, just like Mongrel; tests now use Test::Unit; moving to the mongrel project on RubyForge.
 
-v2.1. license change due to no provision for use in original Ruby license (prevents installation in Florida)
+v2.2. Don't load on Ruby > 1.8.5; copyright correction.
 
-v2.0. updated for second cgi.rb vulnerability
+v2.1. License change due to no provision for use in original Ruby license (prevents installation in Florida).
 
-v1.0.0. original single-patch release by Zed Shaw, et. al.
+v2.0. Updated for second cgi.rb vulnerability.
 
+v1.0.0. Original single-patch release by Zed Shaw, et. al.

data/LICENSE

@@ -0,0 +1,55 @@
+Mongrel Web Server (Mongrel) is copyrighted free software by Zed A. Shaw
+<zedshaw at zedshaw dot com> You can redistribute it and/or modify it under
+either the terms of the GPL or the conditions below:
+
+1. You may make and give away verbatim copies of the source form of the
+   software without restriction, provided that you duplicate all of the
+   original copyright notices and associated disclaimers.
+
+2. You may modify your copy of the software in any way, provided that
+   you do at least ONE of the following:
+
+     a) place your modifications in the Public Domain or otherwise make them
+     Freely Available, such as by posting said modifications to Usenet or an
+     equivalent medium, or by allowing the author to include your
+     modifications in the software.
+
+     b) use the modified software only within your corporation or
+        organization.
+
+     c) rename any non-standard executables so the names do not conflict with
+     standard executables, which must also be provided.
+
+     d) make other distribution arrangements with the author.
+
+3. You may distribute the software in object code or executable
+   form, provided that you do at least ONE of the following:
+
+     a) distribute the executables and library files of the software,
+     together with instructions (in the manual page or equivalent) on where
+     to get the original distribution.
+
+     b) accompany the distribution with the machine-readable source of the
+     software.
+
+     c) give non-standard executables non-standard names, with
+        instructions on where to get the original software distribution.
+
+     d) make other distribution arrangements with the author.
+
+4. You may modify and include the part of the software into any other
+   software (possibly commercial).  But some files in the distribution
+   are not written by the author, so that they are not under this terms.
+
+5. The scripts and library files supplied as input to or produced as 
+   output from the software do not automatically fall under the
+   copyright of the software, but belong to whomever generated them, 
+   and may be sold commercially, and may be aggregated with this
+   software.
+
+6. THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR
+   IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+   WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+   PURPOSE.
+
+

data/Manifest

@@ -1,9 +1,7 @@
 test/cgi_multipart_eof_fix_test.rb
-lib/rake_task_redefine_task.rb
-lib/cgi_multipart_eof_fix.rb
-Rakefile
-RUBY-LICENSE
 README
 Manifest
+LICENSE
+lib/rake_task_redefine_task.rb
+lib/cgi_multipart_eof_fix.rb
 CHANGELOG
-AFL3-LICENSE

data/README

@@ -5,7 +5,7 @@ Fix an exploitable bug in CGI multipart parsing.
 
 == License
 
-Copyright 2006, 2007 Cloudburst, LLC. Portions copyright 2006 Jeremy Kemper, Jamis Buck, Zed A. Shaw, and Yukihiro Matsumoto, and used with permission. Licensed under both the AFL 3.0 and Ruby License. 
+Copyright 2006, 2007 Cloudburst, LLC. Portions copyright 2006 Jeremy Kemper, Jamis Buck, Zed A. Shaw, and Yukihiro Matsumoto, and used with permission. See the included LICENSE file. 
 
 == Description
 
@@ -32,10 +32,10 @@ Run the included test to verify that the patch works as intended. Then, <tt>requ
   require 'rubygems' 
   require 'cgi_multipart_eof_fix'
   
-Currently Mongrel requires this gem automatically. However, Mongrel may change in the future.
+Currently <tt>mongrel_rails</tt> requires this gem automatically. However, Mongrel may change in the future.
 
 == Further resources
 
 * http://blog.evanweaver.com/pages/code#cgi_multipart_eof_fix
-* http://rubyforge.org/forum/forum.php?forum_id=13985
+* http://rubyforge.org/mailman/listinfo/mongrel-users
 * http://www.ruby-lang.org/en/news/2006/12/04/another-dos-vulnerability-in-cgi-library/

data/cgi_multipart_eof_fix.gemspec

@@ -0,0 +1,48 @@
+
+# Gem::Specification for Cgi_multipart_eof_fix-2.3
+# Originally generated by Echoe
+
+Gem::Specification.new do |s|
+  s.name = %q{cgi_multipart_eof_fix}
+  s.version = "2.3"
+  s.date = %q{2007-08-14}
+  s.summary = %q{Fix an exploitable bug in CGI multipart parsing.}
+  s.email = %q{}
+  s.homepage = %q{http://blog.evanweaver.com/pages/code#cgi_multipart_eof_fix}
+  s.rubyforge_project = %q{mongrel}
+  s.description = %q{Fix an exploitable bug in CGI multipart parsing.}
+  s.has_rdoc = true
+  s.authors = ["Evan Weaver"]
+  s.files = ["test/cgi_multipart_eof_fix_test.rb", "README", "Manifest", "LICENSE", "lib/rake_task_redefine_task.rb", "lib/cgi_multipart_eof_fix.rb", "CHANGELOG", "cgi_multipart_eof_fix.gemspec"]
+end
+
+
+# # Original Rakefile source (requires the Echoe gem):
+# 
+# 
+# require 'rubygems'
+# require 'lib/rake_task_redefine_task.rb'
+# 
+# begin
+#   gem 'echoe', '>=2.3'
+#   require 'echoe'
+# 
+#   echoe = Echoe.new("cgi_multipart_eof_fix") do |p|
+#     p.author = "Evan Weaver" 
+#     p.rubyforge_name = "mongrel"
+#     p.summary = p.description = "Fix an exploitable bug in CGI multipart parsing."    
+#     p.url = "http://blog.evanweaver.com/pages/code#cgi_multipart_eof_fix"
+#     p.docs_host = "blog.evanweaver.com:~/www/snax/public/files/doc/"
+#     p.rdoc_pattern = /CHANGELOG|LICENSE|README|lib\/cgi_multipart_eof_fix/
+#     p.need_tar_gz = false
+#     p.need_tgz = true
+#   end
+#             
+# rescue LoadError
+#   desc 'Run the default tasks'
+#   task :default => :test  
+# end
+# 
+# Rake::Task.redefine_task("test") do
+#   system "ruby -Ibin:lib:test test/cgi_multipart_eof_fix_test.rb"
+# end

data/lib/cgi_multipart_eof_fix.rb

@@ -1,9 +1,13 @@
 
-version = RUBY_VERSION.split(".").map {|num| num.to_i }
+# unfortunately: 
+# >> "1.8.6" < "1.8.10"
+# => false
 
-if version[0] < 2 and version[1] < 9 and version[2] < 6
+version = RUBY_VERSION.split(".").map {|i| i.to_i }
 
-  $stderr.puts "** Ruby version is not up-to-date; loading cgi_multipart_eof_fix"  
+if version [0] < 2 and version [1] < 9 and version [2] < 6
+
+  STDERR.puts "** Ruby version is not up-to-date; loading cgi_multipart_eof_fix"  
 
   require 'cgi'  
   
@@ -119,5 +123,5 @@ if version[0] < 2 and version[1] < 9 and version[2] < 6
   end
 
 else
-  $stderr.puts "** Ruby version is up-to-date; cgi_multipart_eof_fix was not loaded"  
+  # Ruby version is up-to-date; cgi_multipart_eof_fix was not loaded
 end

data/test/cgi_multipart_eof_fix_test.rb

@@ -1,31 +1,59 @@
 #!/usr/bin/env ruby
+
+require 'test/unit'
 require 'cgi'
 require 'stringio'
 require 'timeout'
 
-def test_read_multipart_eof_fix
-  boundary = '%?%(\w*)\\((\w*)\\)'
-  data = "--#{boundary}\r\nContent-Disposition: form-data; name=\"a_field\"\r\n\r\nBang!\r\n--#{boundary}--\r\n"
+BOUNDARY = '%?%(\w*)\\((\w*)\\)'
+PAYLOAD = "--#{BOUNDARY}\r\nContent-Disposition: form-data; name=\"a_field\"\r\n\r\nBang!\r\n--#{BOUNDARY}--\r\n"
+ENV['REQUEST_METHOD'] = "POST"
+ENV['CONTENT_TYPE']   = "multipart/form-data; boundary=\"#{BOUNDARY}\""
+ENV['CONTENT_LENGTH'] = PAYLOAD.length.to_s
 
-  ENV['REQUEST_METHOD'] = "POST"
-  ENV['CONTENT_TYPE']   = "multipart/form-data; boundary=\"#{boundary}\""
-  ENV['CONTENT_LENGTH'] = data.length.to_s
+Object.send(:remove_const, :STDERR)
+STDERR = StringIO.new # hide the multipart load warnings
 
-  $stdin = StringIO.new(data)
+version  = RUBY_VERSION.split(".").map {|i| i.to_i }
+IS_VULNERABLE = (version [0] < 2 and version [1] < 9 and version [2] < 6)
 
-  begin
-    Timeout.timeout(3) { CGI.new }
-    $stderr.puts ' => CGI is safe: read_multipart does not hang on malicious multipart requests.'
-  rescue TimeoutError
-    $stderr.puts ' => CGI is exploitable: read_multipart hangs on malicious multipart requests.'
-  end
+class CgiMultipartTestError < StandardError
 end
 
-$stderr.puts 'Testing malicious multipart boundary request injection'
-test_read_multipart_eof_fix
-
-$stderr.puts 'Patching CGI::QueryExtension.read_multipart'
-require 'rubygems'
-require 'cgi_multipart_eof_fix'
+class CgiMultipartEofFixTest < Test::Unit::TestCase
 
-test_read_multipart_eof_fix
+  def read_multipart  
+    # can't use STDIN because of the dynamic constant assignment rule
+    $stdin = StringIO.new(PAYLOAD) 
+  
+    begin
+      Timeout.timeout(3) do 
+        CGI.new
+      end
+      "CGI is safe: read_multipart does not hang on malicious multipart requests."
+    rescue TimeoutError
+      raise CgiMultipartTestError, "CGI is exploitable: read_multipart hangs on malicious multipart requests."
+    end
+  end
+  
+  def test_exploitable
+    if IS_VULNERABLE
+      assert_raises CgiMultipartTestError do
+        read_multipart
+      end
+    else
+      # we're on 1.8.6 or higher already
+      assert_nothing_raised do
+        read_multipart      
+      end      
+    end
+  end
+  
+  def test_fixed
+    assert_nothing_raised do
+      load "#{File.dirname(__FILE__)}/../lib/cgi_multipart_eof_fix.rb"
+      read_multipart
+    end
+  end  
+  
+end

metadata

@@ -3,15 +3,15 @@ rubygems_version: 0.9.4
 specification_version: 1
 name: cgi_multipart_eof_fix
 version: !ruby/object:Gem::Version 
-  version: "2.2"
-date: 2007-08-07 00:00:00 -04:00
-summary: Fix an exploitable bug in CGI multipart parsing which affects Ruby <= 1.8.5 when multipart boundary attribute contains a non-halting regular expression string.
+  version: "2.3"
+date: 2007-08-14 00:00:00 -04:00
+summary: Fix an exploitable bug in CGI multipart parsing.
 require_paths: 
 - lib
 email: ""
 homepage: http://blog.evanweaver.com/pages/code#cgi_multipart_eof_fix
-rubyforge_project: fauna
-description: Fix an exploitable bug in CGI multipart parsing which affects Ruby <= 1.8.5 when multipart boundary attribute contains a non-halting regular expression string.
+rubyforge_project: mongrel
+description: Fix an exploitable bug in CGI multipart parsing.
 autorequire: 
 default_executable: 
 bindir: bin
@@ -30,14 +30,13 @@ authors:
 - Evan Weaver
 files: 
 - test/cgi_multipart_eof_fix_test.rb
-- lib/rake_task_redefine_task.rb
-- lib/cgi_multipart_eof_fix.rb
-- Rakefile
-- RUBY-LICENSE
 - README
 - Manifest
+- LICENSE
+- lib/rake_task_redefine_task.rb
+- lib/cgi_multipart_eof_fix.rb
 - CHANGELOG
-- AFL3-LICENSE
+- cgi_multipart_eof_fix.gemspec
 test_files: []
 
 rdoc_options: []

data/AFL3-LICENSE

@@ -1,184 +0,0 @@
-Academic Free License (AFL) v. 3.0
-
-This Academic Free License (the "License") applies to any original work
-of authorship (the "Original Work") whose owner (the "Licensor") has
-placed the following licensing notice adjacent to the copyright notice
-for the Original Work:
-
-Licensed under the Academic Free License version 3.0
-
-1) Grant of Copyright License. Licensor grants You a worldwide,
-royalty-free, non-exclusive, sublicensable license, for the duration of
-the copyright, to do the following:
-
-a) to reproduce the Original Work in copies, either alone or as part of
-a collective work;
-
-b) to translate, adapt, alter, transform, modify, or arrange the
-Original Work, thereby creating derivative works ("Derivative Works")
-based upon the Original Work;
-
-c) to distribute or communicate copies of the Original Work and
-Derivative Works to the public, under any license of your choice that
-does not contradict the terms and conditions, including Licensor's
-reserved rights and remedies, in this Academic Free License;
-
-d) to perform the Original Work publicly; and
-
-e) to display the Original Work publicly.
-
-2) Grant of Patent License. Licensor grants You a worldwide,
-royalty-free, non-exclusive, sublicensable license, under patent claims
-owned or controlled by the Licensor that are embodied in the Original
-Work as furnished by the Licensor, for the duration of the patents, to
-make, use, sell, offer for sale, have made, and import the Original Work
-and Derivative Works.
-
-3) Grant of Source Code License. The term "Source Code" means the
-preferred form of the Original Work for making modifications to it and
-all available documentation describing how to modify the Original Work.
-Licensor agrees to provide a machine-readable copy of the Source Code of
-the Original Work along with each copy of the Original Work that
-Licensor distributes. Licensor reserves the right to satisfy this
-obligation by placing a machine-readable copy of the Source Code in an
-information repository reasonably calculated to permit inexpensive and
-convenient access by You for as long as Licensor continues to distribute
-the Original Work.
-
-4) Exclusions From License Grant. Neither the names of Licensor, nor the
-names of any contributors to the Original Work, nor any of their
-trademarks or service marks, may be used to endorse or promote products
-derived from this Original Work without express prior permission of the
-Licensor. Except as expressly stated herein, nothing in this License
-grants any license to Licensor's trademarks, copyrights, patents, trade
-secrets or any other intellectual property. No patent license is granted
-to make, use, sell, offer for sale, have made, or import embodiments of
-any patent claims other than the licensed claims defined in Section 2.
-No license is granted to the trademarks of Licensor even if such marks
-are included in the Original Work. Nothing in this License shall be
-interpreted to prohibit Licensor from licensing under terms different
-from this License any Original Work that Licensor otherwise would have a
-right to license.
-
-5) External Deployment. The term "External Deployment" means the use,
-distribution, or communication of the Original Work or Derivative Works
-in any way such that the Original Work or Derivative Works may be used
-by anyone other than You, whether those works are distributed or
-communicated to those persons or made available as an application
-intended for use over a network. As an express condition for the grants
-of license hereunder, You must treat any External Deployment by You of
-the Original Work or a Derivative Work as a distribution under section
-1(c).
-
-6) Attribution Rights. You must retain, in the Source Code of any
-Derivative Works that You create, all copyright, patent, or trademark
-notices from the Source Code of the Original Work, as well as any
-notices of licensing and any descriptive text identified therein as an
-"Attribution Notice." You must cause the Source Code for any Derivative
-Works that You create to carry a prominent Attribution Notice reasonably
-calculated to inform recipients that You have modified the Original
-Work.
-
-7) Warranty of Provenance and Disclaimer of Warranty. Licensor warrants
-that the copyright in and to the Original Work and the patent rights
-granted herein by Licensor are owned by the Licensor or are sublicensed
-to You under the terms of this License with the permission of the
-contributor(s) of those copyrights and patent rights. Except as
-expressly stated in the immediately preceding sentence, the Original
-Work is provided under this License on an "AS IS" BASIS and WITHOUT
-WARRANTY, either express or implied, including, without limitation, the
-warranties of non-infringement, merchantability or fitness for a
-particular purpose. THE ENTIRE RISK AS TO THE QUALITY OF THE ORIGINAL
-WORK IS WITH YOU. This DISCLAIMER OF WARRANTY constitutes an essential
-part of this License. No license to the Original Work is granted by this
-License except under this disclaimer.
-
-8) Limitation of Liability. Under no circumstances and under no legal
-theory, whether in tort (including negligence), contract, or otherwise,
-shall the Licensor be liable to anyone for any indirect, special,
-incidental, or consequential damages of any character arising as a
-result of this License or the use of the Original Work including,
-without limitation, damages for loss of goodwill, work stoppage,
-computer failure or malfunction, or any and all other commercial damages
-or losses. This limitation of liability shall not apply to the extent
-applicable law prohibits such limitation.
-
-9) Acceptance and Termination. If, at any time, You expressly assented
-to this License, that assent indicates your clear and irrevocable
-acceptance of this License and all of its terms and conditions. If You
-distribute or communicate copies of the Original Work or a Derivative
-Work, You must make a reasonable effort under the circumstances to
-obtain the express assent of recipients to the terms of this License.
-This License conditions your rights to undertake the activities listed
-in Section 1, including your right to create Derivative Works based upon
-the Original Work, and doing so without honoring these terms and
-conditions is prohibited by copyright law and international treaty.
-Nothing in this License is intended to affect copyright exceptions and
-limitations (including "fair use" or "fair dealing"). This License shall
-terminate immediately and You may no longer exercise any of the rights
-granted to You by this License upon your failure to honor the conditions
-in Section 1(c).
-
-10) Termination for Patent Action. This License shall terminate
-automatically and You may no longer exercise any of the rights granted
-to You by this License as of the date You commence an action, including
-a cross-claim or counterclaim, against Licensor or any licensee alleging
-that the Original Work infringes a patent. This termination provision
-shall not apply for an action alleging patent infringement by
-combinations of the Original Work with other software or hardware.
-
-11) Jurisdiction, Venue and Governing Law. Any action or suit relating
-to this License may be brought only in the courts of a jurisdiction
-wherein the Licensor resides or in which Licensor conducts its primary
-business, and under the laws of that jurisdiction excluding its
-conflict-of-law provisions. The application of the United Nations
-Convention on Contracts for the International Sale of Goods is expressly
-excluded. Any use of the Original Work outside the scope of this License
-or after its termination shall be subject to the requirements and
-penalties of copyright or patent law in the appropriate jurisdiction.
-This section shall survive the termination of this License.
-
-12) Attorneys' Fees. In any action to enforce the terms of this License
-or seeking damages relating thereto, the prevailing party shall be
-entitled to recover its costs and expenses, including, without
-limitation, reasonable attorneys' fees and costs incurred in connection
-with such action, including any appeal of such action. This section
-shall survive the termination of this License.
-
-13) Miscellaneous. If any provision of this License is held to be
-unenforceable, such provision shall be reformed only to the extent
-necessary to make it enforceable.
-
-14) Definition of "You" in This License. "You" throughout this License,
-whether in upper or lower case, means an individual or a legal entity
-exercising rights under, and complying with all of the terms of, this
-License. For legal entities, "You" includes any entity that controls, is
-controlled by, or is under common control with you. For purposes of this
-definition, "control" means (i) the power, direct or indirect, to cause
-the direction or management of such entity, whether by contract or
-otherwise, or (ii) ownership of fifty percent (50%) or more of the
-outstanding shares, or (iii) beneficial ownership of such entity.
-
-15) Right to Use. You may use the Original Work in all ways not
-otherwise restricted or conditioned by this License or by law, and
-Licensor promises not to interfere with or be responsible for such uses
-by You.
-
-16) Modification of This License. This License is Copyright (c) 2005
-Lawrence Rosen. Permission is granted to copy, distribute, or
-communicate this License without modification. Nothing in this License
-permits You to modify this License as applied to the Original Work or to
-Derivative Works. However, You may modify the text of this License and
-copy, distribute or communicate your modified version (the "Modified
-License") and apply it to other original works of authorship subject to
-the following conditions: (i) You may not indicate in any way that your
-Modified License is the "Academic Free License" or "AFL" and you may not
-use those names in the name of your Modified License; (ii) You must
-replace the notice specified in the first paragraph above with the
-notice "Licensed under <insert your license name here>" or with a notice
-of your own that is not confusingly similar to the notice in this
-License; and (iii) You may not claim that your original works are open
-source software unless your Modified License has been approved by Open
-Source Initiative (OSI) and You comply with its license review and
-certification process.
-

data/RUBY-LICENSE

@@ -1,58 +0,0 @@
-Ruby is copyrighted free software by Yukihiro Matsumoto <matz@netlab.co.jp>.
-You can redistribute it and/or modify it under either the terms of the GPL
-(see COPYING.txt file), or the conditions below:
-
-  1. You may make and give away verbatim copies of the source form of the
-     software without restriction, provided that you duplicate all of the
-     original copyright notices and associated disclaimers.
-
-  2. You may modify your copy of the software in any way, provided that
-     you do at least ONE of the following:
-
-       a) place your modifications in the Public Domain or otherwise
-          make them Freely Available, such as by posting said
-	  modifications to Usenet or an equivalent medium, or by allowing
-	  the author to include your modifications in the software.
-
-       b) use the modified software only within your corporation or
-          organization.
-
-       c) rename any non-standard executables so the names do not conflict
-	  with standard executables, which must also be provided.
-
-       d) make other distribution arrangements with the author.
-
-  3. You may distribute the software in object code or executable
-     form, provided that you do at least ONE of the following:
-
-       a) distribute the executables and library files of the software,
-	  together with instructions (in the manual page or equivalent)
-	  on where to get the original distribution.
-
-       b) accompany the distribution with the machine-readable source of
-	  the software.
-
-       c) give non-standard executables non-standard names, with
-          instructions on where to get the original software distribution.
-
-       d) make other distribution arrangements with the author.
-
-  4. You may modify and include the part of the software into any other
-     software (possibly commercial).  But some files in the distribution
-     are not written by the author, so that they are not under this terms.
-
-     They are gc.c(partly), utils.c(partly), regex.[ch], st.[ch] and some
-     files under the ./missing directory.  See each file for the copying
-     condition.
-
-  5. The scripts and library files supplied as input to or produced as 
-     output from the software do not automatically fall under the
-     copyright of the software, but belong to whomever generated them, 
-     and may be sold commercially, and may be aggregated with this
-     software.
-
-  6. THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR
-     IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
-     WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-     PURPOSE.
-

data/Rakefile

@@ -1,27 +0,0 @@
-
-require 'rubygems'
-require 'rake'
-require 'lib/rake_task_redefine_task.rb'
-
-begin
-  require 'rake/clean'
-  require 'echoe'
-
-  echoe = Echoe.new("cgi_multipart_eof_fix") do |p|
-    p.author = "Evan Weaver" 
-    p.rubyforge_name = "fauna"
-    p.summary = p.description = "Fix an exploitable bug in CGI multipart parsing which affects Ruby <= 1.8.5 when multipart boundary attribute contains a non-halting regular expression string."    
-    p.url = "http://blog.evanweaver.com/pages/code#cgi_multipart_eof_fix"
-    p.docs_host = "blog.evanweaver.com:~/www/snax/public/files/doc/"
-    p.rdoc_pattern = /CHANGELOG|LICENSE|README|lib\/cgi_multipart_eof_fix/
-  end
-            
-rescue LoadError
-  desc 'Run the default tasks'
-  task :default => :test  
-end
-
-Rake::Task.redefine_task("test") do
-  system "ruby -Ibin:lib:test test/cgi_multipart_eof_fix_test.rb"
-end
-