RubyGems - devise - Versions diffs - 1.1.3 → 1.1.4 - Mend

devise 1.1.3 → 1.1.4

Potentially problematic release.

This version of devise might be problematic. Click here for more details.

Files changed (12) hide show

data/CHANGELOG.rdoc +5 -0
data/Gemfile +4 -10
data/Gemfile.lock +52 -62
data/README.rdoc +1 -1
data/Rakefile +1 -1
data/lib/devise.rb +5 -0
data/lib/devise/controllers/helpers.rb +2 -2
data/lib/devise/rails/warden_compat.rb +78 -0
data/lib/devise/version.rb +1 -1
data/test/integration/authenticatable_test.rb +11 -0
data/test/support/webrat/integrations/rails.rb +4 -19
metadata +8 -8

data/CHANGELOG.rdoc CHANGED

@@ -1,3 +1,8 @@
+== 1.1.4
+* bugfix
+  * Avoid session fixation attacks
 == 1.1.3
 * bugfix

data/Gemfile CHANGED

@@ -1,18 +1,12 @@
 source "http://rubygems.org"
-gem "rails", "3.0.0"
-gem "warden", "0.10.7"
+gemspec
+gem "rails", "3.0.1"
 gem "sqlite3-ruby"
-gem "webrat", "0.7.0"
+gem "webrat", "0.7.1"
 gem "mocha", :require => false
-gem "bcrypt-ruby", :require => "bcrypt"
 if RUBY_VERSION < '1.9'
   gem "ruby-debug", ">= 0.10.3"
-end
-group :mongoid do
-  gem "mongo"
-  gem "mongoid", :git => "git://github.com/mongoid/mongoid.git"
-  gem "bson_ext"
 end

data/Gemfile.lock CHANGED

@@ -1,24 +1,20 @@
-GIT
-  remote: git://github.com/mongoid/mongoid.git
-  revision: f38e3ef
+PATH
+  remote: .
   specs:
-    mongoid (2.0.0.beta.16)
-      activemodel (~> 3.0.0)
-      bson (= 1.0.4)
-      mongo (= 1.0.7)
-      tzinfo (~> 0.3.22)
-      will_paginate (~> 3.0.pre)
+    devise (1.1.4)
+      bcrypt-ruby (~> 2.1.2)
+      warden (~> 1.0.2)
 GEM
   remote: http://rubygems.org/
   specs:
     abstract (1.0.0)
-    actionmailer (3.0.0)
-      actionpack (= 3.0.0)
+    actionmailer (3.0.1)
+      actionpack (= 3.0.1)
       mail (~> 2.2.5)
-    actionpack (3.0.0)
-      activemodel (= 3.0.0)
-      activesupport (= 3.0.0)
+    actionpack (3.0.1)
+      activemodel (= 3.0.1)
+      activesupport (= 3.0.1)
       builder (~> 2.1.2)
       erubis (~> 2.6.6)
       i18n (~> 0.4.1)
@@ -26,89 +22,83 @@ GEM
       rack-mount (~> 0.6.12)
       rack-test (~> 0.5.4)
       tzinfo (~> 0.3.23)
-    activemodel (3.0.0)
-      activesupport (= 3.0.0)
+    activemodel (3.0.1)
+      activesupport (= 3.0.1)
       builder (~> 2.1.2)
       i18n (~> 0.4.1)
-    activerecord (3.0.0)
-      activemodel (= 3.0.0)
-      activesupport (= 3.0.0)
+    activerecord (3.0.1)
+      activemodel (= 3.0.1)
+      activesupport (= 3.0.1)
       arel (~> 1.0.0)
       tzinfo (~> 0.3.23)
-    activeresource (3.0.0)
-      activemodel (= 3.0.0)
-      activesupport (= 3.0.0)
-    activesupport (3.0.0)
+    activeresource (3.0.1)
+      activemodel (= 3.0.1)
+      activesupport (= 3.0.1)
+    activesupport (3.0.1)
     arel (1.0.1)
       activesupport (~> 3.0.0)
     bcrypt-ruby (2.1.2)
-    bson (1.0.4)
-    bson_ext (1.0.7)
     builder (2.1.2)
-    columnize (0.3.1)
+    columnize (0.3.2)
     erubis (2.6.6)
       abstract (>= 1.0.0)
-    i18n (0.4.1)
+    i18n (0.4.2)
     linecache (0.43)
-    mail (2.2.5)
+    mail (2.2.10)
       activesupport (>= 2.3.6)
-      mime-types
-      treetop (>= 1.4.5)
+      i18n (~> 0.4.1)
+      mime-types (~> 1.16)
+      treetop (~> 1.4.8)
     mime-types (1.16)
-    mocha (0.9.8)
+    mocha (0.9.9)
       rake
-    mongo (1.0.7)
-      bson (>= 1.0.4)
-    nokogiri (1.4.3.1)
+    nokogiri (1.4.4)
     polyglot (0.3.1)
     rack (1.2.1)
-    rack-mount (0.6.12)
+    rack-mount (0.6.13)
       rack (>= 1.0.0)
-    rack-test (0.5.4)
+    rack-test (0.5.6)
       rack (>= 1.0)
-    rails (3.0.0)
-      actionmailer (= 3.0.0)
-      actionpack (= 3.0.0)
-      activerecord (= 3.0.0)
-      activeresource (= 3.0.0)
-      activesupport (= 3.0.0)
+    rails (3.0.1)
+      actionmailer (= 3.0.1)
+      actionpack (= 3.0.1)
+      activerecord (= 3.0.1)
+      activeresource (= 3.0.1)
+      activesupport (= 3.0.1)
       bundler (~> 1.0.0)
-      railties (= 3.0.0)
-    railties (3.0.0)
-      actionpack (= 3.0.0)
-      activesupport (= 3.0.0)
+      railties (= 3.0.1)
+    railties (3.0.1)
+      actionpack (= 3.0.1)
+      activesupport (= 3.0.1)
       rake (>= 0.8.4)
       thor (~> 0.14.0)
     rake (0.8.7)
-    ruby-debug (0.10.3)
+    ruby-debug (0.10.4)
       columnize (>= 0.1)
-      ruby-debug-base (~> 0.10.3.0)
-    ruby-debug-base (0.10.3)
+      ruby-debug-base (~> 0.10.4.0)
+    ruby-debug-base (0.10.4)
       linecache (>= 0.3)
-    sqlite3-ruby (1.3.1)
-    thor (0.14.0)
-    treetop (1.4.8)
+    sqlite3-ruby (1.3.2)
+    thor (0.14.6)
+    treetop (1.4.9)
       polyglot (>= 0.3.1)
     tzinfo (0.3.23)
-    warden (0.10.7)
+    warden (1.0.2)
       rack (>= 1.0.0)
-    webrat (0.7.0)
+    webrat (0.7.1)
       nokogiri (>= 1.2.0)
       rack (>= 1.0)
       rack-test (>= 0.5.3)
-    will_paginate (3.0.pre2)
 PLATFORMS
   ruby
 DEPENDENCIES
-  bcrypt-ruby
-  bson_ext
+  bcrypt-ruby (~> 2.1.2)
+  devise!
   mocha
-  mongo
-  mongoid!
-  rails (= 3.0.0)
+  rails (= 3.0.1)
   ruby-debug (>= 0.10.3)
   sqlite3-ruby
-  warden (= 0.10.7)
-  webrat (= 0.7.0)
+  warden (~> 1.0.2)
+  webrat (= 0.7.1)

data/README.rdoc CHANGED

@@ -24,7 +24,7 @@ Right now it's composed of 11 modules:
 Devise 1.1 supports Rails 3 and is NOT backward compatible. You can use the latest Rails 3 beta gem with Devise latest gem:
-  gem install devise --version=1.1.rc2
+  gem install devise --version=1.1.3
 If you want to use Rails master (from git repository) you need to use Devise from git repository and vice-versa.

data/Rakefile CHANGED

@@ -45,7 +45,7 @@ begin
     s.authors = ['José Valim', 'Carlos Antônio']
     s.files =  FileList["[A-Z]*", "{app,config,lib}/**/*"]
     s.extra_rdoc_files = FileList["[A-Z]*"] - %w(Gemfile Rakefile)
-    s.add_dependency("warden", "~> 0.10.7")
+    s.add_dependency("warden", "~> 1.0.2")
     s.add_dependency("bcrypt-ruby", "~> 2.1.2")
   end

data/lib/devise.rb CHANGED

@@ -265,6 +265,11 @@ module Devise
     @@warden_config_block = block
   end
+  # Returns true if Rails version is bigger than 3.0.x
+  def self.rack_session?
+    Rails::VERSION::STRING[0,3] != "3.0"
+  end
   # A method used internally to setup warden manager from the Rails initialize
   # block.
   def self.configure_warden! #:nodoc:

data/lib/devise/controllers/helpers.rb CHANGED

@@ -83,7 +83,7 @@ module Devise
       #
       def stored_location_for(resource_or_scope)
         scope = Devise::Mapping.find_scope!(resource_or_scope)
-        session.delete(:"#{scope}_return_to")
+        session.delete("#{scope}_return_to")
       end
       # The default url to be used after signing in. This is used by all Devise
@@ -114,7 +114,7 @@ module Devise
       #
       def after_sign_in_path_for(resource_or_scope)
         scope = Devise::Mapping.find_scope!(resource_or_scope)
-        home_path = :"#{scope}_root_path"
+        home_path = "#{scope}_root_path"
         respond_to?(home_path, true) ? send(home_path) : root_path
       end

data/lib/devise/rails/warden_compat.rb CHANGED

@@ -36,4 +36,82 @@ class Warden::SessionSerializer
       raise
     end
   end
+end
+unless Devise.rack_session?
+  # We cannot use Rails Indifferent Hash because it messes up the flash object.
+  class Devise::IndifferentHash < Hash
+    alias_method :regular_writer, :[]= unless method_defined?(:regular_writer)
+    alias_method :regular_update, :update unless method_defined?(:regular_update)
+    def []=(key, value)
+      regular_writer(convert_key(key), value)
+    end
+    alias_method :store, :[]=
+    def update(other_hash)
+      other_hash.each_pair { |key, value| regular_writer(convert_key(key), value) }
+      self
+    end
+    alias_method :merge!, :update
+    def key?(key)
+      super(convert_key(key))
+    end
+    alias_method :include?, :key?
+    alias_method :has_key?, :key?
+    alias_method :member?, :key?
+    def fetch(key, *extras)
+      super(convert_key(key), *extras)
+    end
+    def values_at(*indices)
+      indices.collect {|key| self[convert_key(key)]}
+    end
+    def merge(hash)
+      self.dup.update(hash)
+    end
+    def delete(key)
+      super(convert_key(key))
+    end
+    def stringify_keys!; self end
+    def stringify_keys; dup end
+    undef :symbolize_keys!
+    def symbolize_keys; to_hash.symbolize_keys end
+    def to_options!; self end
+    protected
+    def convert_key(key)
+      key.kind_of?(Symbol) ? key.to_s : key
+    end
+  end
+  class ActionDispatch::Request
+    def reset_session
+      session.destroy if session && session.respond_to?(:destroy)
+      self.session = {}
+      @env['action_dispatch.request.flash_hash'] = nil
+    end
+  end
+  Warden::Manager.after_set_user :event => [:set_user, :authentication] do |record, warden, options|
+    if options[:scope] && warden.authenticated?(options[:scope])
+      request, flash = warden.request, warden.env['action_dispatch.request.flash_hash']
+      backup = request.session.to_hash
+      backup.delete("session_id")
+      request.reset_session
+      warden.env['action_dispatch.request.flash_hash'] = flash
+      request.session = Devise::IndifferentHash.new.update(backup)
+    end
+  end
 end

data/lib/devise/version.rb CHANGED

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "1.1.3".freeze
+  VERSION = "1.1.4".freeze
 end

data/test/integration/authenticatable_test.rb CHANGED

@@ -236,6 +236,17 @@ class AuthenticationSessionTest < ActionController::IntegrationTest
     get '/users'
     assert_equal "Cart", @controller.user_session[:cart]
   end
+  test 'session id is changed on sign in' do
+    get '/users'
+    session_id = request.session["session_id"]
+    get '/users'
+    assert_equal session_id, request.session["session_id"]
+    sign_in_as_user
+    assert_not_equal session_id, request.session["session_id"]
+  end
 end
 class AuthenticationWithScopesTest < ActionController::IntegrationTest

data/test/support/webrat/integrations/rails.rb CHANGED

@@ -1,9 +1,9 @@
-require 'webrat/core/elements/field'
+require 'webrat/core/elements/form'
 require 'action_dispatch/testing/integration'
 module Webrat
-  Field.class_eval do
-    def parse_rails_request_params(params)
+  Form.class_eval do
+    def self.parse_rails_request_params(params)
       Rack::Utils.parse_nested_query(params)
     end
   end
@@ -13,20 +13,5 @@ module ActionDispatch #:nodoc:
   IntegrationTest.class_eval do
     include Webrat::Methods
     include Webrat::Matchers
-    # The Rails version of within supports passing in a model and Webrat
-    # will apply a scope based on Rails' dom_id for that model.
-    #
-    # Example:
-    #   within User.last do
-    #     click_link "Delete"
-    #   end
-    def within(selector_or_object, &block)
-      if selector_or_object.is_a?(String)
-        super
-      else
-        super('#' + RecordIdentifier.dom_id(selector_or_object), &block)
-      end
-    end
   end
-end
+end

metadata CHANGED

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: devise
 version: !ruby/object:Gem::Version
-  hash: 21
+  hash: 27
   prerelease: false
   segments:
   - 1
   - 1
-  - 3
-  version: 1.1.3
+  - 4
+  version: 1.1.4
 platform: ruby
 authors:
 - "Jos\xC3\xA9 Valim"
@@ -16,7 +16,7 @@ autorequire:
 bindir: bin
 cert_chain: []
-date: 2010-09-24 00:00:00 +02:00
+date: 2010-11-26 00:00:00 +01:00
 default_executable:
 dependencies:
 - !ruby/object:Gem::Dependency
@@ -27,12 +27,12 @@ dependencies:
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        hash: 57
+        hash: 19
         segments:
+        - 1
         - 0
-        - 10
-        - 7
-        version: 0.10.7
+        - 2
+        version: 1.0.2
   type: :runtime
   version_requirements: *id001
 - !ruby/object:Gem::Dependency