mongrel 1.1.2 → 1.1.3

data.tar.gz.sig CHANGED
Binary file
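--- a/data/CHANGELOG
+++ b/data/CHANGELOG
@@ -1,4 +1,6 @@
 
+ v1.1.3. Fix security flaw of DirHandler; reported on mailing list.
+
  v1.1.2. Fix worker termination bug; fix JRuby 1.0.3 load order issue; fix require issue on systems without Rubygems.
 
  v1.1.1. Fix mongrel_rails restart bug; fix bug with Rack status codes.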
@@ -384,7 +384,7 @@ void Init_http11()
384
384
  DEF_GLOBAL(server_protocol, "SERVER_PROTOCOL");
385
385
  DEF_GLOBAL(server_protocol_value, "HTTP/1.1");
386
386
  DEF_GLOBAL(http_host, "HTTP_HOST");
387
- DEF_GLOBAL(mongrel_version, "Mongrel 1.1.2"); /* XXX Why is this defined here? */
387
+ DEF_GLOBAL(mongrel_version, "Mongrel 1.1.3"); /* XXX Why is this defined here? */
388
388
  DEF_GLOBAL(server_software, "SERVER_SOFTWARE");
389
389
  DEF_GLOBAL(port_80, "80");
390
390
 
@@ -215,7 +215,7 @@ public class Http11 extends RubyObject {
215
215
 
216
216
  req.setInstanceVariable("@http_body", RubyString.newString(runtime, new ByteList(hp.parser.buffer, at, length)));
217
217
  req.aset(runtime.newString("SERVER_PROTOCOL"),runtime.newString("HTTP/1.1"));
218
- req.aset(runtime.newString("SERVER_SOFTWARE"),runtime.newString("Mongrel 1.1.2"));
218
+ req.aset(runtime.newString("SERVER_SOFTWARE"),runtime.newString("Mongrel 1.1.3"));
219
219
  }
220
220
  };
221
221
 
@@ -65,7 +65,7 @@ module Mongrel
65
65
  REQUEST_URI='REQUEST_URI'.freeze
66
66
  REQUEST_PATH='REQUEST_PATH'.freeze
67
67
 
68
- MONGREL_VERSION="1.1.2".freeze
68
+ MONGREL_VERSION="1.1.3".freeze
69
69
 
70
70
  MONGREL_TMP_BASE="mongrel".freeze
71
71
 
@@ -132,8 +132,12 @@ module Mongrel
132
132
  # Add the drive letter or root path
133
133
  req_path = File.join(@path, req_path) if @path
134
134
  req_path = File.expand_path req_path
135
-
136
- if File.exist? req_path
135
+
136
+ # do not remove the check for @path at the beginning, it's what prevents
137
+ # the serving of arbitrary files (and good programmer Rule #1 Says: If
138
+ # you don't understand something, it's not because I'm stupid, it's
139
+ # because you are).
140
+ if req_path.index(@path) == 0 and File.exist? req_path
137
141
  # It exists and it's in the right location
138
142
  if File.directory? req_path
139
143
  # The request is for a directory
@@ -153,7 +157,7 @@ module Mongrel
153
157
  return req_path
154
158
  end
155
159
  else
156
- # does not exist or isn't in the right spot
160
+ # does not exist or isn't in the right spot or isn't valid because not start with @path
157
161
  return nil
158
162
  end
159
163
  end
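Review bot: The new guard `req_path.index(@path) == 0` in the `if` at new line 140 is a raw string-prefix test, not a path-component test, so an expanded path in a sibling directory whose name only begins with the served root (constructed example: root `/srv/www`, resolved path `/srv/www-old/x`) still counts as inside it. Anchor the comparison on a separator, e.g. `root = File.join(@path, '')` followed by `if (req_path == @path or req_path.index(root) == 0) and File.exist? req_path`. The `if @path` modifier two lines earlier suggests `@path` may be nil, in which case `index(@path)` raises TypeError instead of falling through to `return nil`; confirm the constructor always sets it and stores an already-expanded path, since the comparison is against `File.expand_path` output. `File.expand_path` does not resolve symlinks, and no test change is visible on this page, so a regression test covering the rejected cases would be worth adding with the fix. The method begins and ends outside both hunks of this file.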
@@ -1,27 +1,27 @@
1
1
 
2
- # Gem::Specification for Mongrel-1.1.2
2
+ # Gem::Specification for Mongrel-1.1.3
3
3
  # Originally generated by Echoe
4
4
 
5
5
  Gem::Specification.new do |s|
6
6
  s.name = %q{mongrel}
7
- s.version = "1.1.2"
7
+ s.version = "1.1.3"
8
8
 
9
9
  s.specification_version = 2 if s.respond_to? :specification_version=
10
10
 
11
11
  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
12
12
  s.authors = ["Zed A. Shaw"]
13
- s.date = %q{2007-12-15}
13
+ s.date = %q{2008-01-01}
14
14
  s.default_executable = %q{mongrel_rails}
15
15
  s.description = %q{A small fast HTTP library and server that runs Rails, Camping, Nitro and Iowa apps.}
16
16
  s.email = %q{}
17
17
  s.executables = ["mongrel_rails"]
18
18
  s.extensions = ["ext/http11/extconf.rb"]
19
19
  s.has_rdoc = true
20
- s.homepage = %q{}
20
+ s.homepage = %q{http://mongrel.rubyforge.org}
21
21
  s.require_paths = ["lib", "ext"]
22
22
  s.required_ruby_version = Gem::Requirement.new(">= 1.8.4")
23
23
  s.rubyforge_project = %q{mongrel}
24
- s.rubygems_version = %q{0.9.5}
24
+ s.rubygems_version = %q{1.0.1}
25
25
  s.summary = %q{A small fast HTTP library and server that runs Rails, Camping, Nitro and Iowa apps.}
26
26
  s.test_files = ["test/test_cgi_wrapper.rb", "test/test_command.rb", "test/test_conditional.rb", "test/test_configurator.rb", "test/test_debug.rb", "test/test_handlers.rb", "test/test_http11.rb", "test/test_redirect_handler.rb", "test/test_request_progress.rb", "test/test_response.rb", "test/test_stats.rb", "test/test_uriclassifier.rb", "test/test_ws.rb"]
27
27
 
@@ -43,20 +43,22 @@ end
43
43
  # p.summary = "A small fast HTTP library and server that runs Rails, Camping, Nitro and Iowa apps."
44
44
  # p.author ="Zed A. Shaw"
45
45
  # p.clean_pattern = ['ext/http11/*.{bundle,so,o,obj,pdb,lib,def,exp}', 'lib/*.{bundle,so,o,obj,pdb,lib,def,exp}', 'ext/http11/Makefile', 'pkg', 'lib/*.bundle', '*.gem', 'site/output', '.config', 'lib/http11.jar', 'ext/http11_java/classes', 'coverage']
46
+ # p.url = "http://mongrel.rubyforge.org"
46
47
  # p.rdoc_pattern = ['README', 'LICENSE', 'CHANGELOG', 'COPYING', 'lib/**/*.rb', 'doc/**/*.rdoc']
47
48
  # p.ignore_pattern = /^(pkg|site|projects|doc|log)|CVS|\.log/
48
- # p.ruby_version = '>= 1.8.4'
49
+ # p.ruby_version = '>=1.8.4'
49
50
  # p.dependencies = ['gem_plugin >=0.2.3']
50
51
  # p.extension_pattern = nil
51
52
  #
53
+ # when 'eweaver'
54
+ # when 'luislavena'
55
+ # end
56
+ #
52
57
  # p.need_tar_gz = false
53
58
  # p.need_tgz = true
54
59
  #
55
- # case RUBY_PLATFORM
56
- # when /mswin/
57
- # when /java/
58
- # else
59
- # p.extension_pattern = ["ext/**/extconf.rb"]
60
+ # if RUBY_PLATFORM !~ /mswin|java/
61
+ # p.extension_pattern = ["ext/**/extconf.rb"]
60
62
  # end
61
63
  #
62
64
  # p.eval = proc do
@@ -67,7 +69,7 @@ end
67
69
  # add_dependency('cgi_multipart_eof_fix', '>= 2.4')
68
70
  # when /java/
69
71
  # self.files += ['lib/http11.jar']
70
- # self.platform = 'jruby'
72
+ # self.platform = 'jruby' # XXX Is this right?
71
73
  # else
72
74
  # add_dependency('daemons', '>= 1.0.3')
73
75
  # add_dependency('fastthread', '>= 1.0.1')
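--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
  --- !ruby/object:Gem::Specification
  name: mongrel
  version: !ruby/object:Gem::Version
- version: 1.1.2
+ version: 1.1.3
  platform: ruby
  authors:
  - Zed A. Shaw
@@ -52,7 +52,7 @@ cert_chain:
  ALN3mi/9z0Mf1YroliUgF0v5Yw==
  -----END CERTIFICATE-----
 
- date: 2007-12-15 00:00:00 -05:00
+ date: 2008-01-01 00:00:00 -05:00
  default_executable:
  dependencies:
  - !ruby/object:Gem::Dependency
@@ -170,7 +170,7 @@ files:
  - TODO
  - tools/trickletest.rb
  has_rdoc: true
- homepage: ""
+ homepage: http://mongrel.rubyforge.org
  post_install_message:
  rdoc_options: []
 
@@ -192,7 +192,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  requirements: []
 
  rubyforge_project: mongrel
- rubygems_version: 0.9.5
+ rubygems_version: 1.0.1
  signing_key:
  specification_version: 2
  summary: A small fast HTTP library and server that runs Rails, Camping, Nitro and Iowa apps.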
metadata.gz.sig CHANGED
Binary file