newrelic_rpm 3.3.2 → 3.3.2.1

data/CHANGELOG

@@ -1,3 +1,6 @@
+v3.3.2.1
+  * [SECURITY] fix for cookie handling by End User Monitoring instrumentation
+
 v3.3.2
   * deployments recipe change: truncate git SHAs to 7 characters
   * Fixes for obfuscation of PostgreSQL and SQLite queries

data/lib/new_relic/agent/transaction_info.rb

@@ -1,3 +1,5 @@
+require 'erb'
+
 module NewRelic
   module Agent
     class TransactionInfo
@@ -48,17 +50,22 @@ module NewRelic
       def self.reset(request=nil)
         clear
         instance = get
+        instance.token = get_token(request)
+      end
 
-        if request
-          agent_flag = request.cookies['NRAGENT']
-          if agent_flag
-            s = agent_flag.split("=")
-            if s.length == 2
-              if s[0] == "tk" && s[1]
-                instance.token = s[1]
-              end
+      def self.get_token(request)
+        return nil unless request
+        
+        agent_flag = request.cookies['NRAGENT']
+        if agent_flag
+          s = agent_flag.split("=")
+          if s.length == 2
+            if s[0] == "tk" && s[1]
+              ERB::Util.h(s[1])
             end
           end
+        else
+          nil
         end
       end
     end

data/lib/new_relic/version.rb

@@ -4,7 +4,7 @@ module NewRelic
     MAJOR = 3
     MINOR = 3
     TINY  = 2
-    BUILD = nil # Set to nil for a release, 'beta1', 'alpha', etc for prerelease builds
+    BUILD = 1 # Set to nil for a release, 'beta1', 'alpha', etc for prerelease builds
     STRING = [MAJOR, MINOR, TINY, BUILD].compact.join('.')
   end
 

data/newrelic_rpm.gemspec

@@ -4,21 +4,15 @@
 # -*- encoding: utf-8 -*-
 
 Gem::Specification.new do |s|
-  s.name = %q{newrelic_rpm}
-  s.version = "3.3.2"
+  s.name = "newrelic_rpm"
+  s.version = "3.3.2.1"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Bill Kayser", "Jon Guymon", "Justin George", "Darin Swanson"]
-  s.date = %q{2012-02-16}
-  s.description = %q{New Relic is a performance management system, developed by New Relic,
-Inc (http://www.newrelic.com).  New Relic provides you with deep
-information about the performance of your web application as it runs
-in production. The New Relic Ruby Agent is dual-purposed as a either a
-Gem or plugin, hosted on
-http://github.com/newrelic/rpm/
-}
-  s.email = %q{support@newrelic.com}
-  s.executables = ["newrelic_cmd", "newrelic", "mongrel_rpm"]
+  s.date = "2012-03-15"
+  s.description = "New Relic is a performance management system, developed by New Relic,\nInc (http://www.newrelic.com).  New Relic provides you with deep\ninformation about the performance of your web application as it runs\nin production. The New Relic Ruby Agent is dual-purposed as a either a\nGem or plugin, hosted on\nhttp://github.com/newrelic/rpm/\n"
+  s.email = "support@newrelic.com"
+  s.executables = ["newrelic", "newrelic_cmd", "mongrel_rpm"]
   s.extra_rdoc_files = [
     "CHANGELOG",
     "LICENSE",
@@ -176,6 +170,7 @@ http://github.com/newrelic/rpm/
     "test/new_relic/agent/stats_engine/metric_stats_test.rb",
     "test/new_relic/agent/stats_engine/samplers_test.rb",
     "test/new_relic/agent/stats_engine_test.rb",
+    "test/new_relic/agent/transaction_info_test.rb",
     "test/new_relic/agent/transaction_sample_builder_test.rb",
     "test/new_relic/agent/transaction_sampler_test.rb",
     "test/new_relic/agent/worker_loop_test.rb",
@@ -286,28 +281,8 @@ http://github.com/newrelic/rpm/
     "vendor/gems/metric_parser-0.1.0.pre1/lib/new_relic/metric_parser/web_service.rb",
     "vendor/gems/metric_parser-0.1.0.pre1/lib/new_relic/metric_parser/web_transaction.rb"
   ]
-  s.homepage = %q{http://www.github.com/newrelic/rpm}
-  s.post_install_message = %q{
-PLEASE NOTE:
-
-Developer Mode is now a Rack middleware.
-
-Developer Mode is no longer available in Rails 2.1 and earlier.
-However, starting in version 2.12 you can use Developer Mode in any
-Rack based framework, in addition to Rails.  To install developer mode
-in a non-Rails application, just add NewRelic::Rack::DeveloperMode to
-your middleware stack.
-
-If you are using JRuby, we recommend using at least version 1.4 or 
-later because of issues with the implementation of the timeout library.
-
-Refer to the README.md file for more information.
-
-Please see http://github.com/newrelic/rpm/blob/master/CHANGELOG
-for a complete description of the features and enhancements available
-in version 3.3 of the Ruby Agent.
-  
-}
+  s.homepage = "http://www.github.com/newrelic/rpm"
+  s.post_install_message = "\nPLEASE NOTE:\n\nDeveloper Mode is now a Rack middleware.\n\nDeveloper Mode is no longer available in Rails 2.1 and earlier.\nHowever, starting in version 2.12 you can use Developer Mode in any\nRack based framework, in addition to Rails.  To install developer mode\nin a non-Rails application, just add NewRelic::Rack::DeveloperMode to\nyour middleware stack.\n\nIf you are using JRuby, we recommend using at least version 1.4 or \nlater because of issues with the implementation of the timeout library.\n\nRefer to the README.md file for more information.\n\nPlease see http://github.com/newrelic/rpm/blob/master/CHANGELOG\nfor a complete description of the features and enhancements available\nin version 3.3 of the Ruby Agent.\n  \n"
   s.rdoc_options = ["--line-numbers", "--inline-source", "--title", "New Relic Ruby Agent"]
   s.require_paths = ["lib"]
   s.summary = "New Relic Ruby Agent"

data/test/new_relic/agent/transaction_info_test.rb

@@ -0,0 +1,13 @@
+require File.expand_path(File.join(File.dirname(__FILE__),'..','..','test_helper'))
+require 'ostruct'
+
+class NewRelic::Agent::TransactionInfoTest < Test::Unit::TestCase
+  def setup
+    @request = OpenStruct.new(:cookies => {'NRAGENT' => 'tk=1234<tag>evil</tag>5678'})
+  end
+  
+  def test_get_token_gets_sanitized_token_from_cookie
+    assert_equal('1234&lt;tag&gt;evil&lt;/tag&gt;5678',
+                 NewRelic::Agent::TransactionInfo.get_token(@request))
+  end
+end

metadata

@@ -1,13 +1,14 @@
 --- !ruby/object:Gem::Specification 
 name: newrelic_rpm
 version: !ruby/object:Gem::Version 
-  hash: 15
+  hash: 109
   prerelease: 
   segments: 
   - 3
   - 3
   - 2
-  version: 3.3.2
+  - 1
+  version: 3.3.2.1
 platform: ruby
 authors: 
 - Bill Kayser
@@ -18,8 +19,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2012-02-16 00:00:00 -08:00
-default_executable: 
+date: 2012-03-15 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: jeweler
@@ -73,8 +73,8 @@ description: |
 
 email: support@newrelic.com
 executables: 
-- newrelic_cmd
 - newrelic
+- newrelic_cmd
 - mongrel_rpm
 extensions: []
 
@@ -234,6 +234,7 @@ files:
 - test/new_relic/agent/stats_engine/metric_stats_test.rb
 - test/new_relic/agent/stats_engine/samplers_test.rb
 - test/new_relic/agent/stats_engine_test.rb
+- test/new_relic/agent/transaction_info_test.rb
 - test/new_relic/agent/transaction_sample_builder_test.rb
 - test/new_relic/agent/transaction_sampler_test.rb
 - test/new_relic/agent/worker_loop_test.rb
@@ -343,7 +344,6 @@ files:
 - vendor/gems/metric_parser-0.1.0.pre1/lib/new_relic/metric_parser/web_frontend.rb
 - vendor/gems/metric_parser-0.1.0.pre1/lib/new_relic/metric_parser/web_service.rb
 - vendor/gems/metric_parser-0.1.0.pre1/lib/new_relic/metric_parser/web_transaction.rb
-has_rdoc: true
 homepage: http://www.github.com/newrelic/rpm
 licenses: []
 
@@ -397,7 +397,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 
 rubyforge_project: 
-rubygems_version: 1.4.2
+rubygems_version: 1.8.15
 signing_key: 
 specification_version: 3
 summary: New Relic Ruby Agent