patron 0.6.4 → 0.6.5
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -0
- data/Gemfile.lock +1 -1
- data/README.md +7 -3
- data/ext/patron/session_ext.c +9 -1
- data/lib/patron/version.rb +1 -1
- data/spec/session_spec.rb +21 -0
- data/spec/support/test_server.rb +8 -0
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: a7318f9bed9b99f36570d83e3c0de4fe77e9fa93
|
4
|
+
data.tar.gz: 15cf5d9064bb24ce550e31e15c87feacb6d9e2a5
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 07b6971951e179505a4df277951b57c5b509679fb7e1515f400fdd954e897a9b191c879ba467e409d5ef310b6fee44b7608c26cbf80d0629e1c3574be25a0487
|
7
|
+
data.tar.gz: aee56e977fce8e5e629df192aa83a5a27d69dd66a767adac38adb5786e36d93186162bd6166a6292a0826e15dc4c466fc6e0e2e1c7de885fe59e40c53f3235fc
|
data/CHANGELOG.md
CHANGED
data/Gemfile.lock
CHANGED
data/README.md
CHANGED
@@ -92,10 +92,14 @@ For sharing a resource of sessions between threads we recommend using the excell
|
|
92
92
|
|
93
93
|
## Requirements
|
94
94
|
|
95
|
-
|
96
|
-
|
95
|
+
Patron uses encoding features of Ruby, so you need at least Ruby 1.9. Also, a
|
96
|
+
recent version of libCURL is required. We recommend at least 7.19.4 because
|
97
|
+
it [supports limiting the protocols](https://curl.haxx.se/libcurl/c/CURLOPT_PROTOCOLS.html),
|
98
|
+
and that is very important for security - especially if you follow redirects.
|
99
|
+
|
100
|
+
On OSX the provided libcurl is sufficient. You will have to install the libcurl
|
97
101
|
development packages on Debian or Ubuntu. Other Linux systems are probably
|
98
|
-
similar. Windows
|
102
|
+
similar. For Windows we do not have an established build instruction at the moment, unfortunately.
|
99
103
|
|
100
104
|
## Installation
|
101
105
|
|
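--- a/data/ext/patron/session_ext.c
+++ b/data/ext/patron/session_ext.c
@@ -470,7 +470,15 @@ static void set_options_from_request(VALUE self, VALUE request) {
 rb_raise(rb_eArgError, "Must provide a URL");
 }
 curl_easy_setopt(curl, CURLOPT_URL, StringValuePtr(url));
-
+
+#ifdef CURLPROTO_HTTP
+// Security: do not allow Curl to go looking on gopher/SMTP etc.
+// Must prevent situations like this:
+// https://hackerone.com/reports/115748
+curl_easy_setopt(curl, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
+curl_easy_setopt(curl, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
+#endif
+
 timeout = rb_funcall(request, rb_intern("timeout"), 0);
 if (RTEST(timeout)) {
 curl_easy_setopt(curl, CURLOPT_TIMEOUT, FIX2INT(timeout));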
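Review bot: The scheme allow-list is only compiled in when `CURLPROTO_HTTP` is defined, so on a libcurl older than 7.19.4 the `#ifdef` at new line 474 silently drops both `curl_easy_setopt` calls and the session keeps following redirects to any scheme libcurl supports. Since the README in this same release says 7.19.4 is recommended for exactly this reason, the fallback should be loud rather than silent: add `#else` / `#warning "libcurl lacks CURLPROTO_HTTP: non-HTTP(S) schemes and redirects to them are not blocked"` (GCC/Clang; `#error` if such builds are not meant to ship) before the `#endif`. The return values of the two new `curl_easy_setopt` calls are ignored, which matches the surrounding code, but for a security control it is worth capturing the `CURLcode` and raising if it is not `CURLE_OK` so a build where the option is rejected does not pass unnoticed. `set_options_from_request` begins before and continues after this hunk.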
data/lib/patron/version.rb
CHANGED
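--- a/data/spec/session_spec.rb
+++ b/data/spec/session_spec.rb
@@ -36,6 +36,27 @@ describe Patron::Session do
 @session.base_url = "http://localhost:9001"
 end
 
+context 'when trying a non-HTTP(s) URL' do
+forbidden_protos = %w( smb tftp imap smtp telnet dict ftp sftp scp file gopher )
+forbidden_protos.each do |forbidden_proto|
+it "should deny a #{forbidden_proto.upcase} request" do
+@session.base_url = nil
+expect {
+@session.get('%s://localhost' % forbidden_proto)
+}.to raise_error(Patron::UnsupportedProtocol)
+end
+end
+end
+
+it 'does not follow a redirect to a non-HTTP/HTTPS URL' do
+# The "/evil-redirect" servlet tries to do a redirect to SMTP,
+# which can lead to exploits. By default, libCURL will just follow
+# that redirect.
+expect {
+@session.get('/evil-redirect')
+}.to raise_error(Patron::UnsupportedProtocol)
+end
+
 it "should work when forcing ipv4" do
 @session.force_ipv4 = true
 expect { @session.get("/test") }.to_not raise_error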
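Review bot: Whether a scheme in `forbidden_protos` (new lines 40-49) is compiled into the local libcurl at all depends on the build (`scp`/`sftp` need libssh2, `smb` is optional), so for those entries `Patron::UnsupportedProtocol` is presumably raised whether or not the new `CURLOPT_PROTOCOLS` restriction is applied; only schemes a stock build carries, such as `file` and `ftp`, actually prove the change works. A comment above the list would stop a later maintainer from trimming the meaningful cases as redundant, e.g. `# file and ftp ship in nearly every libcurl build, so they are the cases that prove CURLOPT_PROTOCOLS is set; the others may fail merely because the build lacks them`. The same caveat applies to the redirect example at lines 51-58, whose target scheme is SMTP. Minor style: `'%s://localhost' % forbidden_proto` reads more idiomatically as `"#{forbidden_proto}://localhost"`. The enclosing `describe Patron::Session do` block starts before and ends after this hunk.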
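--- a/data/spec/support/test_server.rb
+++ b/data/spec/support/test_server.rb
@@ -108,6 +108,13 @@ class RedirectServlet < HTTPServlet::AbstractServlet
 end
 end
 
+class EvilRedirectServlet < HTTPServlet::AbstractServlet
+def do_GET(req,res)
+res['Location'] = "smtp://mailbox:secret@localhost"
+res.status = 301
+end
+end
+
 class TestPostBodyServlet < HTTPServlet::AbstractServlet
 include RespondWith
 def do_POST(req, res)
@@ -188,6 +195,7 @@ class PatronTestServer
 @server.mount("/testpatch", TestPatchBodyServlet)
 @server.mount("/timeout", TimeoutServlet)
 @server.mount("/redirect", RedirectServlet)
+@server.mount("/evil-redirect", EvilRedirectServlet)
 @server.mount("/picture", PictureServlet)
 @server.mount("/setcookie", SetCookieServlet)
 @server.mount("/repetitiveheader", RepetitiveHeaderServlet)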
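Review bot: `def do_GET(req,res)` at new line 112 drops the space after the comma that the sibling `do_POST(req, res)` at line 120 keeps, and `req` is never read in the body; `def do_GET(_req, res)` fixes both. The new servlet also carries no comment on why it answers with an `smtp://` `Location` that embeds userinfo, so a reader of the fixture alone cannot tell it is deliberate; a one-liner such as `# Redirects to a non-HTTP(S) scheme on purpose; session_spec expects the client to refuse to follow it.` above the class would document the intent. The `/evil-redirect` mount in the second hunk is consistent with its neighbours; `PatronTestServer` and that mount sequence begin and end outside the hunk.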
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: patron
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.6.
|
4
|
+
version: 0.6.5
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Phillip Toland
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2016-06-
|
11
|
+
date: 2016-06-07 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: bundler
|