patron 0.6.4 → 0.6.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -0
- data/Gemfile.lock +1 -1
- data/README.md +7 -3
- data/ext/patron/session_ext.c +9 -1
- data/lib/patron/version.rb +1 -1
- data/spec/session_spec.rb +21 -0
- data/spec/support/test_server.rb +8 -0
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: a7318f9bed9b99f36570d83e3c0de4fe77e9fa93
|
|
4
|
+
data.tar.gz: 15cf5d9064bb24ce550e31e15c87feacb6d9e2a5
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 07b6971951e179505a4df277951b57c5b509679fb7e1515f400fdd954e897a9b191c879ba467e409d5ef310b6fee44b7608c26cbf80d0629e1c3574be25a0487
|
|
7
|
+
data.tar.gz: aee56e977fce8e5e629df192aa83a5a27d69dd66a767adac38adb5786e36d93186162bd6166a6292a0826e15dc4c466fc6e0e2e1c7de885fe59e40c53f3235fc
|
data/CHANGELOG.md
CHANGED
data/Gemfile.lock
CHANGED
data/README.md
CHANGED
|
@@ -92,10 +92,14 @@ For sharing a resource of sessions between threads we recommend using the excell
|
|
|
92
92
|
|
|
93
93
|
## Requirements
|
|
94
94
|
|
|
95
|
-
|
|
96
|
-
|
|
95
|
+
Patron uses encoding features of Ruby, so you need at least Ruby 1.9. Also, a
|
|
96
|
+
recent version of libCURL is required. We recommend at least 7.19.4 because
|
|
97
|
+
it [supports limiting the protocols](https://curl.haxx.se/libcurl/c/CURLOPT_PROTOCOLS.html),
|
|
98
|
+
and that is very important for security - especially if you follow redirects.
|
|
99
|
+
|
|
100
|
+
On OSX the provided libcurl is sufficient. You will have to install the libcurl
|
|
97
101
|
development packages on Debian or Ubuntu. Other Linux systems are probably
|
|
98
|
-
similar. Windows
|
|
102
|
+
similar. For Windows we do not have an established build instruction at the moment, unfortunately.
|
|
99
103
|
|
|
100
104
|
## Installation
|
|
101
105
|
|
data/ext/patron/session_ext.c
CHANGED
|
@@ -470,7 +470,15 @@ static void set_options_from_request(VALUE self, VALUE request) {
|
|
|
470
470
|
rb_raise(rb_eArgError, "Must provide a URL");
|
|
471
471
|
}
|
|
472
472
|
curl_easy_setopt(curl, CURLOPT_URL, StringValuePtr(url));
|
|
473
|
-
|
|
473
|
+
|
|
474
|
+
#ifdef CURLPROTO_HTTP
|
|
475
|
+
// Security: do not allow Curl to go looking on gopher/SMTP etc.
|
|
476
|
+
// Must prevent situations like this:
|
|
477
|
+
// https://hackerone.com/reports/115748
|
|
478
|
+
curl_easy_setopt(curl, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
|
|
479
|
+
curl_easy_setopt(curl, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
|
|
480
|
+
#endif
|
|
481
|
+
|
|
474
482
|
timeout = rb_funcall(request, rb_intern("timeout"), 0);
|
|
475
483
|
if (RTEST(timeout)) {
|
|
476
484
|
curl_easy_setopt(curl, CURLOPT_TIMEOUT, FIX2INT(timeout));
|
data/lib/patron/version.rb
CHANGED
data/spec/session_spec.rb
CHANGED
|
@@ -36,6 +36,27 @@ describe Patron::Session do
|
|
|
36
36
|
@session.base_url = "http://localhost:9001"
|
|
37
37
|
end
|
|
38
38
|
|
|
39
|
+
context 'when trying a non-HTTP(s) URL' do
|
|
40
|
+
forbidden_protos = %w( smb tftp imap smtp telnet dict ftp sftp scp file gopher )
|
|
41
|
+
forbidden_protos.each do |forbidden_proto|
|
|
42
|
+
it "should deny a #{forbidden_proto.upcase} request" do
|
|
43
|
+
@session.base_url = nil
|
|
44
|
+
expect {
|
|
45
|
+
@session.get('%s://localhost' % forbidden_proto)
|
|
46
|
+
}.to raise_error(Patron::UnsupportedProtocol)
|
|
47
|
+
end
|
|
48
|
+
end
|
|
49
|
+
end
|
|
50
|
+
|
|
51
|
+
it 'does not follow a redirect to a non-HTTP/HTTPS URL' do
|
|
52
|
+
# The "/evil-redirect" servlet tries to do a redirect to SMTP,
|
|
53
|
+
# which can lead to exploits. By default, libCURL will just follow
|
|
54
|
+
# that redirect.
|
|
55
|
+
expect {
|
|
56
|
+
@session.get('/evil-redirect')
|
|
57
|
+
}.to raise_error(Patron::UnsupportedProtocol)
|
|
58
|
+
end
|
|
59
|
+
|
|
39
60
|
it "should work when forcing ipv4" do
|
|
40
61
|
@session.force_ipv4 = true
|
|
41
62
|
expect { @session.get("/test") }.to_not raise_error
|
data/spec/support/test_server.rb
CHANGED
|
@@ -108,6 +108,13 @@ class RedirectServlet < HTTPServlet::AbstractServlet
|
|
|
108
108
|
end
|
|
109
109
|
end
|
|
110
110
|
|
|
111
|
+
class EvilRedirectServlet < HTTPServlet::AbstractServlet
|
|
112
|
+
def do_GET(req,res)
|
|
113
|
+
res['Location'] = "smtp://mailbox:secret@localhost"
|
|
114
|
+
res.status = 301
|
|
115
|
+
end
|
|
116
|
+
end
|
|
117
|
+
|
|
111
118
|
class TestPostBodyServlet < HTTPServlet::AbstractServlet
|
|
112
119
|
include RespondWith
|
|
113
120
|
def do_POST(req, res)
|
|
@@ -188,6 +195,7 @@ class PatronTestServer
|
|
|
188
195
|
@server.mount("/testpatch", TestPatchBodyServlet)
|
|
189
196
|
@server.mount("/timeout", TimeoutServlet)
|
|
190
197
|
@server.mount("/redirect", RedirectServlet)
|
|
198
|
+
@server.mount("/evil-redirect", EvilRedirectServlet)
|
|
191
199
|
@server.mount("/picture", PictureServlet)
|
|
192
200
|
@server.mount("/setcookie", SetCookieServlet)
|
|
193
201
|
@server.mount("/repetitiveheader", RepetitiveHeaderServlet)
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: patron
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.6.
|
|
4
|
+
version: 0.6.5
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Phillip Toland
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2016-06-
|
|
11
|
+
date: 2016-06-07 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|