RubyGems - pelle-oauth - Versions diffs - 0.3.5 → 0.3.6 - Mend

pelle-oauth 0.3.5 → 0.3.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

data/History.txt +2 -0
data/Rakefile +33 -24
data/lib/oauth/consumer.rb +5 -2
data/lib/oauth/helper.rb +23 -1
data/lib/oauth/signature/base.rb +1 -1
data/lib/oauth/signature/plaintext.rb +1 -1
data/oauth.gemspec +1 -1
data/test/test_action_controller_request_proxy.rb +1 -0
data/test/test_signature.rb +19 -3
metadata +1 -1

data/History.txt CHANGED Viewed

@@ -1,6 +1,8 @@
 == 0.3.6
 * Added -B CLI option to use the :body authentication scheme (Seth)
+* Added :ca_file consumer option to allow consumer specific certificate override. (Pelle)
+* Added a secure_equals in Helper to prevent timing attacks. (Pelle)
 == 0.3.5 2009-06-03

data/Rakefile CHANGED Viewed

@@ -1,35 +1,44 @@
-%w[rubygems rake rake/clean fileutils newgem rubigen].each { |f| require f }
+%w[rubygems rake rake/clean fileutils].each { |f| require f }
 $LOAD_PATH << File.dirname(__FILE__) + '/lib'
 require 'oauth'
 require 'oauth/version'
-# Generate all the Rake tasks
-# Run 'rake -T' to see list of generated tasks (from gem root directory)
-$hoe = Hoe.new('oauth', OAuth::VERSION) do |p|
-  p.author = ['Pelle Braendgaard','Blaine Cook','Larry Halff','Jesse Clark','Jon Crosby', 'Seth Fitzsimmons']
-  p.email = "oauth-ruby@googlegroups.com"
-  p.description = "OAuth Core Ruby implementation"
-  p.summary = p.description
-  p.changes              = p.paragraphs_of("History.txt", 0..1).join("\n\n")
-  p.rubyforge_name       = p.name # TODO this is default value
-  p.url = "http://oauth.rubyforge.org"
+begin
+  require 'hoe'
+  require 'newgem'
+  require 'rubigen'
+  # Generate all the Rake tasks
+  # Run 'rake -T' to see list of generated tasks (from gem root directory)
+  $hoe = Hoe.new('oauth', OAuth::VERSION) do |p|
+    p.author = ['Pelle Braendgaard','Blaine Cook','Larry Halff','Jesse Clark','Jon Crosby', 'Seth Fitzsimmons']
+    p.email = "oauth-ruby@googlegroups.com"
+    p.description = "OAuth Core Ruby implementation"
+    p.summary = p.description
+    p.changes              = p.paragraphs_of("History.txt", 0..1).join("\n\n")
+    p.rubyforge_name       = p.name # TODO this is default value
+    p.url = "http://oauth.rubyforge.org"
-  p.extra_deps         = [
-    ['ruby-hmac','>= 0.3.1']
-  ]
-  p.extra_dev_deps = [
-    ['newgem', ">= #{::Newgem::VERSION}"],
-    ['actionpack'],
-    ['rack']
-  ]
+    p.extra_deps         = [
+      ['ruby-hmac','>= 0.3.1']
+    ]
+    p.extra_dev_deps = [
+      ['newgem', ">= #{::Newgem::VERSION}"],
+      ['actionpack'],
+      ['rack']
+    ]
-  p.clean_globs |= %w[**/.DS_Store tmp *.log **/.*.sw? *.gem .config **/.DS_Store]
-  path = (p.rubyforge_name == p.name) ? p.rubyforge_name : "\#{p.rubyforge_name}/\#{p.name}"
-  p.remote_rdoc_dir = File.join(path.gsub(/^#{p.rubyforge_name}\/?/,''), 'rdoc')
-  p.rsync_args = '-av --delete --ignore-errors'
+    p.clean_globs |= %w[**/.DS_Store tmp *.log **/.*.sw? *.gem .config **/.DS_Store]
+    path = (p.rubyforge_name == p.name) ? p.rubyforge_name : "\#{p.rubyforge_name}/\#{p.name}"
+    p.remote_rdoc_dir = File.join(path.gsub(/^#{p.rubyforge_name}\/?/,''), 'rdoc')
+    p.rsync_args = '-av --delete --ignore-errors'
+  end
+  require 'newgem/tasks' # load /tasks/*.rake
+rescue LoadError
+  puts "hoe not available"
 end
-require 'newgem/tasks' # load /tasks/*.rake
 Dir['tasks/**/*.rake'].each { |t| load t }
 # TODO - want other tests/tasks run by default? Add them to the list

data/lib/oauth/consumer.rb CHANGED Viewed

@@ -38,6 +38,9 @@ module OAuth
       # Default http method used for OAuth Token Requests (defaults to :post)
       :http_method   => :post,
+      # Add a custom ca_file for consumer
+      # :ca_file       => '/etc/certs.pem'
       :oauth_version => "1.0"
     }
@@ -278,8 +281,8 @@ module OAuth
       http_object.use_ssl = (our_uri.scheme == 'https')
-      if CA_FILE
-        http_object.ca_file = CA_FILE
+      if @options[:ca_file] || CA_FILE
+        http_object.ca_file = @options[:ca_file] || CA_FILE
         http_object.verify_mode = OpenSSL::SSL::VERIFY_PEER
         http_object.verify_depth = 5
       else

data/lib/oauth/helper.rb CHANGED Viewed

@@ -1,5 +1,6 @@
 require 'openssl'
 require 'base64'
+require 'enumerator'
 module OAuth
   module Helper
@@ -70,9 +71,30 @@ module OAuth
       # convert into a Hash
       Hash[*params.flatten]
     end
+    # A secure version of equals meant to avoid timing attacks as specified here
+    # http://codahale.com/a-lesson-in-timing-attacks/
+    def secure_equals(a,b)
+      return a==b unless a.is_a?(String)&&b.is_a?(String)
+      result = 0
+      bytes(a).zip(bytes(b)).each do |x,y|
+        result |= (x ^ y)
+      end
+      (result == 0) && (a.length == b.length)
+    end
     def unescape(value)
       URI.unescape(value.gsub('+', '%2B'))
     end
+    # Creates a per byte enumerator for a string regardless of RUBY VERSION
+    def bytes(a)
+      return [] if a.nil?
+      if a.respond_to?(:bytes)
+        a.bytes
+      else
+        Enumerable::Enumerator.new(a, :each_byte)
+      end
+    end
   end
 end

data/lib/oauth/signature/base.rb CHANGED Viewed

@@ -55,7 +55,7 @@ module OAuth::Signature
     end
     def ==(cmp_signature)
-      Base64.decode64(signature) == Base64.decode64(cmp_signature)
+      secure_equals(Base64.decode64(signature), Base64.decode64(cmp_signature))
     end
     def verify

data/lib/oauth/signature/plaintext.rb CHANGED Viewed

@@ -9,7 +9,7 @@ module OAuth::Signature
     end
     def ==(cmp_signature)
-      signature == escape(cmp_signature)
+      secure_equals(signature , escape(cmp_signature))
     end
     def signature_base_string

data/oauth.gemspec CHANGED Viewed

@@ -2,7 +2,7 @@
 Gem::Specification.new do |s|
   s.name = %q{oauth}
-  s.version = "0.3.5"
+  s.version = "0.3.6"
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Pelle Braendgaard", "Blaine Cook", "Larry Halff", "Jesse Clark", "Jon Crosby", "Seth Fitzsimmons", "Matt Sanford"]

data/test/test_action_controller_request_proxy.rb CHANGED Viewed

@@ -1,3 +1,4 @@
+gem 'actionpack','2.2.2'
 require File.dirname(__FILE__) + '/test_helper.rb'
 require 'oauth/request_proxy/action_controller_request.rb'
 require 'action_controller'

data/test/test_signature.rb CHANGED Viewed

@@ -1,19 +1,35 @@
+# encoding: utf-8
 require File.dirname(__FILE__) + '/test_helper.rb'
 class TestOauth < Test::Unit::TestCase
+  include OAuth::Helper
   def test_parameter_escaping_kcode_invariant
     old = $KCODE
     begin
       %w(n N e E s S u U).each do |kcode|
         $KCODE = kcode
-        assert_equal '%E3%81%82', OAuth::Helper.escape('あ'),
+        assert_equal '%E3%81%82', OAuth::Helper.escape("あ"),
                       "Failed to correctly escape Japanese under $KCODE = #{kcode}"
-        assert_equal '%C3%A9', OAuth::Helper.escape('é'),
+        assert_equal '%C3%A9', OAuth::Helper.escape("é"),
                       "Failed to correctly escape e+acute under $KCODE = #{kcode}"
       end
     ensure
       $KCODE = old
     end
   end
+  def test_secure_equals
+    [nil,1,12345,"12345",'1','Hello'*45].each do |value|
+      assert secure_equals(value,value)
+    end
+  end
+  def test_not_secure_equals
+    a=[nil,1,12345,"12345",'1','Hello'*45]
+    a.zip(a.reverse).each do |a,b|
+      assert !secure_equals(a,b)
+    end
+  end
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: pelle-oauth
 version: !ruby/object:Gem::Version
-  version: 0.3.5
+  version: 0.3.6
 platform: ruby
 authors:
 - Pelle Braendgaard