rack-cache 1.1 → 1.2

data/CHANGES

@@ -1,3 +1,12 @@
+## 1.2 / March 2012
+
+  * Fix a cookie leak vulnerability effecting large numbers of Rails 3.x installs:
+    https://github.com/rtomayko/rack-cache/pull/52
+
+  * Never 304 on PUT or POST requests.
+
+  * Misc bundler and test tooling fixes.
+
 ## 1.1 / September 2011
 
   * Allow (INM/IMS) validation requests through to backend on miss. Makes it

data/Rakefile

@@ -15,13 +15,13 @@ end
 desc 'Run specs with unit test style output'
 task :test => FileList['test/*_test.rb'] do |t|
   suite = t.prerequisites
-  sh "bacon -q -I.:lib:test #{suite.join(' ')}", :verbose => false
+  sh "bundle exec bacon -q -I.:lib:test #{suite.join(' ')}", :verbose => false
 end
 
 desc 'Run specs with story style output'
 task :spec => FileList['test/*_test.rb'] do |t|
   suite = t.prerequisites
-  sh "bacon -I.:lib:test #{suite.join(' ')}", :verbose => false
+  sh "bundle exec bacon -I.:lib:test #{suite.join(' ')}", :verbose => false
 end
 
 desc 'Generate test coverage report'

data/lib/rack/cache/context.rb

@@ -18,6 +18,7 @@ module Rack::Cache
     def initialize(backend, options={})
       @backend = backend
       @trace = []
+      @env = nil
 
       initialize_options options
       yield self if block_given?
@@ -82,7 +83,10 @@ module Rack::Cache
       end
 
       # tidy up response a bit
-      response.not_modified! if not_modified?(response)
+      if (@request.get? || @request.head?) && not_modified?(response)
+        response.not_modified!
+      end
+
       if @request.head?
         response.body.close if response.body.respond_to?(:close)
         response.body = []
@@ -259,6 +263,7 @@ module Rack::Cache
 
     # Write the response to the cache.
     def store(response)
+      strip_ignore_headers(response)
       metastore.store(@request, response, entitystore)
       response.headers['Age'] = response.age.to_s
     rescue Exception => e
@@ -268,6 +273,12 @@ module Rack::Cache
       record :store
     end
 
+    # Remove all ignored response headers before writing to the cache.
+    def strip_ignore_headers(response)
+      stripped_values = ignore_headers.map { |name| response.headers.delete(name) }
+      record :ignore if stripped_values.any?
+    end
+
     def log_error(exception)
       @env['rack.errors'].write("cache error: #{exception.message}\n#{exception.backtrace.join("\n")}\n")
     end

data/lib/rack/cache/metastore.rb

@@ -37,7 +37,7 @@ module Rack::Cache
       match = entries.detect{|req,res| requests_match?(res['Vary'], env, req)}
       return nil if match.nil?
 
-      req, res = match
+      _, res = match
       if body = entity_store.open(res['X-Content-Digest'])
         restore_response(res, body)
       else

data/lib/rack/cache/options.rb

@@ -78,6 +78,14 @@ module Rack::Cache
     # Default: 0
     option_accessor :default_ttl
 
+    # Set of response headers that are removed before storing them in the
+    # cache. These headers are only removed for cacheable responses.  For
+    # example, in most cases, it makes sense to prevent cookies from being
+    # stored in the cache.
+    #
+    # Default: ['Set-Cookie']
+    option_accessor :ignore_headers
+
     # Set of request headers that trigger "private" cache-control behavior
     # on responses that don't explicitly state whether the response is
     # public or private via a Cache-Control directive. Applications that use
@@ -138,6 +146,7 @@ module Rack::Cache
         'rack-cache.metastore'        => 'heap:/',
         'rack-cache.entitystore'      => 'heap:/',
         'rack-cache.default_ttl'      => 0,
+        'rack-cache.ignore_headers'   => ['Set-Cookie'],
         'rack-cache.private_headers'  => ['Authorization', 'Cookie'],
         'rack-cache.allow_reload'     => false,
         'rack-cache.allow_revalidate' => false,

data/rack-cache.gemspec

@@ -3,11 +3,11 @@ Gem::Specification.new do |s|
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
 
   s.name = 'rack-cache'
-  s.version = '1.1'
-  s.date = '2011-09-18'
+  s.version = '1.2'
+  s.date = '2012-03-05'
 
-  s.description = "HTTP Caching for Rack"
   s.summary     = "HTTP Caching for Rack"
+  s.description = "Rack::Cache is suitable as a quick drop-in component to enable HTTP caching for Rack-based applications that produce freshness (Expires, Cache-Control) and/or validation (Last-Modified, ETag) information."
 
   s.authors = ["Ryan Tomayko"]
   s.email = "r@tomayko.com"
@@ -17,7 +17,6 @@ Gem::Specification.new do |s|
     CHANGES
     COPYING
     Gemfile
-    Gemfile.lock
     README
     Rakefile
     TODO

data/test/context_test.rb

@@ -57,6 +57,7 @@ describe 'Rack::Cache::Context' do
     response.should.be.ok
     cache.trace.should.include :miss
     cache.trace.should.include :store
+    cache.trace.should.not.include :ignore
     response.headers.should.include 'Age'
     response.headers['Cache-Control'].should.equal 'public'
   end
@@ -85,6 +86,40 @@ describe 'Rack::Cache::Context' do
     response.headers['Cache-Control'].should.equal 'private'
   end
 
+  it 'does remove Set-Cookie response header from a cacheable response' do
+    respond_with 200, 'Cache-Control' => 'public', 'ETag' => '"FOO"', 'Set-Cookie' => 'TestCookie=OK'
+    get '/'
+
+    app.should.be.called
+    response.should.be.ok
+    cache.trace.should.include :store
+    cache.trace.should.include :ignore
+    response.headers['Set-Cookie'].should.be.nil
+  end
+
+  it 'does remove all configured ignore_headers from a cacheable response' do
+    respond_with 200, 'Cache-Control' => 'public', 'ETag' => '"FOO"', 'SET-COOKIE' => 'TestCookie=OK', 'X-Strip-Me' => 'Secret'
+    get '/', 'rack-cache.ignore_headers' => ['set-cookie', 'x-strip-me']
+
+    app.should.be.called
+    response.should.be.ok
+    cache.trace.should.include :store
+    cache.trace.should.include :ignore
+    response.headers['Set-Cookie'].should.be.nil
+    response.headers['x-strip-me'].should.be.nil
+  end
+
+  it 'does not remove Set-Cookie response header from a private response' do
+    respond_with 200, 'Cache-Control' => 'private', 'Set-Cookie' => 'TestCookie=OK'
+    get '/'
+
+    app.should.be.called
+    response.should.be.ok
+    cache.trace.should.not.include :store
+    cache.trace.should.not.include :ignore
+    response.headers['Set-Cookie'].should.equal 'TestCookie=OK'
+  end
+
   it 'responds with 304 when If-Modified-Since matches Last-Modified' do
     timestamp = Time.now.httpdate
     respond_with do |req,res|

metadata

@@ -1,94 +1,75 @@
---- !ruby/object:Gem::Specification 
+--- !ruby/object:Gem::Specification
 name: rack-cache
-version: !ruby/object:Gem::Version 
-  hash: 13
+version: !ruby/object:Gem::Version
+  version: '1.2'
   prerelease: 
-  segments: 
-  - 1
-  - 1
-  version: "1.1"
 platform: ruby
-authors: 
+authors:
 - Ryan Tomayko
 autorequire: 
 bindir: bin
 cert_chain: []
-
-date: 2011-09-18 00:00:00 Z
-dependencies: 
-- !ruby/object:Gem::Dependency 
+date: 2012-03-05 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
   name: rack
-  prerelease: false
-  requirement: &id001 !ruby/object:Gem::Requirement 
+  requirement: &70248834703480 !ruby/object:Gem::Requirement
     none: false
-    requirements: 
-    - - ">="
-      - !ruby/object:Gem::Version 
-        hash: 3
-        segments: 
-        - 0
-        - 4
-        version: "0.4"
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0.4'
   type: :runtime
-  version_requirements: *id001
-- !ruby/object:Gem::Dependency 
-  name: bacon
   prerelease: false
-  requirement: &id002 !ruby/object:Gem::Requirement 
+  version_requirements: *70248834703480
+- !ruby/object:Gem::Dependency
+  name: bacon
+  requirement: &70248834703100 !ruby/object:Gem::Requirement
     none: false
-    requirements: 
-    - - ">="
-      - !ruby/object:Gem::Version 
-        hash: 3
-        segments: 
-        - 0
-        version: "0"
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
   type: :development
-  version_requirements: *id002
-- !ruby/object:Gem::Dependency 
-  name: memcached
   prerelease: false
-  requirement: &id003 !ruby/object:Gem::Requirement 
+  version_requirements: *70248834703100
+- !ruby/object:Gem::Dependency
+  name: memcached
+  requirement: &70248834702640 !ruby/object:Gem::Requirement
     none: false
-    requirements: 
-    - - ">="
-      - !ruby/object:Gem::Version 
-        hash: 3
-        segments: 
-        - 0
-        version: "0"
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
   type: :development
-  version_requirements: *id003
-- !ruby/object:Gem::Dependency 
-  name: dalli
   prerelease: false
-  requirement: &id004 !ruby/object:Gem::Requirement 
+  version_requirements: *70248834702640
+- !ruby/object:Gem::Dependency
+  name: dalli
+  requirement: &70248834702220 !ruby/object:Gem::Requirement
     none: false
-    requirements: 
-    - - ">="
-      - !ruby/object:Gem::Version 
-        hash: 3
-        segments: 
-        - 0
-        version: "0"
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
   type: :development
-  version_requirements: *id004
-description: HTTP Caching for Rack
+  prerelease: false
+  version_requirements: *70248834702220
+description: Rack::Cache is suitable as a quick drop-in component to enable HTTP caching
+  for Rack-based applications that produce freshness (Expires, Cache-Control) and/or
+  validation (Last-Modified, ETag) information.
 email: r@tomayko.com
 executables: []
-
 extensions: []
-
-extra_rdoc_files: 
+extra_rdoc_files:
 - README
 - COPYING
 - TODO
 - CHANGES
-files: 
+files:
 - CHANGES
 - COPYING
 - Gemfile
-- Gemfile.lock
 - README
 - Rakefile
 - TODO
@@ -129,43 +110,35 @@ files:
 - test/storage_test.rb
 homepage: http://tomayko.com/src/rack-cache/
 licenses: []
-
 post_install_message: 
-rdoc_options: 
+rdoc_options:
 - --line-numbers
 - --inline-source
 - --title
 - Rack::Cache
 - --main
 - Rack::Cache
-require_paths: 
+require_paths:
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement 
+required_ruby_version: !ruby/object:Gem::Requirement
   none: false
-  requirements: 
-  - - ">="
-    - !ruby/object:Gem::Version 
-      hash: 3
-      segments: 
-      - 0
-      version: "0"
-required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
-  requirements: 
-  - - ">="
-    - !ruby/object:Gem::Version 
-      hash: 3
-      segments: 
-      - 0
-      version: "0"
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
 requirements: []
-
 rubyforge_project: 
-rubygems_version: 1.8.6
+rubygems_version: 1.8.11
 signing_key: 
 specification_version: 2
 summary: HTTP Caching for Rack
-test_files: 
+test_files:
 - test/cache_test.rb
 - test/cachecontrol_test.rb
 - test/context_test.rb

data/Gemfile.lock

@@ -1,22 +0,0 @@
-PATH
-  remote: .
-  specs:
-    rack-cache (1.0.3)
-      rack (>= 0.4)
-
-GEM
-  remote: http://rubygems.org/
-  specs:
-    bacon (1.1.0)
-    dalli (1.0.5)
-    memcached (1.3)
-    rack (1.3.2)
-
-PLATFORMS
-  ruby
-
-DEPENDENCIES
-  bacon
-  dalli
-  memcached
-  rack-cache!