rack-protection 1.5.3 → 1.5.5

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
- SHA1:
3
- metadata.gz: 738b46a37db596fd6ab75ccccfcf98b8530684d5
4
- data.tar.gz: ba76d3a2e8e5f5ec8493acf43980325a5a2bfb55
2
+ SHA256:
3
+ metadata.gz: 2b7d78da301d9f7fc81ae73e46a389c2b8ce10ab8121f169fd760018ac506d47
4
+ data.tar.gz: a91bd28f8624f325d6714262ac11d83e0a347405f14e600780cb1bfd846e5b34
5
5
  SHA512:
6
- metadata.gz: 3c88e6d4d2bcb83aa35327db0bf8d1ef7e0057579573e305958a99cdb642bffab66009e73404322be636bc3860c0acbd58fc6c15a6dda8d55948713ef28fbae4
7
- data.tar.gz: 651bf843d47d99accab655195673ae835d266602845edb8fadd913c7bff8677636c0b2db825ea0e087309b6d62f89035d503eccf6e698c2d11c625150eccb111
6
+ metadata.gz: 0c5de92c0283313c00d50c1f9a219c808ad587caabff81c4d1530abd8f0e7d9c0f3753ad9bab7c06a29ce97b2a717fddc04ced642adff058f3431419286e4da6
7
+ data.tar.gz: d3bf5830bf30475871b73ba54ee38f962bd93c2e1f420b59b649d6dcb7f97d89f091d3add3f692ba847ffe5f5c6cade665d522c86220087d977fb3706e41bd58
@@ -23,8 +23,8 @@ module Rack
23
23
  session = session env
24
24
  token = session[:csrf] ||= session['_csrf_token'] || random_string
25
25
  safe?(env) ||
26
- env['HTTP_X_CSRF_TOKEN'] == token ||
27
- Request.new(env).params[options[:authenticity_param]] == token
26
+ secure_compare(env['HTTP_X_CSRF_TOKEN'].to_s, token) ||
27
+ secure_compare(Request.new(env).params[options[:authenticity_param]].to_s, token)
28
28
  end
29
29
  end
30
30
  end
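Review bot: Only the request-supplied values are coerced with `.to_s` on the new lines 26–27; `token`, read from the session on line 24, reaches `secure_compare` as is, so a session backend that hands back anything other than a String would raise NoMethodError from `bytesize` instead of denying the request (nil is presumably ruled out by the `random_string` fallback, but I cannot see that helper here). Consider `token = (session[:csrf] ||= session['_csrf_token'] || random_string).to_s`, or coerce both arguments inside `secure_compare`. The replaced `==` also deserves a one-line comment so the next maintainer does not "simplify" it back, e.g. `# Compare in constant time so response timing does not reveal how much of the token matched`. The enclosing method starts outside the hunk.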
@@ -110,6 +110,30 @@ module Rack
110
110
  options[:encryptor].hexdigest value.to_s
111
111
  end
112
112
 
113
+ # The implementations of secure_compare and bytesize are taken from
114
+ # Rack::Utils to be able to support rack older than XXXX.
115
+ def secure_compare(a, b)
116
+ return false unless bytesize(a) == bytesize(b)
117
+
118
+ l = a.unpack("C*")
119
+
120
+ r, i = 0, -1
121
+ b.each_byte { |v| r |= v ^ l[i+=1] }
122
+ r == 0
123
+ end
124
+
125
+ # Return the bytesize of String; uses String#size under Ruby 1.8 and
126
+ # String#bytesize under 1.9.
127
+ if ''.respond_to?(:bytesize)
128
+ def bytesize(string)
129
+ string.bytesize
130
+ end
131
+ else
132
+ def bytesize(string)
133
+ string.size
134
+ end
135
+ end
136
+
113
137
  alias default_reaction deny
114
138
 
115
139
  def html?(headers)
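Review bot: The header comment on the copied helpers still carries a placeholder, `# Rack::Utils to be able to support rack older than XXXX.`; it should name the Rack release that introduced `Rack::Utils.secure_compare` (e.g. `# ... to support rack older than <RACK_VERSION_WITH_SECURE_COMPARE>`) so a later maintainer knows when the local copy can be dropped. The helper keeps the constant-time property only because the early `return false` fires solely on a length mismatch while the `each_byte` loop always touches every byte; that is worth a comment above `return false unless bytesize(a) == bytesize(b)`, e.g. `# Bailing out early reveals only the length; the loop below never short-circuits on content.` `secure_compare` and `bytesize` are defined at the same level as `html?` and inherit whatever visibility applies there, so if that section is public they become part of every middleware instance's interface. The class enclosing this hunk starts outside it.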
@@ -24,14 +24,17 @@ module Rack
24
24
  encoding = path.encoding
25
25
  dot = '.'.encode(encoding)
26
26
  slash = '/'.encode(encoding)
27
+ backslash = '\\'.encode(encoding)
27
28
  else
28
29
  # Ruby 1.8
29
30
  dot = '.'
30
31
  slash = '/'
32
+ backslash = '\\'
31
33
  end
32
34
 
33
35
  parts = []
34
- unescaped = path.gsub(/%2e/i, dot).gsub(/%2f/i, slash)
36
+ unescaped = path.gsub(/%2e/i, dot).gsub(/%2f/i, slash).gsub(/%5c/i, backslash)
37
+ unescaped = unescaped.gsub(backslash, slash)
35
38
 
36
39
  unescaped.split(slash).each do |part|
37
40
  next if part.empty? or part == dot
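Review bot: The two new `unescaped` lines (new 36–37) fold every backslash, encoded or literal, into the directory separator without saying why, and the second `gsub` is easy to mistake for a bug. Suggest a comment above line 36 such as `# Treat "\" (and its %5c encoding) as a path separator so ".." segments written with backslashes are normalized like "../" ones`. The ordering is correct and also worth noting: `%5c` is decoded before backslashes are converted, so an encoded backslash is handled exactly like a literal one, and `%2e` is decoded first so the `part == dot` check on line 40 sees the decoded form. The enclosing method starts outside the hunk.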
@@ -4,7 +4,7 @@ module Rack
4
4
  VERSION
5
5
  end
6
6
 
7
- SIGNATURE = [1, 5, 3]
7
+ SIGNATURE = [1, 5, 5]
8
8
  VERSION = SIGNATURE.join('.')
9
9
 
10
10
  VERSION.extend Comparable
@@ -2,7 +2,7 @@
2
2
  Gem::Specification.new do |s|
3
3
  # general infos
4
4
  s.name = "rack-protection"
5
- s.version = "1.5.3"
5
+ s.version = "1.5.5"
6
6
  s.description = "You should use protection!"
7
7
  s.homepage = "http://github.com/rkh/rack-protection"
8
8
  s.summary = s.description
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rack-protection
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.5.3
4
+ version: 1.5.5
5
5
  platform: ruby
6
6
  authors:
7
7
  - Konstantin Haase
@@ -35,7 +35,7 @@ authors:
35
35
  autorequire:
36
36
  bindir: bin
37
37
  cert_chain: []
38
- date: 2014-04-08 00:00:00.000000000 Z
38
+ date: 2018-03-07 00:00:00.000000000 Z
39
39
  dependencies:
40
40
  - !ruby/object:Gem::Dependency
41
41
  name: rack
@@ -168,9 +168,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
168
168
  version: '0'
169
169
  requirements: []
170
170
  rubyforge_project:
171
- rubygems_version: 2.0.14
171
+ rubygems_version: 2.7.3
172
172
  signing_key:
173
173
  specification_version: 4
174
174
  summary: You should use protection!
175
175
  test_files: []
176
- has_rdoc: