rack 1.1.5 → 1.1.6

data/README CHANGED
@@ -479,6 +479,23 @@ run on port 11211) and memcache-client installed.
479
479
  * [SEC] Rack::Auth::AbstractRequest no longer symbolizes arbitrary strings
480
480
  * Fixed erroneous test case in the 1.3.x series
481
481
 
482
+ * February 7th, Thirty fifth public release 1.1.6, 1.2.8, 1.3.10
483
+ * Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
484
+
485
+ * February 7th, Thirty fifth public release 1.4.5
486
+ * Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
487
+ * Fix CVE-2013-0262, symlink path traversal in Rack::File
488
+
489
+ * February 7th, Thirty fifth public release 1.5.2
490
+ * Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
491
+ * Fix CVE-2013-0262, symlink path traversal in Rack::File
492
+ * Add various methods to Session for enhanced Rails compatibility
493
+ * Request#trusted_proxy? now only matches whole stirngs
494
+ * Add JSON cookie coder, to be default in Rack 1.6+ due to security concerns
495
+ * URLMap host matching in environments that don't set the Host header fixed
496
+ * Fix a race condition that could result in overwritten pidfiles
497
+ * Various documentation additions
498
+
482
499
  == Contact
483
500
 
484
501
  Please post bugs, suggestions and patches to
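Review bot: typo in the 1.5.2 entry (new line 493), "Request#trusted_proxy? now only matches whole stirngs" should read "whole strings". Also, the 1.1.6 entry (new line 483) lists only CVE-2013-0263, while the 1.4.5 and 1.5.2 entries also list CVE-2013-0262 (symlink path traversal in Rack::File); since this README ships with 1.1.6, one line saying whether Rack::File in the 1.1.x series is unaffected or the fix is still pending would stop readers from assuming the CVE was overlooked.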
@@ -20,7 +20,7 @@ module Rack
20
20
 
21
21
  # Return the Rack release as a dotted string.
22
22
  def self.release
23
- "1.1.5"
23
+ "1.1.6"
24
24
  end
25
25
 
26
26
  autoload :Builder, "rack/builder"
@@ -55,7 +55,7 @@ module Rack
55
55
 
56
56
  if @secret && session_data
57
57
  session_data, digest = session_data.split("--")
58
- session_data = nil unless digest == generate_hmac(session_data)
58
+ session_data = nil unless Utils.secure_compare(digest, generate_hmac(session_data))
59
59
  end
60
60
 
61
61
  begin
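Review bot: nil is not handled on the new line 58. If the cookie value has no "--" separator, `split` leaves `digest` nil, and `Utils.secure_compare(nil, ...)` raises NoMethodError from `bytesize(nil)`, where the old `digest == generate_hmac(session_data)` simply evaluated to false; a malformed or pre-1.1.6 cookie therefore produces a 500 instead of being discarded. Suggest `session_data = nil unless session_data && digest && Utils.secure_compare(digest, generate_hmac(session_data))`, which also covers the case where the value is exactly "--" and `split` returns an empty array, leaving `session_data` nil before `generate_hmac` is called.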
@@ -285,6 +285,18 @@ module Rack
285
285
  end
286
286
  module_function :bytesize
287
287
 
288
+ # Constant time string comparison.
289
+ def secure_compare(a, b)
290
+ return false unless bytesize(a) == bytesize(b)
291
+
292
+ l = a.unpack("C*")
293
+
294
+ r, i = 0, -1
295
+ b.each_byte { |v| r |= v ^ l[i+=1] }
296
+ r == 0
297
+ end
298
+ module_function :secure_compare
299
+
288
300
  # Context allows the use of a compatible middleware at different points
289
301
  # in a request handling stack. A compatible middleware must define
290
302
  # #context which should take the arguments env and app. The first of which
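Review bot: the early `return false` on a length mismatch (new line 290) means the comparison is constant-time only for equal-length inputs and reveals whether the lengths differ. That is acceptable for the fixed-length HMAC digests this is introduced to compare, but the comment on the new line 288 should state the limitation so the method is not reused for variable-length secrets. Both arguments must also be Strings, since `bytesize(nil)` raises NoMethodError; either document that or add `return false unless a && b` ahead of the length check.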
@@ -3,7 +3,7 @@ require 'rack' # For Rack.release
3
3
 
4
4
  Gem::Specification.new do |s|
5
5
  s.name = "rack"
6
- s.version = "1.1.5"
6
+ s.version = "1.1.6"
7
7
  s.platform = Gem::Platform::RUBY
8
8
  s.summary = "a modular Ruby webserver interface"
9
9
 
@@ -205,6 +205,11 @@ context "Rack::Utils" do
205
205
  Rack::Utils.bytesize("FOO\xE2\x82\xAC").should.equal 6
206
206
  end
207
207
 
208
+ specify "should perform constant time string comparison" do
209
+ Rack::Utils.secure_compare('a', 'a').should.equal true
210
+ Rack::Utils.secure_compare('a', 'b').should.equal false
211
+ end
212
+
208
213
  specify "should return status code for integer" do
209
214
  Rack::Utils.status_code(200).should.equal 200
210
215
  end
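Review bot: the new spec at lines 208-211 exercises only single-byte inputs of equal length, so it cannot catch a regression in the length check or in the byte loop. Add at least a length-mismatch case (`Rack::Utils.secure_compare('a', 'ab').should.equal false`), a shared-prefix case such as 'abc' against 'abd', and an equal pair of multibyte strings so the bytesize path is covered; a timing assertion is not practical in this suite, but those cases pin down the logic.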
metadata CHANGED
@@ -1,13 +1,13 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rack
3
3
  version: !ruby/object:Gem::Version
4
- hash: 25
4
+ hash: 31
5
5
  prerelease:
6
6
  segments:
7
7
  - 1
8
8
  - 1
9
- - 5
10
- version: 1.1.5
9
+ - 6
10
+ version: 1.1.6
11
11
  platform: ruby
12
12
  authors:
13
13
  - Christian Neukirchen
@@ -15,7 +15,7 @@ autorequire:
15
15
  bindir: bin
16
16
  cert_chain: []
17
17
 
18
- date: 2013-01-13 00:00:00 Z
18
+ date: 2013-02-08 00:00:00 Z
19
19
  dependencies:
20
20
  - !ruby/object:Gem::Dependency
21
21
  name: test-spec
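Review bot: the gem date on the new line 18 is 2013-02-08, while the README entry for this release says February 7th; harmless, but the two dates for the same release should agree.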