rack 1.3.9 → 1.3.10
- data/README.rdoc +17 -0
- data/lib/rack/session/cookie.rb +1 -1
- data/lib/rack/utils.rb +12 -0
- data/rack.gemspec +1 -1
- data/test/spec_utils.rb +5 -0
- metadata +5 -5
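--- a/data/README.rdoc
+++ b/data/README.rdoc
@@ -483,6 +483,23 @@ run on port 11211) and memcache-client installed.
 * [SEC] Rack::Auth::AbstractRequest no longer symbolizes arbitrary strings
 * Fixed erroneous test case in the 1.3.x series
 
+* February 7th, Thirty fifth public release 1.1.6, 1.2.8, 1.3.10
+* Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
+
+* February 7th, Thirty fifth public release 1.4.5
+* Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
+* Fix CVE-2013-0262, symlink path traversal in Rack::File
+
+* February 7th, Thirty fifth public release 1.5.2
+* Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
+* Fix CVE-2013-0262, symlink path traversal in Rack::File
+* Add various methods to Session for enhanced Rails compatibility
+* Request#trusted_proxy? now only matches whole stirngs
+* Add JSON cookie coder, to be default in Rack 1.6+ due to security concerns
+* URLMap host matching in environments that don't set the Host header fixed
+* Fix a race condition that could result in overwritten pidfiles
+* Various documentation additions
+
 == Contact
 
 Please post bugs, suggestions and patches to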
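--- a/data/lib/rack/session/cookie.rb
+++ b/data/lib/rack/session/cookie.rb
@@ -112,7 +112,7 @@ module Rack
 
 if @secret && session_data
 session_data, digest = session_data.split("--")
-session_data = nil unless digest
+session_data = nil unless Rack::Utils.secure_compare(digest, generate_hmac(session_data))
 end
 
 coder.decode(session_data) || {}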
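Review bot: The replaced line at 115 drops the nil guard the old line provided: `session_data.split("--")` yields a nil `digest` when the cookie carries no separator, and that nil now goes straight into `Rack::Utils.secure_compare`, whose first statement (in the utils.rb hunk) is `bytesize(a) == bytesize(b)`, so a missing or malformed digest would most likely raise NoMethodError instead of yielding an empty session. Keep both checks: `session_data = nil unless digest && Rack::Utils.secure_compare(digest, generate_hmac(session_data))`. The constant-time comparison is the right remedy for the timing issue; the early length check inside it is acceptable here because the expected digest length is not a secret. The enclosing method starts and ends outside the hunk.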
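--- a/data/lib/rack/utils.rb
+++ b/data/lib/rack/utils.rb
@@ -346,6 +346,18 @@ module Rack
 end
 module_function :byte_ranges
 
+# Constant time string comparison.
+def secure_compare(a, b)
+return false unless bytesize(a) == bytesize(b)
+
+l = a.unpack("C*")
+
+r, i = 0, -1
+b.each_byte { |v| r |= v ^ l[i+=1] }
+r == 0
+end
+module_function :secure_compare
+
 # Context allows the use of a compatible middleware at different points
 # in a request handling stack. A compatible middleware must define
 # #context which should take the arguments env and app. The first of which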
data/rack.gemspec
CHANGED
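--- a/data/test/spec_utils.rb
+++ b/data/test/spec_utils.rb
@@ -301,6 +301,11 @@ describe Rack::Utils do
 Rack::Utils.bytesize("FOO\xE2\x82\xAC").should.equal 6
 end
 
+should "should perform constant time string comparison" do
+Rack::Utils.secure_compare('a', 'a').should.equal true
+Rack::Utils.secure_compare('a', 'b').should.equal false
+end
+
 should "return status code for integer" do
 Rack::Utils.status_code(200).should.equal 200
 end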
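Review bot: The new spec at lines 304-307 only exercises single-byte inputs of equal length, so the length guard that opens `secure_compare` in the utils.rb hunk and the empty-string case are untested. Add `Rack::Utils.secure_compare('a', 'ab').should.equal false` and `Rack::Utils.secure_compare('', '').should.equal true`, and ideally a multi-byte pair differing only in the last byte. The description `should "should perform constant time string comparison"` double-prefixes "should" once Bacon prints it and claims a timing property these assertions cannot observe; `should "compare equal and differing strings" do` says what is actually checked. The enclosing `describe Rack::Utils do` block starts and ends outside the hunk.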
metadata
CHANGED
@@ -1,13 +1,13 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: rack
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
hash:
|
4
|
+
hash: 15
|
5
5
|
prerelease:
|
6
6
|
segments:
|
7
7
|
- 1
|
8
8
|
- 3
|
9
|
-
-
|
10
|
-
version: 1.3.
|
9
|
+
- 10
|
10
|
+
version: 1.3.10
|
11
11
|
platform: ruby
|
12
12
|
authors:
|
13
13
|
- Christian Neukirchen
|
@@ -15,7 +15,7 @@ autorequire:
|
|
15
15
|
bindir: bin
|
16
16
|
cert_chain: []
|
17
17
|
|
18
|
-
date: 2013-
|
18
|
+
date: 2013-02-08 00:00:00 Z
|
19
19
|
dependencies:
|
20
20
|
- !ruby/object:Gem::Dependency
|
21
21
|
name: bacon
|
@@ -81,7 +81,7 @@ dependencies:
|
|
81
81
|
requirements:
|
82
82
|
- - ">="
|
83
83
|
- !ruby/object:Gem::Version
|
84
|
-
hash: -
|
84
|
+
hash: -747770836
|
85
85
|
segments:
|
86
86
|
- 1
|
87
87
|
- 2
|