RubyGems - rack - Versions diffs - 1.4.2 → 1.4.5 - Mend

rack 1.4.2 → 1.4.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

data/README.rdoc +33 -0
data/lib/rack/auth/abstract/request.rb +5 -1
data/lib/rack/file.rb +6 -11
data/lib/rack/multipart/parser.rb +10 -3
data/lib/rack/session/cookie.rb +1 -1
data/lib/rack/utils.rb +12 -1
data/lib/rack.rb +12 -0
data/rack.gemspec +1 -1
data/test/spec_auth.rb +57 -0
data/test/spec_lock.rb +1 -1
data/test/spec_multipart.rb +53 -0
data/test/spec_sendfile.rb +6 -5
data/test/spec_utils.rb +5 -0
metadata +7 -5

data/README.rdoc CHANGED Viewed

@@ -473,11 +473,44 @@ run on port 11211) and memcache-client installed.
   * Rack::BodyProxy now explicitly defines #each, useful for C extensions
   * Cookies that are not URI escaped no longer cause exceptions
+* January 7th, 2013: Thirtieth public release 1.3.8
+  * Security: Prevent unbounded reads in large multipart boundaries
+* January 7th, 2013: Thirty first public release 1.4.3
+  * Security: Prevent unbounded reads in large multipart boundaries
+* January 13th, 2013: Thirty second public release 1.4.4, 1.3.9, 1.2.7, 1.1.5
+  * [SEC] Rack::Auth::AbstractRequest no longer symbolizes arbitrary strings
+  * Fixed erroneous test case in the 1.3.x series
+* February 7th, Thirty fifth public release 1.1.6, 1.2.8, 1.3.10
+  * Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
+* February 7th, Thirty fifth public release 1.4.5
+  * Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
+  * Fix CVE-2013-0262, symlink path traversal in Rack::File
+* February 7th, Thirty fifth public release 1.5.2
+  * Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
+  * Fix CVE-2013-0262, symlink path traversal in Rack::File
+  * Add various methods to Session for enhanced Rails compatibility
+  * Request#trusted_proxy? now only matches whole stirngs
+  * Add JSON cookie coder, to be default in Rack 1.6+ due to security concerns
+  * URLMap host matching in environments that don't set the Host header fixed
+  * Fix a race condition that could result in overwritten pidfiles
+  * Various documentation additions
 == Contact
 Please post bugs, suggestions and patches to
 the bug tracker at <http://github.com/rack/rack/issues>.
+Please post security related bugs and suggestions to the core team at
+<https://groups.google.com/group/rack-core> or rack-core@googlegroups.com. Due
+to wide usage of the library, it is strongly preferred that we manage timing in
+order to provide viable patches at the time of disclosure. Your assistance in
+this matter is greatly appreciated.
 Mailing list archives are available at
 <http://groups.google.com/group/rack-devel>.

data/lib/rack/auth/abstract/request.rb CHANGED Viewed

@@ -21,7 +21,11 @@ module Rack
       end
       def scheme
-        @scheme ||= parts.first.downcase.to_sym
+        @scheme ||=
+          begin
+            s = parts.first.downcase
+            Rack::Auth.schemes.include?(s) ? s.to_sym : s
+          end
       end
       def params

data/lib/rack/file.rb CHANGED Viewed

@@ -47,19 +47,14 @@ module Rack
       @path_info = Utils.unescape(env["PATH_INFO"])
       parts = @path_info.split SEPS
-      parts.inject(0) do |depth, part|
-        case part
-        when '', '.'
-          depth
-        when '..'
-          return fail(404, "Not Found") if depth - 1 < 0
-          depth - 1
-        else
-          depth + 1
-        end
+      clean = []
+      parts.each do |part|
+        next if part.empty? || part == '.'
+        part == '..' ? clean.pop : clean << part
       end
-      @path = F.join(@root, *parts)
+      @path = F.join(@root, *clean)
       available = begin
         F.file?(@path) && F.readable?(@path)

data/lib/rack/multipart/parser.rb CHANGED Viewed

@@ -70,9 +70,16 @@ module Rack
       def fast_forward_to_first_boundary
         loop do
-          read_buffer = @io.gets
-          break if read_buffer == full_boundary
-          raise EOFError, "bad content body" if read_buffer.nil?
+          content = @io.read(BUFSIZE)
+          raise EOFError, "bad content body" unless content
+          @buf << content
+          while @buf.gsub!(/\A([^\n]*\n)/, '')
+            read_buffer = $1
+            return if read_buffer == full_boundary
+          end
+          raise EOFError, "bad content body" if Utils.bytesize(@buf) >= BUFSIZE
         end
       end

data/lib/rack/session/cookie.rb CHANGED Viewed

@@ -117,7 +117,7 @@ module Rack
             if session_data && digest
               ok = @secrets.any? do |secret|
-                secret && digest == generate_hmac(session_data, secret)
+                secret && Rack::Utils.secure_compare(digest, generate_hmac(session_data, secret))
               end
             end

data/lib/rack/utils.rb CHANGED Viewed

@@ -5,7 +5,6 @@ require 'tempfile'
 require 'rack/multipart'
 major, minor, patch = RUBY_VERSION.split('.').map { |v| v.to_i }
-ruby_engine = defined?(RUBY_ENGINE) ? RUBY_ENGINE : 'ruby'
 if major == 1 && minor < 9
   require 'rack/backports/uri/common_18'
@@ -343,6 +342,18 @@ module Rack
     end
     module_function :byte_ranges
+    # Constant time string comparison.
+    def secure_compare(a, b)
+      return false unless bytesize(a) == bytesize(b)
+      l = a.unpack("C*")
+      r, i = 0, -1
+      b.each_byte { |v| r |= v ^ l[i+=1] }
+      r == 0
+    end
+    module_function :secure_compare
     # Context allows the use of a compatible middleware at different points
     # in a request handling stack. A compatible middleware must define
     # #context which should take the arguments env and app. The first of which

data/lib/rack.rb CHANGED Viewed

@@ -73,6 +73,18 @@ module Rack
       autoload :Params, "rack/auth/digest/params"
       autoload :Request, "rack/auth/digest/request"
     end
+    # Not all of the following schemes are "standards", but they are used often.
+    @schemes = %w[basic digest bearer mac token oauth oauth2]
+    def self.add_scheme scheme
+      @schemes << scheme
+      @schemes.uniq!
+    end
+    def self.schemes
+      @schemes.dup
+    end
   end
   module Session

data/rack.gemspec CHANGED Viewed

@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name            = "rack"
-  s.version         = "1.4.2"
+  s.version         = "1.4.5"
   s.platform        = Gem::Platform::RUBY
   s.summary         = "a modular Ruby webserver interface"

data/test/spec_auth.rb ADDED Viewed

@@ -0,0 +1,57 @@
+require 'rack'
+describe Rack::Auth do
+  it "should have all common authentication schemes" do
+    Rack::Auth.schemes.should.include? 'basic'
+    Rack::Auth.schemes.should.include? 'digest'
+    Rack::Auth.schemes.should.include? 'bearer'
+    Rack::Auth.schemes.should.include? 'token'
+  end
+  it "should allow registration of new auth schemes" do
+    Rack::Auth.schemes.should.not.include "test"
+    Rack::Auth.add_scheme "test"
+    Rack::Auth.schemes.should.include "test"
+  end
+end
+describe Rack::Auth::AbstractRequest do
+  it "should symbolize known auth schemes" do
+    env = Rack::MockRequest.env_for('/')
+    env['HTTP_AUTHORIZATION'] = 'Basic aXJyZXNwb25zaWJsZQ=='
+    req = Rack::Auth::AbstractRequest.new(env)
+    req.scheme.should.equal :basic
+    env['HTTP_AUTHORIZATION'] = 'Digest aXJyZXNwb25zaWJsZQ=='
+    req = Rack::Auth::AbstractRequest.new(env)
+    req.scheme.should.equal :digest
+    env['HTTP_AUTHORIZATION'] = 'Bearer aXJyZXNwb25zaWJsZQ=='
+    req = Rack::Auth::AbstractRequest.new(env)
+    req.scheme.should.equal :bearer
+    env['HTTP_AUTHORIZATION'] = 'MAC aXJyZXNwb25zaWJsZQ=='
+    req = Rack::Auth::AbstractRequest.new(env)
+    req.scheme.should.equal :mac
+    env['HTTP_AUTHORIZATION'] = 'Token aXJyZXNwb25zaWJsZQ=='
+    req = Rack::Auth::AbstractRequest.new(env)
+    req.scheme.should.equal :token
+    env['HTTP_AUTHORIZATION'] = 'OAuth aXJyZXNwb25zaWJsZQ=='
+    req = Rack::Auth::AbstractRequest.new(env)
+    req.scheme.should.equal :oauth
+    env['HTTP_AUTHORIZATION'] = 'OAuth2 aXJyZXNwb25zaWJsZQ=='
+    req = Rack::Auth::AbstractRequest.new(env)
+    req.scheme.should.equal :oauth2
+  end
+  it "should not symbolize unknown auth schemes" do
+    env = Rack::MockRequest.env_for('/')
+    env['HTTP_AUTHORIZATION'] = 'magic aXJyZXNwb25zaWJsZQ=='
+    req = Rack::Auth::AbstractRequest.new(env)
+    req.scheme.should == "magic"
+  end
+end

data/test/spec_lock.rb CHANGED Viewed

@@ -142,7 +142,7 @@ describe Rack::Lock do
   should "unlock if the app throws" do
     lock = Lock.new
     env = Rack::MockRequest.env_for("/")
-    app = lock_app(lambda {|env| throw :bacon }, lock)
+    app = lock_app(lambda {|_| throw :bacon }, lock)
     lambda { app.call(env) }.should.throw(:bacon)
     lock.synchronized.should.equal false
   end

data/test/spec_multipart.rb CHANGED Viewed

@@ -48,6 +48,59 @@ describe Rack::Multipart do
     params['profile']['bio'].should.include 'hello'
   end
+  should "reject insanely long boundaries" do
+    # using a pipe since a tempfile can use up too much space
+    rd, wr = IO.pipe
+    # we only call rewind once at start, so make sure it succeeds
+    # and doesn't hit ESPIPE
+    def rd.rewind; end
+    wr.sync = true
+    # mock out length to make this pipe look like a Tempfile
+    def rd.length
+      1024 * 1024 * 8
+    end
+    # write to a pipe in a background thread, this will write a lot
+    # unless Rack (properly) shuts down the read end
+    thr = Thread.new do
+      begin
+        wr.write("--AaB03x")
+        # make the initial boundary a few gigs long
+        longer = "0123456789" * 1024 * 1024
+        (1024 * 1024).times { wr.write(longer) }
+        wr.write("\r\n")
+        wr.write('Content-Disposition: form-data; name="a"; filename="a.txt"')
+        wr.write("\r\n")
+        wr.write("Content-Type: text/plain\r\n")
+        wr.write("\r\na")
+        wr.write("--AaB03x--\r\n")
+        wr.close
+      rescue => err # this is EPIPE if Rack shuts us down
+        err
+      end
+    end
+    fixture = {
+      "CONTENT_TYPE" => "multipart/form-data; boundary=AaB03x",
+      "CONTENT_LENGTH" => rd.length.to_s,
+      :input => rd,
+    }
+    env = Rack::MockRequest.env_for '/', fixture
+    lambda {
+      Rack::Multipart.parse_multipart(env)
+    }.should.raise(EOFError)
+    rd.close
+    err = thr.value
+    err.should.be.instance_of Errno::EPIPE
+    wr.close
+  end
   should "parse multipart upload with text file" do
     env = Rack::MockRequest.env_for("/", multipart_fixture(:text))
     params = Rack::Multipart.parse_multipart(env)

data/test/spec_sendfile.rb CHANGED Viewed

@@ -2,6 +2,7 @@ require 'fileutils'
 require 'rack/lint'
 require 'rack/sendfile'
 require 'rack/mock'
+require 'tmpdir'
 describe Rack::File do
   should "respond to #to_path" do
@@ -11,9 +12,9 @@ end
 describe Rack::Sendfile do
   def sendfile_body
-    FileUtils.touch "/tmp/rack_sendfile"
+    FileUtils.touch File.join(Dir.tmpdir,  "rack_sendfile")
     res = ['Hello World']
-    def res.to_path ; "/tmp/rack_sendfile" ; end
+    def res.to_path ; File.join(Dir.tmpdir,  "rack_sendfile") ; end
     res
   end
@@ -44,7 +45,7 @@ describe Rack::Sendfile do
       response.should.be.ok
       response.body.should.be.empty
       response.headers['Content-Length'].should.equal '0'
-      response.headers['X-Sendfile'].should.equal '/tmp/rack_sendfile'
+      response.headers['X-Sendfile'].should.equal File.join(Dir.tmpdir,  "rack_sendfile")
     end
   end
@@ -53,14 +54,14 @@ describe Rack::Sendfile do
       response.should.be.ok
       response.body.should.be.empty
       response.headers['Content-Length'].should.equal '0'
-      response.headers['X-Lighttpd-Send-File'].should.equal '/tmp/rack_sendfile'
+      response.headers['X-Lighttpd-Send-File'].should.equal File.join(Dir.tmpdir,  "rack_sendfile")
     end
   end
   it "sets X-Accel-Redirect response header and discards body" do
     headers = {
       'HTTP_X_SENDFILE_TYPE' => 'X-Accel-Redirect',
-      'HTTP_X_ACCEL_MAPPING' => '/tmp/=/foo/bar/'
+      'HTTP_X_ACCEL_MAPPING' => "#{Dir.tmpdir}/=/foo/bar/"
     }
     request headers do |response|
       response.should.be.ok

data/test/spec_utils.rb CHANGED Viewed

@@ -331,6 +331,11 @@ describe Rack::Utils do
     Rack::Utils.bytesize("FOO\xE2\x82\xAC").should.equal 6
   end
+  should "should perform constant time string comparison" do
+    Rack::Utils.secure_compare('a', 'a').should.equal true
+    Rack::Utils.secure_compare('a', 'b').should.equal false
+  end
   should "return status code for integer" do
     Rack::Utils.status_code(200).should.equal 200
   end

metadata CHANGED Viewed

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-  hash: 3
+  hash: 13
   prerelease:
   segments:
   - 1
   - 4
-  - 2
-  version: 1.4.2
+  - 5
+  version: 1.4.5
 platform: ruby
 authors:
 - Christian Neukirchen
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-01-07 00:00:00 Z
+date: 2013-02-08 00:00:00 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bacon
@@ -81,7 +81,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        hash: -503647054
+        hash: 3904189667
         segments:
         - 1
         - 2
@@ -237,6 +237,7 @@ files:
 - test/multipart/webkit
 - test/rackup/config.ru
 - test/registering_handler/rack/handler/registering_myself.rb
+- test/spec_auth.rb
 - test/spec_auth_basic.rb
 - test/spec_auth_digest.rb
 - test/spec_body_proxy.rb
@@ -328,6 +329,7 @@ signing_key:
 specification_version: 3
 summary: a modular Ruby webserver interface
 test_files:
+- test/spec_auth.rb
 - test/spec_auth_basic.rb
 - test/spec_auth_digest.rb
 - test/spec_body_proxy.rb