rack 1.4.3 → 1.4.4

data/README.rdoc

@@ -479,11 +479,21 @@ run on port 11211) and memcache-client installed.
 * January 7th, 2013: Thirty first public release 1.4.3
   * Security: Prevent unbounded reads in large multipart boundaries
 
+* January 13th, 2013: Thirty second public release 1.4.4, 1.3.9, 1.2.7, 1.1.5
+  * [SEC] Rack::Auth::AbstractRequest no longer symbolizes arbitrary strings
+  * Fixed erroneous test case in the 1.3.x series
+
 == Contact
 
 Please post bugs, suggestions and patches to
 the bug tracker at <http://github.com/rack/rack/issues>.
 
+Please post security related bugs and suggestions to the core team at
+<https://groups.google.com/group/rack-core> or rack-core@googlegroups.com. Due
+to wide usage of the library, it is strongly preferred that we manage timing in
+order to provide viable patches at the time of disclosure. Your assistance in
+this matter is greatly appreciated.
+
 Mailing list archives are available at
 <http://groups.google.com/group/rack-devel>.
 

data/lib/rack.rb

@@ -73,6 +73,18 @@ module Rack
       autoload :Params, "rack/auth/digest/params"
       autoload :Request, "rack/auth/digest/request"
     end
+
+    # Not all of the following schemes are "standards", but they are used often.
+    @schemes = %w[basic digest bearer mac token oauth oauth2]
+
+    def self.add_scheme scheme
+      @schemes << scheme
+      @schemes.uniq!
+    end
+
+    def self.schemes
+      @schemes.dup
+    end
   end
 
   module Session

data/lib/rack/auth/abstract/request.rb

@@ -21,7 +21,11 @@ module Rack
       end
 
       def scheme
-        @scheme ||= parts.first.downcase.to_sym
+        @scheme ||=
+          begin
+            s = parts.first.downcase
+            Rack::Auth.schemes.include?(s) ? s.to_sym : s
+          end
       end
 
       def params

data/lib/rack/utils.rb

@@ -5,7 +5,6 @@ require 'tempfile'
 require 'rack/multipart'
 
 major, minor, patch = RUBY_VERSION.split('.').map { |v| v.to_i }
-ruby_engine = defined?(RUBY_ENGINE) ? RUBY_ENGINE : 'ruby'
 
 if major == 1 && minor < 9
   require 'rack/backports/uri/common_18'

data/rack.gemspec

@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name            = "rack"
-  s.version         = "1.4.3"
+  s.version         = "1.4.4"
   s.platform        = Gem::Platform::RUBY
   s.summary         = "a modular Ruby webserver interface"
 

data/test/spec_auth.rb

@@ -0,0 +1,57 @@
+require 'rack'
+
+describe Rack::Auth do
+  it "should have all common authentication schemes" do
+    Rack::Auth.schemes.should.include? 'basic'
+    Rack::Auth.schemes.should.include? 'digest'
+    Rack::Auth.schemes.should.include? 'bearer'
+    Rack::Auth.schemes.should.include? 'token'
+  end
+
+  it "should allow registration of new auth schemes" do
+    Rack::Auth.schemes.should.not.include "test"
+    Rack::Auth.add_scheme "test"
+    Rack::Auth.schemes.should.include "test"
+  end
+end
+
+describe Rack::Auth::AbstractRequest do
+  it "should symbolize known auth schemes" do
+    env = Rack::MockRequest.env_for('/')
+    env['HTTP_AUTHORIZATION'] = 'Basic aXJyZXNwb25zaWJsZQ=='
+    req = Rack::Auth::AbstractRequest.new(env)
+    req.scheme.should.equal :basic
+
+
+    env['HTTP_AUTHORIZATION'] = 'Digest aXJyZXNwb25zaWJsZQ=='
+    req = Rack::Auth::AbstractRequest.new(env)
+    req.scheme.should.equal :digest
+
+    env['HTTP_AUTHORIZATION'] = 'Bearer aXJyZXNwb25zaWJsZQ=='
+    req = Rack::Auth::AbstractRequest.new(env)
+    req.scheme.should.equal :bearer
+
+    env['HTTP_AUTHORIZATION'] = 'MAC aXJyZXNwb25zaWJsZQ=='
+    req = Rack::Auth::AbstractRequest.new(env)
+    req.scheme.should.equal :mac
+
+    env['HTTP_AUTHORIZATION'] = 'Token aXJyZXNwb25zaWJsZQ=='
+    req = Rack::Auth::AbstractRequest.new(env)
+    req.scheme.should.equal :token
+
+    env['HTTP_AUTHORIZATION'] = 'OAuth aXJyZXNwb25zaWJsZQ=='
+    req = Rack::Auth::AbstractRequest.new(env)
+    req.scheme.should.equal :oauth
+
+    env['HTTP_AUTHORIZATION'] = 'OAuth2 aXJyZXNwb25zaWJsZQ=='
+    req = Rack::Auth::AbstractRequest.new(env)
+    req.scheme.should.equal :oauth2
+  end
+
+  it "should not symbolize unknown auth schemes" do
+    env = Rack::MockRequest.env_for('/')
+    env['HTTP_AUTHORIZATION'] = 'magic aXJyZXNwb25zaWJsZQ=='
+    req = Rack::Auth::AbstractRequest.new(env)
+    req.scheme.should == "magic"
+  end
+end

data/test/spec_lock.rb

@@ -142,7 +142,7 @@ describe Rack::Lock do
   should "unlock if the app throws" do
     lock = Lock.new
     env = Rack::MockRequest.env_for("/")
-    app = lock_app(lambda {|env| throw :bacon }, lock)
+    app = lock_app(lambda {|_| throw :bacon }, lock)
     lambda { app.call(env) }.should.throw(:bacon)
     lock.synchronized.should.equal false
   end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: rack
 version: !ruby/object:Gem::Version 
-  hash: 1
+  hash: 15
   prerelease: 
   segments: 
   - 1
   - 4
-  - 3
-  version: 1.4.3
+  - 4
+  version: 1.4.4
 platform: ruby
 authors: 
 - Christian Neukirchen
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2013-01-07 00:00:00 Z
+date: 2013-01-13 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: bacon
@@ -81,7 +81,7 @@ dependencies:
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
-        hash: -1379016806
+        hash: -2982847160
         segments: 
         - 1
         - 2
@@ -237,6 +237,7 @@ files:
 - test/multipart/webkit
 - test/rackup/config.ru
 - test/registering_handler/rack/handler/registering_myself.rb
+- test/spec_auth.rb
 - test/spec_auth_basic.rb
 - test/spec_auth_digest.rb
 - test/spec_body_proxy.rb
@@ -328,6 +329,7 @@ signing_key:
 specification_version: 3
 summary: a modular Ruby webserver interface
 test_files: 
+- test/spec_auth.rb
 - test/spec_auth_basic.rb
 - test/spec_auth_digest.rb
 - test/spec_body_proxy.rb