rack 1.4.3 → 1.4.5

data/README.rdoc

@@ -479,11 +479,38 @@ run on port 11211) and memcache-client installed.
 * January 7th, 2013: Thirty first public release 1.4.3
   * Security: Prevent unbounded reads in large multipart boundaries
 
+* January 13th, 2013: Thirty second public release 1.4.4, 1.3.9, 1.2.7, 1.1.5
+  * [SEC] Rack::Auth::AbstractRequest no longer symbolizes arbitrary strings
+  * Fixed erroneous test case in the 1.3.x series
+
+* February 7th, Thirty fifth public release 1.1.6, 1.2.8, 1.3.10
+  * Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
+
+* February 7th, Thirty fifth public release 1.4.5
+  * Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
+  * Fix CVE-2013-0262, symlink path traversal in Rack::File
+
+* February 7th, Thirty fifth public release 1.5.2
+  * Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
+  * Fix CVE-2013-0262, symlink path traversal in Rack::File
+  * Add various methods to Session for enhanced Rails compatibility
+  * Request#trusted_proxy? now only matches whole stirngs
+  * Add JSON cookie coder, to be default in Rack 1.6+ due to security concerns
+  * URLMap host matching in environments that don't set the Host header fixed
+  * Fix a race condition that could result in overwritten pidfiles
+  * Various documentation additions
+
 == Contact
 
 Please post bugs, suggestions and patches to
 the bug tracker at <http://github.com/rack/rack/issues>.
 
+Please post security related bugs and suggestions to the core team at
+<https://groups.google.com/group/rack-core> or rack-core@googlegroups.com. Due
+to wide usage of the library, it is strongly preferred that we manage timing in
+order to provide viable patches at the time of disclosure. Your assistance in
+this matter is greatly appreciated.
+
 Mailing list archives are available at
 <http://groups.google.com/group/rack-devel>.
 

data/lib/rack/auth/abstract/request.rb

@@ -21,7 +21,11 @@ module Rack
       end
 
       def scheme
-        @scheme ||= parts.first.downcase.to_sym
+        @scheme ||=
+          begin
+            s = parts.first.downcase
+            Rack::Auth.schemes.include?(s) ? s.to_sym : s
+          end
       end
 
       def params

data/lib/rack/file.rb

@@ -47,19 +47,14 @@ module Rack
       @path_info = Utils.unescape(env["PATH_INFO"])
       parts = @path_info.split SEPS
 
-      parts.inject(0) do |depth, part|
-        case part
-        when '', '.'
-          depth
-        when '..'
-          return fail(404, "Not Found") if depth - 1 < 0
-          depth - 1
-        else
-          depth + 1
-        end
+      clean = []
+
+      parts.each do |part|
+        next if part.empty? || part == '.'
+        part == '..' ? clean.pop : clean << part
       end
 
-      @path = F.join(@root, *parts)
+      @path = F.join(@root, *clean)
 
       available = begin
         F.file?(@path) && F.readable?(@path)

data/lib/rack/session/cookie.rb

@@ -117,7 +117,7 @@ module Rack
 
             if session_data && digest
               ok = @secrets.any? do |secret|
-                secret && digest == generate_hmac(session_data, secret)
+                secret && Rack::Utils.secure_compare(digest, generate_hmac(session_data, secret))
               end
             end
 

data/lib/rack/utils.rb

@@ -5,7 +5,6 @@ require 'tempfile'
 require 'rack/multipart'
 
 major, minor, patch = RUBY_VERSION.split('.').map { |v| v.to_i }
-ruby_engine = defined?(RUBY_ENGINE) ? RUBY_ENGINE : 'ruby'
 
 if major == 1 && minor < 9
   require 'rack/backports/uri/common_18'
@@ -343,6 +342,18 @@ module Rack
     end
     module_function :byte_ranges
 
+    # Constant time string comparison.
+    def secure_compare(a, b)
+      return false unless bytesize(a) == bytesize(b)
+
+      l = a.unpack("C*")
+
+      r, i = 0, -1
+      b.each_byte { |v| r |= v ^ l[i+=1] }
+      r == 0
+    end
+    module_function :secure_compare
+
     # Context allows the use of a compatible middleware at different points
     # in a request handling stack. A compatible middleware must define
     # #context which should take the arguments env and app. The first of which

data/lib/rack.rb

@@ -73,6 +73,18 @@ module Rack
       autoload :Params, "rack/auth/digest/params"
       autoload :Request, "rack/auth/digest/request"
     end
+
+    # Not all of the following schemes are "standards", but they are used often.
+    @schemes = %w[basic digest bearer mac token oauth oauth2]
+
+    def self.add_scheme scheme
+      @schemes << scheme
+      @schemes.uniq!
+    end
+
+    def self.schemes
+      @schemes.dup
+    end
   end
 
   module Session

data/rack.gemspec

@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name            = "rack"
-  s.version         = "1.4.3"
+  s.version         = "1.4.5"
   s.platform        = Gem::Platform::RUBY
   s.summary         = "a modular Ruby webserver interface"
 

data/test/spec_auth.rb

@@ -0,0 +1,57 @@
+require 'rack'
+
+describe Rack::Auth do
+  it "should have all common authentication schemes" do
+    Rack::Auth.schemes.should.include? 'basic'
+    Rack::Auth.schemes.should.include? 'digest'
+    Rack::Auth.schemes.should.include? 'bearer'
+    Rack::Auth.schemes.should.include? 'token'
+  end
+
+  it "should allow registration of new auth schemes" do
+    Rack::Auth.schemes.should.not.include "test"
+    Rack::Auth.add_scheme "test"
+    Rack::Auth.schemes.should.include "test"
+  end
+end
+
+describe Rack::Auth::AbstractRequest do
+  it "should symbolize known auth schemes" do
+    env = Rack::MockRequest.env_for('/')
+    env['HTTP_AUTHORIZATION'] = 'Basic aXJyZXNwb25zaWJsZQ=='
+    req = Rack::Auth::AbstractRequest.new(env)
+    req.scheme.should.equal :basic
+
+
+    env['HTTP_AUTHORIZATION'] = 'Digest aXJyZXNwb25zaWJsZQ=='
+    req = Rack::Auth::AbstractRequest.new(env)
+    req.scheme.should.equal :digest
+
+    env['HTTP_AUTHORIZATION'] = 'Bearer aXJyZXNwb25zaWJsZQ=='
+    req = Rack::Auth::AbstractRequest.new(env)
+    req.scheme.should.equal :bearer
+
+    env['HTTP_AUTHORIZATION'] = 'MAC aXJyZXNwb25zaWJsZQ=='
+    req = Rack::Auth::AbstractRequest.new(env)
+    req.scheme.should.equal :mac
+
+    env['HTTP_AUTHORIZATION'] = 'Token aXJyZXNwb25zaWJsZQ=='
+    req = Rack::Auth::AbstractRequest.new(env)
+    req.scheme.should.equal :token
+
+    env['HTTP_AUTHORIZATION'] = 'OAuth aXJyZXNwb25zaWJsZQ=='
+    req = Rack::Auth::AbstractRequest.new(env)
+    req.scheme.should.equal :oauth
+
+    env['HTTP_AUTHORIZATION'] = 'OAuth2 aXJyZXNwb25zaWJsZQ=='
+    req = Rack::Auth::AbstractRequest.new(env)
+    req.scheme.should.equal :oauth2
+  end
+
+  it "should not symbolize unknown auth schemes" do
+    env = Rack::MockRequest.env_for('/')
+    env['HTTP_AUTHORIZATION'] = 'magic aXJyZXNwb25zaWJsZQ=='
+    req = Rack::Auth::AbstractRequest.new(env)
+    req.scheme.should == "magic"
+  end
+end

data/test/spec_lock.rb

@@ -142,7 +142,7 @@ describe Rack::Lock do
   should "unlock if the app throws" do
     lock = Lock.new
     env = Rack::MockRequest.env_for("/")
-    app = lock_app(lambda {|env| throw :bacon }, lock)
+    app = lock_app(lambda {|_| throw :bacon }, lock)
     lambda { app.call(env) }.should.throw(:bacon)
     lock.synchronized.should.equal false
   end

data/test/spec_sendfile.rb

@@ -2,6 +2,7 @@ require 'fileutils'
 require 'rack/lint'
 require 'rack/sendfile'
 require 'rack/mock'
+require 'tmpdir'
 
 describe Rack::File do
   should "respond to #to_path" do
@@ -11,9 +12,9 @@ end
 
 describe Rack::Sendfile do
   def sendfile_body
-    FileUtils.touch "/tmp/rack_sendfile"
+    FileUtils.touch File.join(Dir.tmpdir,  "rack_sendfile")
     res = ['Hello World']
-    def res.to_path ; "/tmp/rack_sendfile" ; end
+    def res.to_path ; File.join(Dir.tmpdir,  "rack_sendfile") ; end
     res
   end
 
@@ -44,7 +45,7 @@ describe Rack::Sendfile do
       response.should.be.ok
       response.body.should.be.empty
       response.headers['Content-Length'].should.equal '0'
-      response.headers['X-Sendfile'].should.equal '/tmp/rack_sendfile'
+      response.headers['X-Sendfile'].should.equal File.join(Dir.tmpdir,  "rack_sendfile")
     end
   end
 
@@ -53,14 +54,14 @@ describe Rack::Sendfile do
       response.should.be.ok
       response.body.should.be.empty
       response.headers['Content-Length'].should.equal '0'
-      response.headers['X-Lighttpd-Send-File'].should.equal '/tmp/rack_sendfile'
+      response.headers['X-Lighttpd-Send-File'].should.equal File.join(Dir.tmpdir,  "rack_sendfile")
     end
   end
 
   it "sets X-Accel-Redirect response header and discards body" do
     headers = {
       'HTTP_X_SENDFILE_TYPE' => 'X-Accel-Redirect',
-      'HTTP_X_ACCEL_MAPPING' => '/tmp/=/foo/bar/'
+      'HTTP_X_ACCEL_MAPPING' => "#{Dir.tmpdir}/=/foo/bar/"
     }
     request headers do |response|
       response.should.be.ok

data/test/spec_utils.rb

@@ -331,6 +331,11 @@ describe Rack::Utils do
     Rack::Utils.bytesize("FOO\xE2\x82\xAC").should.equal 6
   end
 
+  should "should perform constant time string comparison" do
+    Rack::Utils.secure_compare('a', 'a').should.equal true
+    Rack::Utils.secure_compare('a', 'b').should.equal false
+  end
+
   should "return status code for integer" do
     Rack::Utils.status_code(200).should.equal 200
   end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: rack
 version: !ruby/object:Gem::Version 
-  hash: 1
+  hash: 13
   prerelease: 
   segments: 
   - 1
   - 4
-  - 3
-  version: 1.4.3
+  - 5
+  version: 1.4.5
 platform: ruby
 authors: 
 - Christian Neukirchen
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2013-01-07 00:00:00 Z
+date: 2013-02-08 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: bacon
@@ -81,7 +81,7 @@ dependencies:
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
-        hash: -1379016806
+        hash: 3904189667
         segments: 
         - 1
         - 2
@@ -237,6 +237,7 @@ files:
 - test/multipart/webkit
 - test/rackup/config.ru
 - test/registering_handler/rack/handler/registering_myself.rb
+- test/spec_auth.rb
 - test/spec_auth_basic.rb
 - test/spec_auth_digest.rb
 - test/spec_body_proxy.rb
@@ -328,6 +329,7 @@ signing_key:
 specification_version: 3
 summary: a modular Ruby webserver interface
 test_files: 
+- test/spec_auth.rb
 - test/spec_auth_basic.rb
 - test/spec_auth_digest.rb
 - test/spec_body_proxy.rb