rack 1.4.4 → 1.4.5

data/README.rdoc

@@ -483,6 +483,23 @@ run on port 11211) and memcache-client installed.
   * [SEC] Rack::Auth::AbstractRequest no longer symbolizes arbitrary strings
   * Fixed erroneous test case in the 1.3.x series
 
+* February 7th, Thirty fifth public release 1.1.6, 1.2.8, 1.3.10
+  * Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
+
+* February 7th, Thirty fifth public release 1.4.5
+  * Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
+  * Fix CVE-2013-0262, symlink path traversal in Rack::File
+
+* February 7th, Thirty fifth public release 1.5.2
+  * Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
+  * Fix CVE-2013-0262, symlink path traversal in Rack::File
+  * Add various methods to Session for enhanced Rails compatibility
+  * Request#trusted_proxy? now only matches whole stirngs
+  * Add JSON cookie coder, to be default in Rack 1.6+ due to security concerns
+  * URLMap host matching in environments that don't set the Host header fixed
+  * Fix a race condition that could result in overwritten pidfiles
+  * Various documentation additions
+
 == Contact
 
 Please post bugs, suggestions and patches to

data/lib/rack/file.rb

@@ -47,19 +47,14 @@ module Rack
       @path_info = Utils.unescape(env["PATH_INFO"])
       parts = @path_info.split SEPS
 
-      parts.inject(0) do |depth, part|
-        case part
-        when '', '.'
-          depth
-        when '..'
-          return fail(404, "Not Found") if depth - 1 < 0
-          depth - 1
-        else
-          depth + 1
-        end
+      clean = []
+
+      parts.each do |part|
+        next if part.empty? || part == '.'
+        part == '..' ? clean.pop : clean << part
       end
 
-      @path = F.join(@root, *parts)
+      @path = F.join(@root, *clean)
 
       available = begin
         F.file?(@path) && F.readable?(@path)

data/lib/rack/session/cookie.rb

@@ -117,7 +117,7 @@ module Rack
 
             if session_data && digest
               ok = @secrets.any? do |secret|
-                secret && digest == generate_hmac(session_data, secret)
+                secret && Rack::Utils.secure_compare(digest, generate_hmac(session_data, secret))
               end
             end
 

data/lib/rack/utils.rb

@@ -342,6 +342,18 @@ module Rack
     end
     module_function :byte_ranges
 
+    # Constant time string comparison.
+    def secure_compare(a, b)
+      return false unless bytesize(a) == bytesize(b)
+
+      l = a.unpack("C*")
+
+      r, i = 0, -1
+      b.each_byte { |v| r |= v ^ l[i+=1] }
+      r == 0
+    end
+    module_function :secure_compare
+
     # Context allows the use of a compatible middleware at different points
     # in a request handling stack. A compatible middleware must define
     # #context which should take the arguments env and app. The first of which

data/rack.gemspec

@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name            = "rack"
-  s.version         = "1.4.4"
+  s.version         = "1.4.5"
   s.platform        = Gem::Platform::RUBY
   s.summary         = "a modular Ruby webserver interface"
 

data/test/spec_sendfile.rb

@@ -2,6 +2,7 @@ require 'fileutils'
 require 'rack/lint'
 require 'rack/sendfile'
 require 'rack/mock'
+require 'tmpdir'
 
 describe Rack::File do
   should "respond to #to_path" do
@@ -11,9 +12,9 @@ end
 
 describe Rack::Sendfile do
   def sendfile_body
-    FileUtils.touch "/tmp/rack_sendfile"
+    FileUtils.touch File.join(Dir.tmpdir,  "rack_sendfile")
     res = ['Hello World']
-    def res.to_path ; "/tmp/rack_sendfile" ; end
+    def res.to_path ; File.join(Dir.tmpdir,  "rack_sendfile") ; end
     res
   end
 
@@ -44,7 +45,7 @@ describe Rack::Sendfile do
       response.should.be.ok
       response.body.should.be.empty
       response.headers['Content-Length'].should.equal '0'
-      response.headers['X-Sendfile'].should.equal '/tmp/rack_sendfile'
+      response.headers['X-Sendfile'].should.equal File.join(Dir.tmpdir,  "rack_sendfile")
     end
   end
 
@@ -53,14 +54,14 @@ describe Rack::Sendfile do
       response.should.be.ok
       response.body.should.be.empty
       response.headers['Content-Length'].should.equal '0'
-      response.headers['X-Lighttpd-Send-File'].should.equal '/tmp/rack_sendfile'
+      response.headers['X-Lighttpd-Send-File'].should.equal File.join(Dir.tmpdir,  "rack_sendfile")
     end
   end
 
   it "sets X-Accel-Redirect response header and discards body" do
     headers = {
       'HTTP_X_SENDFILE_TYPE' => 'X-Accel-Redirect',
-      'HTTP_X_ACCEL_MAPPING' => '/tmp/=/foo/bar/'
+      'HTTP_X_ACCEL_MAPPING' => "#{Dir.tmpdir}/=/foo/bar/"
     }
     request headers do |response|
       response.should.be.ok

data/test/spec_utils.rb

@@ -331,6 +331,11 @@ describe Rack::Utils do
     Rack::Utils.bytesize("FOO\xE2\x82\xAC").should.equal 6
   end
 
+  should "should perform constant time string comparison" do
+    Rack::Utils.secure_compare('a', 'a').should.equal true
+    Rack::Utils.secure_compare('a', 'b').should.equal false
+  end
+
   should "return status code for integer" do
     Rack::Utils.status_code(200).should.equal 200
   end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: rack
 version: !ruby/object:Gem::Version 
-  hash: 15
+  hash: 13
   prerelease: 
   segments: 
   - 1
   - 4
-  - 4
-  version: 1.4.4
+  - 5
+  version: 1.4.5
 platform: ruby
 authors: 
 - Christian Neukirchen
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2013-01-13 00:00:00 Z
+date: 2013-02-08 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: bacon
@@ -81,7 +81,7 @@ dependencies:
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
-        hash: -2982847160
+        hash: 3904189667
         segments: 
         - 1
         - 2