rack 2.0.5 → 2.0.6



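--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
-SHA1:
-metadata.gz: 67795fcdb4d1f94c31a5d36ab7d5c617132674e9
-data.tar.gz: 28f1d6b5f728c8b766752a023b5c7c2c0b6014f6
+SHA256:
+metadata.gz: c26f21f48fd630f4f95eead2d2845f51c160bcd084824b305d81d95bad08b6d9
+data.tar.gz: 312598a6017f9dd516214a2390f828008e6f30a6f6b4acc570c79133b975c8a4
 SHA512:
-metadata.gz: 13a96a15f60371cbfc1986593a92f099f14eefbfcc6d8833f7bd124ef87797f4f2ea443e5c35aeec1486c73cee4511098544d79b4e9d24f3b44a53f20cac13a3
-data.tar.gz: 9cf9fda3a38fdc8bad2e5be1110b2f13c40a1999d6a9c8ea07f61b76b330f6d5f9cbee96bc751c5b54dc0c0376fbc1aa360f60240c7bd103b2ce2f6d725dd2bf
+metadata.gz: bf760ff4d0077492ddd2760a8b9d9a16a45560dd55612c29b31331ce70f0308defa5edacbcd74bac2a8f0fb26a41330ff3bb995cc6367822deea2246c474e7aa
+data.tar.gz: d4e666fcdbdc9c09b6175b4b3ec96f20f1638c12133ebc2666428be6cb98d54097ef8a4351e92f9ba9637ed7b0bc64ea45b755081ae07f24264bbb6ecd10c270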
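--- a/data/SPEC
+++ b/data/SPEC
@@ -60,8 +60,8 @@ below.
 the presence or absence of the
 appropriate HTTP header in the
 request. See
-{https://tools.ietf.org/html/rfc3875#section-4.1.18
-RFC3875 section 4.1.18} for
+<a href="https://tools.ietf.org/html/rfc3875#section-4.1.18">
+RFC3875 section 4.1.18</a> for
 specific behavior.
 In addition to this, the Rack environment must include these
 Rack-specific variables:
@@ -98,12 +98,13 @@ Rack-specific variables:
 Additional environment specifications have approved to
 standardized middleware APIs. None of these are required to
 be implemented by the server.
-<tt>rack.session</tt>:: A hash like interface for storing request session data.
+<tt>rack.session</tt>:: A hash like interface for storing
+request session data.
 The store must implement:
-store(key, value) (aliased as []=);
-fetch(key, default = nil) (aliased as []);
-delete(key);
-clear;
+store(key, value) (aliased as []=);
+fetch(key, default = nil) (aliased as []);
+delete(key);
+clear;
 <tt>rack.logger</tt>:: A common object interface for logging messages.
 The object must implement:
 info(message, &block)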
@@ -18,7 +18,7 @@ module Rack
18
18
  VERSION.join(".")
19
19
  end
20
20
 
21
- RELEASE = "2.0.5"
21
+ RELEASE = "2.0.6"
22
22
 
23
23
  # Return the Rack release as a dotted string.
24
24
  def self.release
@@ -5,7 +5,7 @@ module Rack
5
5
  class MultipartPartLimitError < Errno::EMFILE; end
6
6
 
7
7
  class Parser
8
- BUFSIZE = 1_048_576
8
+ BUFSIZE = 16384
9
9
  TEXT_PLAIN = "text/plain"
10
10
  TEMPFILE_FACTORY = lambda { |filename, content_type|
11
11
  Tempfile.new(["RackMultipart", ::File.extname(filename.gsub("\0".freeze, '%00'.freeze))])
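Review bot: The BUFSIZE line drops the read size from 1_048_576 to 16384 with no comment, so a reader cannot tell whether 16 KiB is a memory bound on multipart parsing or a throughput tuning, and since the constant is public on the Parser class anyone referencing it sees the new value silently. I would add above it `# Read the multipart body in 16 KiB chunks; the previous 1 MiB read let a single request pin far more memory per read.` — presumably that is the motivation, but confirm it against the release notes before committing to the wording. The Parser class continues outside the hunk.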
@@ -11,6 +11,8 @@ module Rack
11
11
  # req.params["data"]
12
12
 
13
13
  class Request
14
+ SCHEME_WHITELIST = %w(https http).freeze
15
+
14
16
  def initialize(env)
15
17
  @params = nil
16
18
  super(env)
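Review bot: SCHEME_WHITELIST is introduced without a comment, and nothing in this hunk says it is the guard applied to the client-controlled X-Forwarded-Scheme / X-Forwarded-Proto values, which is what makes the constant meaningful. I would add above it `# Only these values are accepted from the X-Forwarded-Scheme / X-Forwarded-Proto headers; anything else is ignored so a client cannot inject arbitrary text into scheme and the URLs built from it.` The Request class continues outside the hunk.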
@@ -188,10 +190,8 @@ module Rack
188
190
  'https'
189
191
  elsif get_header(HTTP_X_FORWARDED_SSL) == 'on'
190
192
  'https'
191
- elsif get_header(HTTP_X_FORWARDED_SCHEME)
192
- get_header(HTTP_X_FORWARDED_SCHEME)
193
- elsif get_header(HTTP_X_FORWARDED_PROTO)
194
- get_header(HTTP_X_FORWARDED_PROTO).split(',')[0]
193
+ elsif forwarded_scheme
194
+ forwarded_scheme
195
195
  else
196
196
  get_header(RACK_URL_SCHEME)
197
197
  end
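Review bot: `forwarded_scheme` is called twice on consecutive lines, once as the `elsif` test and again as the branch value, so both header lookups and the whitelist scan run twice for every forwarded request. Binding it once reads better and keeps the result identical: `elsif (scheme = forwarded_scheme)` followed by `scheme`. This is a style point only; the enclosing method starts before the hunk.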
@@ -479,6 +479,19 @@ module Rack
479
479
  def reject_trusted_ip_addresses(ip_addresses)
480
480
  ip_addresses.reject { |ip| trusted_proxy?(ip) }
481
481
  end
482
+
483
+ def forwarded_scheme
484
+ scheme_headers = [
485
+ get_header(HTTP_X_FORWARDED_SCHEME),
486
+ get_header(HTTP_X_FORWARDED_PROTO).to_s.split(',')[0]
487
+ ]
488
+
489
+ scheme_headers.each do |header|
490
+ return header if SCHEME_WHITELIST.include?(header)
491
+ end
492
+
493
+ nil
494
+ end
482
495
  end
483
496
 
484
497
  include Env
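Review bot: The whitelist test on the `return header if` line is an exact, case-sensitive compare, so a proxy sending `X-Forwarded-Proto: HTTPS` (scheme names are case-insensitive) is silently ignored and the request falls through to `rack.url_scheme`, which presumably reports plain http behind such a proxy and would make `ssl?` false. Normalising before the check keeps the guard and accepts the legal spellings: `scheme = header.to_s.strip.downcase` then `return scheme if SCHEME_WHITELIST.include?(scheme)`. Note also that X-Forwarded-Proto is split on commas while X-Forwarded-Scheme is not, so a multi-proxy `X-Forwarded-Scheme: https,http` is rejected outright instead of using its first element; apply `.to_s.split(',')[0]` to both or document why they differ. Neither header is checked against `trusted_proxy?` (visible just above), so the whitelist stops injection of arbitrary text but a directly connected client can still assert `https`; that is pre-existing, but a one-line comment on the method saying so would save the next reader from assuming otherwise.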
@@ -46,7 +46,7 @@ module Rack
46
46
  end
47
47
 
48
48
  def prefers_plaintext?(env)
49
- !accepts_html(env)
49
+ !accepts_html?(env)
50
50
  end
51
51
 
52
52
  def accepts_html?(env)
@@ -572,6 +572,11 @@ class RackRequestTest < Minitest::Spec
572
572
  request.must_be :ssl?
573
573
  end
574
574
 
575
+ it "prevents scheme abuse" do
576
+ request = make_request(Rack::MockRequest.env_for("/", 'HTTP_X_FORWARDED_SCHEME' => 'a."><script>alert(1)</script>'))
577
+ request.scheme.must_equal 'http'
578
+ end
579
+
575
580
  it "parse cookies" do
576
581
  req = make_request \
577
582
  Rack::MockRequest.env_for("", "HTTP_COOKIE" => "foo=bar;quux=h&m")
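Review bot: The new "prevents scheme abuse" case only drives X-Forwarded-Scheme, so the X-Forwarded-Proto path — the one that additionally splits on commas — has no negative test, and neither header has a positive case showing that a whitelisted value still wins. I would add `make_request(Rack::MockRequest.env_for("/", 'HTTP_X_FORWARDED_PROTO' => 'a."><script>alert(1)</script>')).scheme.must_equal 'http'` and `make_request(Rack::MockRequest.env_for("/", 'HTTP_X_FORWARDED_PROTO' => 'https,http')).scheme.must_equal 'https'` next to the existing assertion. The RackRequestTest spec continues outside the hunk.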
@@ -77,4 +77,17 @@ describe Rack::ShowExceptions do
77
77
  assert_match(res, /ShowExceptions/)
78
78
  assert_match(res, /unknown location/)
79
79
  end
80
+
81
+ it "knows to prefer plaintext for non-html" do
82
+ # We don't need an app for this
83
+ exc = Rack::ShowExceptions.new(nil)
84
+
85
+ [
86
+ [{ "HTTP_ACCEPT" => "text/plain" }, true],
87
+ [{ "HTTP_ACCEPT" => "text/foo" }, true],
88
+ [{ "HTTP_ACCEPT" => "text/html" }, false]
89
+ ].each do |env, expected|
90
+ assert_equal(expected, exc.prefers_plaintext?(env))
91
+ end
92
+ end
80
93
  end
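Review bot: The new table covers three explicit Accept values but not a request with no Accept header at all, which is the usual shape for non-browser clients and exactly where a nil would reach `accepts_html?`. Adding `[{}, true]` to the array pins that case; whether `accepts_html?` tolerates a missing header is not visible from this hunk, so confirm against its body before relying on the expected value. The describe block starts before the hunk.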
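--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-version: 2.0.5
+version: 2.0.6
 platform: ruby
 authors:
 - Leah Neukirchen
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-04-23 00:00:00.000000000 Z
+date: 2018-11-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: minitest
@@ -275,59 +275,59 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.6.13
+rubygems_version: 2.7.6
 signing_key:
 specification_version: 4
 summary: a modular Ruby webserver interface
 test_files:
-- test/spec_auth_basic.rb
-- test/spec_auth_digest.rb
-- test/spec_body_proxy.rb
-- test/spec_builder.rb
-- test/spec_cascade.rb
-- test/spec_cgi.rb
-- test/spec_chunked.rb
-- test/spec_common_logger.rb
-- test/spec_conditional_get.rb
-- test/spec_config.rb
-- test/spec_content_length.rb
-- test/spec_content_type.rb
+- test/spec_multipart.rb
 - test/spec_deflater.rb
-- test/spec_directory.rb
+- test/spec_static.rb
+- test/spec_session_cookie.rb
+- test/spec_session_pool.rb
 - test/spec_etag.rb
-- test/spec_events.rb
-- test/spec_fastcgi.rb
-- test/spec_file.rb
+- test/spec_version.rb
 - test/spec_handler.rb
-- test/spec_head.rb
-- test/spec_lint.rb
-- test/spec_lobster.rb
-- test/spec_lock.rb
-- test/spec_logger.rb
-- test/spec_media_type.rb
-- test/spec_method_override.rb
+- test/spec_thin.rb
+- test/spec_session_abstract_id.rb
 - test/spec_mime.rb
-- test/spec_mock.rb
-- test/spec_multipart.rb
-- test/spec_null_logger.rb
 - test/spec_recursive.rb
+- test/spec_null_logger.rb
+- test/spec_media_type.rb
+- test/spec_cgi.rb
+- test/spec_method_override.rb
+- test/spec_content_type.rb
+- test/spec_session_abstract_session_hash.rb
 - test/spec_request.rb
-- test/spec_response.rb
-- test/spec_rewindable_input.rb
+- test/spec_chunked.rb
+- test/spec_show_exceptions.rb
 - test/spec_runtime.rb
+- test/spec_fastcgi.rb
+- test/spec_common_logger.rb
+- test/spec_builder.rb
+- test/spec_config.rb
+- test/spec_utils.rb
 - test/spec_sendfile.rb
+- test/spec_lobster.rb
+- test/spec_lint.rb
+- test/spec_conditional_get.rb
+- test/spec_tempfile_reaper.rb
+- test/spec_mock.rb
 - test/spec_server.rb
-- test/spec_session_abstract_id.rb
-- test/spec_session_abstract_session_hash.rb
-- test/spec_session_cookie.rb
-- test/spec_session_memcache.rb
-- test/spec_session_pool.rb
-- test/spec_show_exceptions.rb
+- test/spec_directory.rb
+- test/spec_webrick.rb
+- test/spec_response.rb
+- test/spec_file.rb
 - test/spec_show_status.rb
-- test/spec_static.rb
-- test/spec_tempfile_reaper.rb
-- test/spec_thin.rb
+- test/spec_body_proxy.rb
+- test/spec_logger.rb
+- test/spec_auth_digest.rb
 - test/spec_urlmap.rb
-- test/spec_utils.rb
-- test/spec_version.rb
-- test/spec_webrick.rb
+- test/spec_events.rb
+- test/spec_cascade.rb
+- test/spec_auth_basic.rb
+- test/spec_head.rb
+- test/spec_lock.rb
+- test/spec_rewindable_input.rb
+- test/spec_session_memcache.rb
+- test/spec_content_length.rb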