rack 0.9.0 → 0.9.1


data/RDOX CHANGED
@@ -103,6 +103,7 @@
103
103
  * sets Last-Modified header
104
104
  * serves files with URL encoded filenames
105
105
  * does not allow directory traversal
106
+ * does not allow directory traversal with encoded periods
106
107
  * 404s if it can't find the file
107
108
  * detects SystemCallErrors
108
109
 
@@ -320,4 +321,4 @@
320
321
  * should correctly set cookies
321
322
  * should provide a .run
322
323
 
323
- 243 specifications, 4 empty (1008 requirements), 0 failures
324
+ 244 specifications, 4 empty (1004 requirements), 0 failures
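Review bot: the requirement count in this hunk drops from 1008 to 1004 while the specification count rises from 243 to 244, which is not what adding one new spec and one extra assertion would normally produce; since RDOX is generated output, regenerate it from a clean run (or mention in the commit why the count changed) so the summary line stays trustworthy as a record of the test suite.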
data/README CHANGED
@@ -224,6 +224,9 @@ run on port 11211) and memcache-client installed.
224
224
  * Made HeaderHash case-preserving.
225
225
  * Many bugfixes and small improvements.
226
226
 
227
+ * January 9th, 2009: Sixth public release 0.9.1.
228
+ * Fix directory traversal exploits in Rack::File and Rack::Directory.
229
+
227
230
  == Contact
228
231
 
229
232
  Please mail bugs, suggestions and patches to
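Review bot: the new changelog entry "Fix directory traversal exploits in Rack::File and Rack::Directory" should say what was actually fixed so that people upgrading can judge their exposure: per the other hunks, the `..` check in Rack::File ran before `Utils.unescape`, so a percent-encoded `..` in PATH_INFO bypassed it, and Rack::Directory joined the unescaped path onto `@root` after `check_forbidden` had looked at the raw value. A single sentence with the affected versions (0.9.0 and earlier, per the metadata hunk) would also help downstream packagers.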
@@ -258,8 +261,9 @@ would like to thank:
258
261
  * Tim Fletcher, for the HTTP authentication code.
259
262
  * Luc Heinrich for the Cookie sessions, the static file handler and bugfixes.
260
263
  * Armin Ronacher, for the logo and racktools.
261
- * Aredridel, Ben Alpert, Dan Kubb, Daniel Roethlisberger, Matt Todd, and
262
- Phil Hagelberg for bug fixing and other improvements.
264
+ * Aredridel, Ben Alpert, Dan Kubb, Daniel Roethlisberger, Matt Todd,
265
+ Tom Robinson, and Phil Hagelberg for bug fixing and other
266
+ improvements.
263
267
  * Stephen Bannasch, for bug reports and documentation.
264
268
  * Gary Wright, for proposing a better Rack::Response interface.
265
269
  * Jonathan Buch, for improvements regarding Rack::Response.
data/Rakefile CHANGED
@@ -134,14 +134,14 @@ Also see http://rack.rubyforge.org.
134
134
  s.homepage = 'http://rack.rubyforge.org'
135
135
  s.rubyforge_project = 'rack'
136
136
 
137
- s.add_development_dependency 'test-spec'
138
-
139
- s.add_development_dependency 'camping'
140
- s.add_development_dependency 'fcgi'
141
- s.add_development_dependency 'memcache-client'
142
- s.add_development_dependency 'mongrel'
143
- s.add_development_dependency 'ruby-openid', '~> 2.0.0'
144
- s.add_development_dependency 'thin'
137
+ #s.add_development_dependency 'test-spec'
138
+
139
+ #s.add_development_dependency 'camping'
140
+ #s.add_development_dependency 'fcgi'
141
+ #s.add_development_dependency 'memcache-client'
142
+ #s.add_development_dependency 'mongrel'
143
+ #s.add_development_dependency 'ruby-openid', '~> 2.0.0'
144
+ #s.add_development_dependency 'thin'
145
145
  end
146
146
 
147
147
  Rake::GemPackageTask.new(spec) do |p|
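Review bot: commenting out all seven `add_development_dependency` lines instead of deleting them leaves dead code in the gemspec and silently drops `test-spec`, `camping`, `fcgi`, `memcache-client`, `mongrel`, `ruby-openid` and `thin` from the published metadata; this is unrelated to the traversal fix and would be easier to review (and to revert) as its own commit, with a one-line comment or changelog note explaining why the development dependencies were removed in a patch release.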
@@ -54,12 +54,13 @@ table { width:100%%; }
54
54
 
55
55
  def _call(env)
56
56
  @env = env
57
- @path_info, @script_name = env.values_at('PATH_INFO', 'SCRIPT_NAME')
57
+ @script_name = env['SCRIPT_NAME']
58
+ @path_info = Utils.unescape(env['PATH_INFO'])
58
59
 
59
60
  if forbidden = check_forbidden
60
61
  forbidden
61
62
  else
62
- @path = F.join(@root, Utils.unescape(@path_info))
63
+ @path = F.join(@root, @path_info)
63
64
  list_path
64
65
  end
65
66
  end
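Review bot: this hunk unescapes PATH_INFO before `check_forbidden` runs, which is the right order, but `check_forbidden` itself is not in the diff, so confirm it reads `@path_info` rather than re-reading `env['PATH_INFO']`; otherwise the check still sees the raw, encoded value and the later `F.join(@root, @path_info)` is still reachable with a decoded `..`. Since `@path_info` is now stored decoded, any logging or response body that echoes it should treat it as untrusted text.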
@@ -23,9 +23,9 @@ module Rack
23
23
  F = ::File
24
24
 
25
25
  def _call(env)
26
- return forbidden if env["PATH_INFO"].include? ".."
27
-
28
26
  @path_info = Utils.unescape(env["PATH_INFO"])
27
+ return forbidden if @path_info.include? ".."
28
+
29
29
  @path = F.join(@root, @path_info)
30
30
 
31
31
  begin
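Review bot: moving the `..` check after `Utils.unescape` closes the encoded-period bypass, but the check is a plain substring test, so a legitimate file named `foo..bar` is now rejected as well (over-blocking, which is the safe direction, but worth a note). As defence in depth, consider also comparing `F.expand_path(@path)` against `F.expand_path(@root)` and returning `forbidden` when the resolved path does not start with the root, so the guarantee does not rest on one string check.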
@@ -45,6 +45,11 @@ context "Rack::Directory" do
45
45
  get("/cgi/../test")
46
46
 
47
47
  res.should.be.forbidden
48
+
49
+ res = Rack::MockRequest.new(Rack::Lint.new(app)).
50
+ get("/cgi/%2E%2E/test")
51
+
52
+ res.should.be.forbidden
48
53
  end
49
54
 
50
55
  specify "404s if it can't find the file" do
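Review bot: the encoded `%2E%2E` request is appended to the existing "does not allow directory traversal" spec rather than given its own `specify` block as was done for Rack::File in the sibling hunk; a separate spec names the encoded case in the report when it fails, and keeps the RDOX listing consistent between the two classes.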
@@ -41,6 +41,13 @@ context "Rack::File" do
41
41
  res.should.be.forbidden
42
42
  end
43
43
 
44
+ specify "does not allow directory traversal with encoded periods" do
45
+ res = Rack::MockRequest.new(Rack::Lint.new(Rack::File.new(DOCROOT))).
46
+ get("/%2E%2E/README")
47
+
48
+ res.should.be.forbidden
49
+ end
50
+
44
51
  specify "404s if it can't find the file" do
45
52
  res = Rack::MockRequest.new(Rack::Lint.new(Rack::File.new(DOCROOT))).
46
53
  get("/cgi/blubb")
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rack
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.9.0
4
+ version: 0.9.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Christian Neukirchen
@@ -9,79 +9,10 @@ autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
11
 
12
- date: 2009-01-06 00:00:00 +01:00
12
+ date: 2009-01-09 00:00:00 +01:00
13
13
  default_executable:
14
- dependencies:
15
- - !ruby/object:Gem::Dependency
16
- name: test-spec
17
- type: :development
18
- version_requirement:
19
- version_requirements: !ruby/object:Gem::Requirement
20
- requirements:
21
- - - ">="
22
- - !ruby/object:Gem::Version
23
- version: "0"
24
- version:
25
- - !ruby/object:Gem::Dependency
26
- name: camping
27
- type: :development
28
- version_requirement:
29
- version_requirements: !ruby/object:Gem::Requirement
30
- requirements:
31
- - - ">="
32
- - !ruby/object:Gem::Version
33
- version: "0"
34
- version:
35
- - !ruby/object:Gem::Dependency
36
- name: fcgi
37
- type: :development
38
- version_requirement:
39
- version_requirements: !ruby/object:Gem::Requirement
40
- requirements:
41
- - - ">="
42
- - !ruby/object:Gem::Version
43
- version: "0"
44
- version:
45
- - !ruby/object:Gem::Dependency
46
- name: memcache-client
47
- type: :development
48
- version_requirement:
49
- version_requirements: !ruby/object:Gem::Requirement
50
- requirements:
51
- - - ">="
52
- - !ruby/object:Gem::Version
53
- version: "0"
54
- version:
55
- - !ruby/object:Gem::Dependency
56
- name: mongrel
57
- type: :development
58
- version_requirement:
59
- version_requirements: !ruby/object:Gem::Requirement
60
- requirements:
61
- - - ">="
62
- - !ruby/object:Gem::Version
63
- version: "0"
64
- version:
65
- - !ruby/object:Gem::Dependency
66
- name: ruby-openid
67
- type: :development
68
- version_requirement:
69
- version_requirements: !ruby/object:Gem::Requirement
70
- requirements:
71
- - - ~>
72
- - !ruby/object:Gem::Version
73
- version: 2.0.0
74
- version:
75
- - !ruby/object:Gem::Dependency
76
- name: thin
77
- type: :development
78
- version_requirement:
79
- version_requirements: !ruby/object:Gem::Requirement
80
- requirements:
81
- - - ">="
82
- - !ruby/object:Gem::Version
83
- version: "0"
84
- version:
14
+ dependencies: []
15
+
85
16
  description: Rack provides minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call. Also see http://rack.rubyforge.org.
86
17
  email: chneukirchen@gmail.com
87
18
  executables:
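Review bot: `dependencies: []` here is the published consequence of the commented-out lines in the Rakefile hunk, yet the README changelog for 0.9.1 mentions only the traversal fix; add a changelog line for the removed development dependencies so the metadata change is documented alongside the security fix it ships with.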