rack 1.1.5 → 1.1.6

data/README

@@ -479,6 +479,23 @@ run on port 11211) and memcache-client installed.
   * [SEC] Rack::Auth::AbstractRequest no longer symbolizes arbitrary strings
   * Fixed erroneous test case in the 1.3.x series
 
+* February 7th, Thirty fifth public release 1.1.6, 1.2.8, 1.3.10
+  * Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
+
+* February 7th, Thirty fifth public release 1.4.5
+  * Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
+  * Fix CVE-2013-0262, symlink path traversal in Rack::File
+
+* February 7th, Thirty fifth public release 1.5.2
+  * Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
+  * Fix CVE-2013-0262, symlink path traversal in Rack::File
+  * Add various methods to Session for enhanced Rails compatibility
+  * Request#trusted_proxy? now only matches whole stirngs
+  * Add JSON cookie coder, to be default in Rack 1.6+ due to security concerns
+  * URLMap host matching in environments that don't set the Host header fixed
+  * Fix a race condition that could result in overwritten pidfiles
+  * Various documentation additions
+
 == Contact
 
 Please post bugs, suggestions and patches to

data/lib/rack.rb

@@ -20,7 +20,7 @@ module Rack
 
   # Return the Rack release as a dotted string.
   def self.release
-    "1.1.5"
+    "1.1.6"
   end
 
   autoload :Builder, "rack/builder"

data/lib/rack/session/cookie.rb

@@ -55,7 +55,7 @@ module Rack
 
         if @secret && session_data
           session_data, digest = session_data.split("--")
-          session_data = nil  unless digest == generate_hmac(session_data)
+          session_data = nil  unless Utils.secure_compare(digest, generate_hmac(session_data))
         end
 
         begin

data/lib/rack/utils.rb

@@ -285,6 +285,18 @@ module Rack
     end
     module_function :bytesize
 
+    # Constant time string comparison.
+    def secure_compare(a, b)
+      return false unless bytesize(a) == bytesize(b)
+
+      l = a.unpack("C*")
+
+      r, i = 0, -1
+      b.each_byte { |v| r |= v ^ l[i+=1] }
+      r == 0
+    end
+    module_function :secure_compare
+
     # Context allows the use of a compatible middleware at different points
     # in a request handling stack. A compatible middleware must define
     # #context which should take the arguments env and app. The first of which

data/rack.gemspec

@@ -3,7 +3,7 @@ require 'rack' # For Rack.release
 
 Gem::Specification.new do |s|
   s.name            = "rack"
-  s.version         = "1.1.5"
+  s.version         = "1.1.6"
   s.platform        = Gem::Platform::RUBY
   s.summary         = "a modular Ruby webserver interface"
 

data/test/spec_rack_utils.rb

@@ -205,6 +205,11 @@ context "Rack::Utils" do
     Rack::Utils.bytesize("FOO\xE2\x82\xAC").should.equal 6
   end
 
+  specify "should perform constant time string comparison" do
+    Rack::Utils.secure_compare('a', 'a').should.equal true
+    Rack::Utils.secure_compare('a', 'b').should.equal false
+  end
+
   specify "should return status code for integer" do
     Rack::Utils.status_code(200).should.equal 200
   end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: rack
 version: !ruby/object:Gem::Version 
-  hash: 25
+  hash: 31
   prerelease: 
   segments: 
   - 1
   - 1
-  - 5
-  version: 1.1.5
+  - 6
+  version: 1.1.6
 platform: ruby
 authors: 
 - Christian Neukirchen
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2013-01-13 00:00:00 Z
+date: 2013-02-08 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: test-spec