rack 1.2.3 → 1.2.4

data/README

@@ -341,6 +341,9 @@ run on port 11211) and memcache-client installed.
   * Pulled in relevant bug fixes from 1.3
   * Fixed 1.8.6 support
 
+* September 16, 2011: Eighteenth public release 1.2.4
+  * Fix a bug with MRI regex engine to prevent XSS by malformed unicode
+
 == Contact
 
 Please post bugs, suggestions and patches to
@@ -365,6 +368,8 @@ The Rack Core Team, consisting of
 * Michael Fellinger (manveru)
 * Ryan Tomayko (rtomayko)
 * Scytrin dai Kinthra (scytrin)
+* Aaron Patterson (tenderlove)
+* Konstantin Haase (rkh)
 
 would like to thank:
 

data/lib/rack/sendfile.rb

@@ -46,16 +46,15 @@ module Rack
   #     proxy_set_header   X-Forwarded-For     $proxy_add_x_forwarded_for;
   #
   #     proxy_set_header   X-Sendfile-Type     X-Accel-Redirect;
-  #     proxy_set_header   X-Accel-Mapping     /files/=/var/www/;
+  #     proxy_set_header   X-Accel-Mapping     /var/www/=/files/;
   #
   #     proxy_pass         http://127.0.0.1:8080/;
   #   }
   #
   # Note that the X-Sendfile-Type header must be set exactly as shown above. The
-  # X-Accel-Mapping header should specify the name of the private URL pattern,
-  # followed by an equals sign (=), followed by the location on the file system
-  # that it maps to. The middleware performs a simple substitution on the
-  # resulting path.
+  # X-Accel-Mapping header should specify the internal URI path, followed by an
+  # equals sign (=), followed name of the location in the file system that it maps
+  # to. The middleware performs a simple substitution on the resulting path.
   #
   # See Also: http://wiki.codemongers.com/NginxXSendfile
   #

data/lib/rack/utils.rb

@@ -134,8 +134,15 @@ module Rack
       ">" => ">",
       "'" => "'",
       '"' => """,
+      "/" => "/"
     }
-    ESCAPE_HTML_PATTERN = Regexp.union(*ESCAPE_HTML.keys)
+    if //.respond_to?(:encoding)
+      ESCAPE_HTML_PATTERN = Regexp.union(*ESCAPE_HTML.keys)
+    else
+      # On 1.8, there is a kcode = 'u' bug that allows for XSS otherwhise
+      # TODO doesn't apply to jruby, so a better condition above might be preferable?
+      ESCAPE_HTML_PATTERN = /#{Regexp.union(*ESCAPE_HTML.keys)}/n
+    end
 
     # Escape ampersands, brackets and quotes to their HTML/XML entities.
     def escape_html(string)

data/rack.gemspec

@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name            = "rack"
-  s.version         = "1.2.3"
+  s.version         = "1.2.4"
   s.platform        = Gem::Platform::RUBY
   s.summary         = "a modular Ruby webserver interface"
 

data/test/spec_utils.rb

@@ -2,6 +2,14 @@ require 'rack/utils'
 require 'rack/mock'
 
 describe Rack::Utils do
+  def kcodeu
+    one8 = RUBY_VERSION.to_f < 1.9
+    default_kcode, $KCODE = $KCODE, 'U' if one8
+    yield
+  ensure
+    $KCODE = default_kcode if one8
+  end
+
   should "escape correctly" do
     Rack::Utils.escape("fo<o>bar").should.equal "fo%3Co%3Ebar"
     Rack::Utils.escape("a space").should.equal "a+space"
@@ -18,6 +26,38 @@ describe Rack::Utils do
     Rack::Utils.escape(matz_name_sep).should.equal '%E3%81%BE%E3%81%A4+%E3%82%82%E3%81%A8'
   end
 
+  if RUBY_VERSION[/^\d+\.\d+/] == '1.8'
+    should "escape correctly for multibyte characters if $KCODE is set to 'U'" do
+      kcodeu do
+        matz_name = "\xE3\x81\xBE\xE3\x81\xA4\xE3\x82\x82\xE3\x81\xA8".unpack("a*")[0] # Matsumoto
+        matz_name.force_encoding("UTF-8") if matz_name.respond_to? :force_encoding
+        Rack::Utils.escape(matz_name).should.equal '%E3%81%BE%E3%81%A4%E3%82%82%E3%81%A8'
+        matz_name_sep = "\xE3\x81\xBE\xE3\x81\xA4 \xE3\x82\x82\xE3\x81\xA8".unpack("a*")[0] # Matsu moto
+        matz_name_sep.force_encoding("UTF-8") if matz_name_sep.respond_to? :force_encoding
+        Rack::Utils.escape(matz_name_sep).should.equal '%E3%81%BE%E3%81%A4+%E3%82%82%E3%81%A8'
+      end
+    end
+
+    should "unescape multibyte characters correctly if $KCODE is set to 'U'" do
+      kcodeu do
+        Rack::Utils.unescape('%E3%81%BE%E3%81%A4+%E3%82%82%E3%81%A8').should.equal(
+        "\xE3\x81\xBE\xE3\x81\xA4 \xE3\x82\x82\xE3\x81\xA8".unpack("a*")[0])
+      end
+    end
+  end
+
+  should "escape objects that responds to to_s" do
+    kcodeu do
+      Rack::Utils.escape(:id).should.equal "id"
+    end
+  end
+
+  if "".respond_to?(:encode)
+    should "escape non-UTF8 strings" do
+      Rack::Utils.escape("ø".encode("ISO-8859-1")).should.equal "%F8"
+    end
+  end
+
   should "unescape correctly" do
     Rack::Utils.unescape("fo%3Co%3Ebar").should.equal "fo<o>bar"
     Rack::Utils.unescape("a+space").should.equal "a space"
@@ -175,6 +215,38 @@ describe Rack::Utils do
       message.should.equal "value must be a Hash"
   end
 
+  should "escape html entities [&><'\"/]" do
+    Rack::Utils.escape_html("foo").should.equal "foo"
+    Rack::Utils.escape_html("f&o").should.equal "f&amp;o"
+    Rack::Utils.escape_html("f<o").should.equal "f&lt;o"
+    Rack::Utils.escape_html("f>o").should.equal "f&gt;o"
+    Rack::Utils.escape_html("f'o").should.equal "f&#39;o"
+    Rack::Utils.escape_html('f"o').should.equal "f&quot;o"
+    Rack::Utils.escape_html("f/o").should.equal "f&#47;o"
+    Rack::Utils.escape_html("<foo></foo>").should.equal "&lt;foo&gt;&lt;&#47;foo&gt;"
+  end
+
+  should "escape html entities even on MRI when it's bugged" do
+    test_escape = lambda do
+      kcodeu do
+        Rack::Utils.escape_html("\300<").should.equal "\300&lt;"
+      end
+    end
+
+    if RUBY_VERSION.to_f < 1.9
+      test_escape.call
+    else
+      test_escape.should.raise(ArgumentError)
+    end
+  end
+
+  if "".respond_to?(:encode)
+    should "escape html entities in unicode strings" do
+      # the following will cause warnings if the regex is poorly encoded:
+      Rack::Utils.escape_html("☃").should.equal "☃"
+    end
+  end
+
   should "figure out which encodings are acceptable" do
     helper = lambda do |a, b|
       request = Rack::Request.new(Rack::MockRequest.env_for("", "HTTP_ACCEPT_ENCODING" => a))

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: rack
 version: !ruby/object:Gem::Version 
-  hash: 25
+  hash: 23
   prerelease: 
   segments: 
   - 1
   - 2
-  - 3
-  version: 1.2.3
+  - 4
+  version: 1.2.4
 platform: ruby
 authors: 
 - Christian Neukirchen
@@ -15,8 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-05-23 00:00:00 -07:00
-default_executable: 
+date: 2011-09-16 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: bacon
@@ -256,7 +255,6 @@ files:
 - Rakefile
 - README
 - SPEC
-has_rdoc: true
 homepage: http://rack.rubyforge.org
 licenses: []
 
@@ -286,7 +284,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 
 rubyforge_project: rack
-rubygems_version: 1.5.2
+rubygems_version: 1.8.10
 signing_key: 
 specification_version: 3
 summary: a modular Ruby webserver interface