rack 1.2.6 → 1.2.7
- data/README +16 -0
- data/lib/rack.rb +12 -0
- data/lib/rack/auth/abstract/request.rb +5 -1
- data/rack.gemspec +1 -1
- data/test/spec_auth.rb +57 -0
- metadata +6 -4
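--- a/data/README
+++ b/data/README
@@ -469,11 +469,27 @@ run on port 11211) and memcache-client installed.
 * Rack::BodyProxy now explicitly defines #each, useful for C extensions
 * Cookies that are not URI escaped no longer cause exceptions
 
+* January 7th, 2013: Thirtieth public release 1.3.8
+* Security: Prevent unbounded reads in large multipart boundaries
+
+* January 7th, 2013: Thirty first public release 1.4.3
+* Security: Prevent unbounded reads in large multipart boundaries
+
+* January 13th, 2013: Thirty second public release 1.4.4, 1.3.9, 1.2.7, 1.1.5
+* [SEC] Rack::Auth::AbstractRequest no longer symbolizes arbitrary strings
+* Fixed erroneous test case in the 1.3.x series
+
 == Contact
 
 Please post bugs, suggestions and patches to
 the bug tracker at <http://github.com/rack/rack/issues>.
 
+Please post security related bugs and suggestions to the core team at
+<https://groups.google.com/group/rack-core> or rack-core@googlegroups.com. Due
+to wide usage of the library, it is strongly preferred that we manage timing in
+order to provide viable patches at the time of disclosure. Your assistance in
+this matter is greatly appreciated.
+
 Mailing list archives are available at
 <http://groups.google.com/group/rack-devel>.
 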
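--- a/data/lib/rack.rb
+++ b/data/lib/rack.rb
@@ -71,6 +71,18 @@ module Rack
 autoload :Params, "rack/auth/digest/params"
 autoload :Request, "rack/auth/digest/request"
 end
+
+# Not all of the following schemes are "standards", but they are used often.
+@schemes = %w[basic digest bearer mac token oauth oauth2]
+
+def self.add_scheme scheme
+@schemes << scheme
+@schemes.uniq!
+end
+
+def self.schemes
+@schemes.dup
+end
 end
 
 module Session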
data/rack.gemspec
CHANGED
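--- /dev/null
+++ b/data/test/spec_auth.rb
@@ -0,0 +1,57 @@
+require 'rack'
+
+describe Rack::Auth do
+it "should have all common authentication schemes" do
+Rack::Auth.schemes.should.include? 'basic'
+Rack::Auth.schemes.should.include? 'digest'
+Rack::Auth.schemes.should.include? 'bearer'
+Rack::Auth.schemes.should.include? 'token'
+end
+
+it "should allow registration of new auth schemes" do
+Rack::Auth.schemes.should.not.include "test"
+Rack::Auth.add_scheme "test"
+Rack::Auth.schemes.should.include "test"
+end
+end
+
+describe Rack::Auth::AbstractRequest do
+it "should symbolize known auth schemes" do
+env = Rack::MockRequest.env_for('/')
+env['HTTP_AUTHORIZATION'] = 'Basic aXJyZXNwb25zaWJsZQ=='
+req = Rack::Auth::AbstractRequest.new(env)
+req.scheme.should.equal :basic
+
+
+env['HTTP_AUTHORIZATION'] = 'Digest aXJyZXNwb25zaWJsZQ=='
+req = Rack::Auth::AbstractRequest.new(env)
+req.scheme.should.equal :digest
+
+env['HTTP_AUTHORIZATION'] = 'Bearer aXJyZXNwb25zaWJsZQ=='
+req = Rack::Auth::AbstractRequest.new(env)
+req.scheme.should.equal :bearer
+
+env['HTTP_AUTHORIZATION'] = 'MAC aXJyZXNwb25zaWJsZQ=='
+req = Rack::Auth::AbstractRequest.new(env)
+req.scheme.should.equal :mac
+
+env['HTTP_AUTHORIZATION'] = 'Token aXJyZXNwb25zaWJsZQ=='
+req = Rack::Auth::AbstractRequest.new(env)
+req.scheme.should.equal :token
+
+env['HTTP_AUTHORIZATION'] = 'OAuth aXJyZXNwb25zaWJsZQ=='
+req = Rack::Auth::AbstractRequest.new(env)
+req.scheme.should.equal :oauth
+
+env['HTTP_AUTHORIZATION'] = 'OAuth2 aXJyZXNwb25zaWJsZQ=='
+req = Rack::Auth::AbstractRequest.new(env)
+req.scheme.should.equal :oauth2
+end
+
+it "should not symbolize unknown auth schemes" do
+env = Rack::MockRequest.env_for('/')
+env['HTTP_AUTHORIZATION'] = 'magic aXJyZXNwb25zaWJsZQ=='
+req = Rack::Auth::AbstractRequest.new(env)
+req.scheme.should == "magic"
+end
+end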
metadata
CHANGED
@@ -1,13 +1,13 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: rack
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
hash:
|
4
|
+
hash: 17
|
5
5
|
prerelease:
|
6
6
|
segments:
|
7
7
|
- 1
|
8
8
|
- 2
|
9
|
-
-
|
10
|
-
version: 1.2.
|
9
|
+
- 7
|
10
|
+
version: 1.2.7
|
11
11
|
platform: ruby
|
12
12
|
authors:
|
13
13
|
- Christian Neukirchen
|
@@ -15,7 +15,7 @@ autorequire:
|
|
15
15
|
bindir: bin
|
16
16
|
cert_chain: []
|
17
17
|
|
18
|
-
date: 2013-01-
|
18
|
+
date: 2013-01-13 00:00:00 Z
|
19
19
|
dependencies:
|
20
20
|
- !ruby/object:Gem::Dependency
|
21
21
|
name: bacon
|
@@ -204,6 +204,7 @@ files:
|
|
204
204
|
- test/multipart/semicolon
|
205
205
|
- test/multipart/text
|
206
206
|
- test/rackup/config.ru
|
207
|
+
- test/spec_auth.rb
|
207
208
|
- test/spec_auth_basic.rb
|
208
209
|
- test/spec_auth_digest.rb
|
209
210
|
- test/spec_builder.rb
|
@@ -289,6 +290,7 @@ signing_key:
|
|
289
290
|
specification_version: 3
|
290
291
|
summary: a modular Ruby webserver interface
|
291
292
|
test_files:
|
293
|
+
- test/spec_auth.rb
|
292
294
|
- test/spec_auth_basic.rb
|
293
295
|
- test/spec_auth_digest.rb
|
294
296
|
- test/spec_builder.rb
|