rack 1.2.6 → 1.2.7

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of rack might be problematic. Click here for more details.

data/README CHANGED
@@ -469,11 +469,27 @@ run on port 11211) and memcache-client installed.
469
469
  * Rack::BodyProxy now explicitly defines #each, useful for C extensions
470
470
  * Cookies that are not URI escaped no longer cause exceptions
471
471
 
472
+ * January 7th, 2013: Thirtieth public release 1.3.8
473
+ * Security: Prevent unbounded reads in large multipart boundaries
474
+
475
+ * January 7th, 2013: Thirty first public release 1.4.3
476
+ * Security: Prevent unbounded reads in large multipart boundaries
477
+
478
+ * January 13th, 2013: Thirty second public release 1.4.4, 1.3.9, 1.2.7, 1.1.5
479
+ * [SEC] Rack::Auth::AbstractRequest no longer symbolizes arbitrary strings
480
+ * Fixed erroneous test case in the 1.3.x series
481
+
472
482
  == Contact
473
483
 
474
484
  Please post bugs, suggestions and patches to
475
485
  the bug tracker at <http://github.com/rack/rack/issues>.
476
486
 
487
+ Please post security related bugs and suggestions to the core team at
488
+ <https://groups.google.com/group/rack-core> or rack-core@googlegroups.com. Due
489
+ to wide usage of the library, it is strongly preferred that we manage timing in
490
+ order to provide viable patches at the time of disclosure. Your assistance in
491
+ this matter is greatly appreciated.
492
+
477
493
  Mailing list archives are available at
478
494
  <http://groups.google.com/group/rack-devel>.
479
495
 
@@ -71,6 +71,18 @@ module Rack
71
71
  autoload :Params, "rack/auth/digest/params"
72
72
  autoload :Request, "rack/auth/digest/request"
73
73
  end
74
+
75
+ # Not all of the following schemes are "standards", but they are used often.
76
+ @schemes = %w[basic digest bearer mac token oauth oauth2]
77
+
78
+ def self.add_scheme scheme
79
+ @schemes << scheme
80
+ @schemes.uniq!
81
+ end
82
+
83
+ def self.schemes
84
+ @schemes.dup
85
+ end
74
86
  end
75
87
 
76
88
  module Session
@@ -15,7 +15,11 @@ module Rack
15
15
  end
16
16
 
17
17
  def scheme
18
- @scheme ||= parts.first.downcase.to_sym
18
+ @scheme ||=
19
+ begin
20
+ s = parts.first.downcase
21
+ Rack::Auth.schemes.include?(s) ? s.to_sym : s
22
+ end
19
23
  end
20
24
 
21
25
  def params
@@ -1,6 +1,6 @@
1
1
  Gem::Specification.new do |s|
2
2
  s.name = "rack"
3
- s.version = "1.2.6"
3
+ s.version = "1.2.7"
4
4
  s.platform = Gem::Platform::RUBY
5
5
  s.summary = "a modular Ruby webserver interface"
6
6
 
@@ -0,0 +1,57 @@
1
+ require 'rack'
2
+
3
+ describe Rack::Auth do
4
+ it "should have all common authentication schemes" do
5
+ Rack::Auth.schemes.should.include? 'basic'
6
+ Rack::Auth.schemes.should.include? 'digest'
7
+ Rack::Auth.schemes.should.include? 'bearer'
8
+ Rack::Auth.schemes.should.include? 'token'
9
+ end
10
+
11
+ it "should allow registration of new auth schemes" do
12
+ Rack::Auth.schemes.should.not.include "test"
13
+ Rack::Auth.add_scheme "test"
14
+ Rack::Auth.schemes.should.include "test"
15
+ end
16
+ end
17
+
18
+ describe Rack::Auth::AbstractRequest do
19
+ it "should symbolize known auth schemes" do
20
+ env = Rack::MockRequest.env_for('/')
21
+ env['HTTP_AUTHORIZATION'] = 'Basic aXJyZXNwb25zaWJsZQ=='
22
+ req = Rack::Auth::AbstractRequest.new(env)
23
+ req.scheme.should.equal :basic
24
+
25
+
26
+ env['HTTP_AUTHORIZATION'] = 'Digest aXJyZXNwb25zaWJsZQ=='
27
+ req = Rack::Auth::AbstractRequest.new(env)
28
+ req.scheme.should.equal :digest
29
+
30
+ env['HTTP_AUTHORIZATION'] = 'Bearer aXJyZXNwb25zaWJsZQ=='
31
+ req = Rack::Auth::AbstractRequest.new(env)
32
+ req.scheme.should.equal :bearer
33
+
34
+ env['HTTP_AUTHORIZATION'] = 'MAC aXJyZXNwb25zaWJsZQ=='
35
+ req = Rack::Auth::AbstractRequest.new(env)
36
+ req.scheme.should.equal :mac
37
+
38
+ env['HTTP_AUTHORIZATION'] = 'Token aXJyZXNwb25zaWJsZQ=='
39
+ req = Rack::Auth::AbstractRequest.new(env)
40
+ req.scheme.should.equal :token
41
+
42
+ env['HTTP_AUTHORIZATION'] = 'OAuth aXJyZXNwb25zaWJsZQ=='
43
+ req = Rack::Auth::AbstractRequest.new(env)
44
+ req.scheme.should.equal :oauth
45
+
46
+ env['HTTP_AUTHORIZATION'] = 'OAuth2 aXJyZXNwb25zaWJsZQ=='
47
+ req = Rack::Auth::AbstractRequest.new(env)
48
+ req.scheme.should.equal :oauth2
49
+ end
50
+
51
+ it "should not symbolize unknown auth schemes" do
52
+ env = Rack::MockRequest.env_for('/')
53
+ env['HTTP_AUTHORIZATION'] = 'magic aXJyZXNwb25zaWJsZQ=='
54
+ req = Rack::Auth::AbstractRequest.new(env)
55
+ req.scheme.should == "magic"
56
+ end
57
+ end
metadata CHANGED
@@ -1,13 +1,13 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rack
3
3
  version: !ruby/object:Gem::Version
4
- hash: 19
4
+ hash: 17
5
5
  prerelease:
6
6
  segments:
7
7
  - 1
8
8
  - 2
9
- - 6
10
- version: 1.2.6
9
+ - 7
10
+ version: 1.2.7
11
11
  platform: ruby
12
12
  authors:
13
13
  - Christian Neukirchen
@@ -15,7 +15,7 @@ autorequire:
15
15
  bindir: bin
16
16
  cert_chain: []
17
17
 
18
- date: 2013-01-07 00:00:00 Z
18
+ date: 2013-01-13 00:00:00 Z
19
19
  dependencies:
20
20
  - !ruby/object:Gem::Dependency
21
21
  name: bacon
@@ -204,6 +204,7 @@ files:
204
204
  - test/multipart/semicolon
205
205
  - test/multipart/text
206
206
  - test/rackup/config.ru
207
+ - test/spec_auth.rb
207
208
  - test/spec_auth_basic.rb
208
209
  - test/spec_auth_digest.rb
209
210
  - test/spec_builder.rb
@@ -289,6 +290,7 @@ signing_key:
289
290
  specification_version: 3
290
291
  summary: a modular Ruby webserver interface
291
292
  test_files:
293
+ - test/spec_auth.rb
292
294
  - test/spec_auth_basic.rb
293
295
  - test/spec_auth_digest.rb
294
296
  - test/spec_builder.rb