rack 1.2.7 → 1.2.8
- data/README +17 -0
- data/lib/rack/session/cookie.rb +1 -1
- data/lib/rack/utils.rb +25 -0
- data/rack.gemspec +1 -1
- data/test/spec_utils.rb +6 -1
- metadata +4 -4
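--- a/data/README
+++ b/data/README
@@ -479,6 +479,23 @@ run on port 11211) and memcache-client installed.
 * [SEC] Rack::Auth::AbstractRequest no longer symbolizes arbitrary strings
 * Fixed erroneous test case in the 1.3.x series
 
+* February 7th, Thirty fifth public release 1.1.6, 1.2.8, 1.3.10
+* Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
+
+* February 7th, Thirty fifth public release 1.4.5
+* Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
+* Fix CVE-2013-0262, symlink path traversal in Rack::File
+
+* February 7th, Thirty fifth public release 1.5.2
+* Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
+* Fix CVE-2013-0262, symlink path traversal in Rack::File
+* Add various methods to Session for enhanced Rails compatibility
+* Request#trusted_proxy? now only matches whole stirngs
+* Add JSON cookie coder, to be default in Rack 1.6+ due to security concerns
+* URLMap host matching in environments that don't set the Host header fixed
+* Fix a race condition that could result in overwritten pidfiles
+* Various documentation additions
+
 == Contact
 
 Please post bugs, suggestions and patches to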
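--- a/data/lib/rack/session/cookie.rb
+++ b/data/lib/rack/session/cookie.rb
@@ -55,7 +55,7 @@ module Rack
 
 if @secret && session_data
 session_data, digest = session_data.split("--")
-session_data = nil unless digest
+session_data = nil unless Utils.secure_compare(digest, generate_hmac(session_data))
 end
 
 begin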
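Review bot: A cookie value with no `--` separator leaves `digest` nil after the `split` on line 57, and the new line 58 then calls `Utils.secure_compare(nil, …)`, which with the `bytesize`-based length check added in utils.rb raises NoMethodError instead of discarding the session; the removed line, as shown in this rendering, simply set `session_data` to nil in that case. The cookie is attacker-controlled, so a forged or truncated cookie now most likely surfaces as an unhandled exception rather than a fresh session, and the `begin` on line 61 cannot rescue it because it is raised before that block. Keep the presence check together with the constant-time compare: `session_data = nil unless digest && Utils.secure_compare(digest, generate_hmac(session_data))`. The enclosing method starts before and continues past this hunk, and `generate_hmac` is not visible here, so I am assuming it returns a fixed-length String digest.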
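--- a/data/lib/rack/utils.rb
+++ b/data/lib/rack/utils.rb
@@ -298,6 +298,31 @@ module Rack
 end
 module_function :rfc2822
 
+# Return the bytesize of String; uses String#length under Ruby 1.8 and
+# String#bytesize under 1.9.
+if ''.respond_to?(:bytesize)
+def bytesize(string)
+string.bytesize
+end
+else
+def bytesize(string)
+string.size
+end
+end
+module_function :bytesize
+
+# Constant time string comparison.
+def secure_compare(a, b)
+return false unless bytesize(a) == bytesize(b)
+
+l = a.unpack("C*")
+
+r, i = 0, -1
+b.each_byte { |v| r |= v ^ l[i+=1] }
+r == 0
+end
+module_function :secure_compare
+
 # Context allows the use of a compatible middleware at different points
 # in a request handling stack. A compatible middleware must define
 # #context which should take the arguments env and app. The first of which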
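Review bot: `secure_compare` assumes both arguments are Strings: `bytesize(nil)` on its first line raises NoMethodError rather than returning false, and the new caller in session/cookie.rb can pass a nil `digest` when the cookie has no `--` separator. A guard such as `return false if a.nil? || b.nil?` ahead of the length check keeps malformed input from becoming an exception, and returning early there is not a timing concern because nil carries no secret. The early `return false` on a length mismatch does leak the length of the inputs, which is acceptable for fixed-length HMAC digests but should be said in the header comment, e.g. `# Constant time string comparison. Leaks only the length of the inputs, so use it for fixed-length values such as HMAC digests.` The unchanged context line at test line 274 of spec_utils.rb already exercises `Rack::Utils.bytesize`, which suggests the `bytesize` definition in this hunk may duplicate one already present in utils.rb; worth confirming before shipping a second copy.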
data/rack.gemspec
CHANGED
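--- a/data/test/spec_utils.rb
+++ b/data/test/spec_utils.rb
@@ -274,7 +274,12 @@ describe Rack::Utils do
 Rack::Utils.bytesize("FOO\xE2\x82\xAC").should.equal 6
 end
 
-should "
+should "should perform constant time string comparison" do
+Rack::Utils.secure_compare('a', 'a').should.equal true
+Rack::Utils.secure_compare('a', 'b').should.equal false
+end
+
+should "should return status code for integer" do
 Rack::Utils.status_code(200).should.equal 200
 end
 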
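Review bot: The new spec only checks equal-length single-byte inputs, so the length-mismatch branch of `secure_compare` (`return false unless bytesize(a) == bytesize(b)`) and byte-wise comparison of multibyte data go untested. Adding `Rack::Utils.secure_compare('a', 'ab').should.equal false` and `Rack::Utils.secure_compare("FOO\xE2\x82\xAC", "FOO\xE2\x82\xAC").should.equal true` beside the two existing assertions would pin both paths. A case for a nil argument is also worth adding once the intended behaviour for nil is settled, since the cookie session store can pass one.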
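--- a/metadata
+++ b/metadata
@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-hash:
+hash: 15
 prerelease:
 segments:
 - 1
 - 2
--
-version: 1.2.
+- 8
+version: 1.2.8
 platform: ruby
 authors:
 - Christian Neukirchen
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2013-
+date: 2013-02-08 00:00:00 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: bacon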