rack 1.3.9 → 1.3.10

data/README.rdoc

@@ -483,6 +483,23 @@ run on port 11211) and memcache-client installed.
   * [SEC] Rack::Auth::AbstractRequest no longer symbolizes arbitrary strings
   * Fixed erroneous test case in the 1.3.x series
 
+* February 7th, Thirty fifth public release 1.1.6, 1.2.8, 1.3.10
+  * Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
+
+* February 7th, Thirty fifth public release 1.4.5
+  * Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
+  * Fix CVE-2013-0262, symlink path traversal in Rack::File
+
+* February 7th, Thirty fifth public release 1.5.2
+  * Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
+  * Fix CVE-2013-0262, symlink path traversal in Rack::File
+  * Add various methods to Session for enhanced Rails compatibility
+  * Request#trusted_proxy? now only matches whole stirngs
+  * Add JSON cookie coder, to be default in Rack 1.6+ due to security concerns
+  * URLMap host matching in environments that don't set the Host header fixed
+  * Fix a race condition that could result in overwritten pidfiles
+  * Various documentation additions
+
 == Contact
 
 Please post bugs, suggestions and patches to

data/lib/rack/session/cookie.rb

@@ -112,7 +112,7 @@ module Rack
 
           if @secret && session_data
             session_data, digest = session_data.split("--")
-            session_data = nil  unless digest == generate_hmac(session_data)
+            session_data = nil  unless Rack::Utils.secure_compare(digest, generate_hmac(session_data))
           end
 
           coder.decode(session_data) || {}

data/lib/rack/utils.rb

@@ -346,6 +346,18 @@ module Rack
     end
     module_function :byte_ranges
 
+    # Constant time string comparison.
+    def secure_compare(a, b)
+      return false unless bytesize(a) == bytesize(b)
+
+      l = a.unpack("C*")
+
+      r, i = 0, -1
+      b.each_byte { |v| r |= v ^ l[i+=1] }
+      r == 0
+    end
+    module_function :secure_compare
+
     # Context allows the use of a compatible middleware at different points
     # in a request handling stack. A compatible middleware must define
     # #context which should take the arguments env and app. The first of which

data/rack.gemspec

@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name            = "rack"
-  s.version         = "1.3.9"
+  s.version         = "1.3.10"
   s.platform        = Gem::Platform::RUBY
   s.summary         = "a modular Ruby webserver interface"
 

data/test/spec_utils.rb

@@ -301,6 +301,11 @@ describe Rack::Utils do
     Rack::Utils.bytesize("FOO\xE2\x82\xAC").should.equal 6
   end
 
+  should "should perform constant time string comparison" do
+    Rack::Utils.secure_compare('a', 'a').should.equal true
+    Rack::Utils.secure_compare('a', 'b').should.equal false
+  end
+
   should "return status code for integer" do
     Rack::Utils.status_code(200).should.equal 200
   end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: rack
 version: !ruby/object:Gem::Version 
-  hash: 9
+  hash: 15
   prerelease: 
   segments: 
   - 1
   - 3
-  - 9
-  version: 1.3.9
+  - 10
+  version: 1.3.10
 platform: ruby
 authors: 
 - Christian Neukirchen
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2013-01-13 00:00:00 Z
+date: 2013-02-08 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: bacon
@@ -81,7 +81,7 @@ dependencies:
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
-        hash: -1582507482
+        hash: -747770836
         segments: 
         - 1
         - 2