rack 1.3.3 → 1.3.4
- data/README.rdoc +9 -0
- data/lib/rack/backports/uri/{common.rb → common_18.rb} +0 -0
- data/lib/rack/backports/uri/common_192.rb +54 -0
- data/lib/rack/body_proxy.rb +4 -7
- data/lib/rack/mime.rb +3 -0
- data/lib/rack/utils.rb +4 -3
- data/rack.gemspec +2 -2
- data/test/spec_body_proxy.rb +8 -3
- data/test/spec_utils.rb +10 -0
- metadata +12 -7
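--- a/data/README.rdoc
+++ b/data/README.rdoc
@@ -361,6 +361,15 @@ run on port 11211) and memcache-client installed.
 * Prevents XSS attacks enabled by bug in Ruby 1.8's regexp engine
 * Rack::ConditionalGet handles broken If-Modified-Since helpers
 
+* September 16, 2011: Eighteenth public release 1.2.4
+* Fix a bug with MRI regex engine to prevent XSS by malformed unicode
+
+* October 1, 2011: Nineteenth public release 1.3.4
+* Backport security fix from 1.9.3, also fixes some roundtrip issues in URI
+* Small documentation update
+* Fix an issue where BodyProxy could cause an infinite recursion
+* Add some supporting files for travis-ci
+
 == Contact
 
 Please post bugs, suggestions and patches to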
File without changes
|
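--- /dev/null
+++ b/data/lib/rack/backports/uri/common_192.rb
@@ -0,0 +1,54 @@
+# :stopdoc:
+
+# Stolen from ruby core's uri/common.rb @32618ba to fix DoS issues in 1.9.2
+#
+# https://github.com/ruby/ruby/blob/32618ba7438a2247042bba9b5d85b5d49070f5e5/lib/uri/common.rb
+#
+# Issue:
+# http://redmine.ruby-lang.org/issues/5149
+#
+# Relevant Fixes:
+# https://github.com/ruby/ruby/commit/b5f91deee04aa6ccbe07c23c8222b937c22a799b
+# https://github.com/ruby/ruby/commit/93177c1e5c3906abf14472ae0b905d8b5c72ce1b
+#
+# This should probably be removed once there is a Ruby 1.9.2 patch level that
+# includes this fix.
+
+require 'uri/common'
+
+module URI
+def self.decode_www_form(str, enc=Encoding::UTF_8)
+return [] if str.empty?
+unless /\A#{WFKV_}=#{WFKV_}(?:[;&]#{WFKV_}=#{WFKV_})*\z/o =~ str
+raise ArgumentError, "invalid data of application/x-www-form-urlencoded (#{str})"
+end
+ary = []
+$&.scan(/([^=;&]+)=([^;&]*)/) do
+ary << [decode_www_form_component($1, enc), decode_www_form_component($2, enc)]
+end
+ary
+end
+
+def self.decode_www_form_component(str, enc=Encoding::UTF_8)
+if TBLDECWWWCOMP_.empty?
+tbl = {}
+256.times do |i|
+h, l = i>>4, i&15
+tbl['%%%X%X' % [h, l]] = i.chr
+tbl['%%%x%X' % [h, l]] = i.chr
+tbl['%%%X%x' % [h, l]] = i.chr
+tbl['%%%x%x' % [h, l]] = i.chr
+end
+tbl['+'] = ' '
+begin
+TBLDECWWWCOMP_.replace(tbl)
+TBLDECWWWCOMP_.freeze
+rescue
+end
+end
+raise ArgumentError, "invalid %-encoding (#{str})" unless /\A[^%]*(?:%\h\h[^%]*)*\z/ =~ str
+str.gsub(/\+|%\h\h/, TBLDECWWWCOMP_).force_encoding(enc)
+end
+
+WFKV_ = '(?:[^%#=;&]*(?:%\h\h[^%#=;&]*)*)' # :nodoc:
+end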
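Review bot: The bare `rescue` with an empty body at new lines 46-47 hides any failure of `TBLDECWWWCOMP_.replace`/`freeze`, and when that happens the table stays empty, so the `gsub` on line 50 replaces every `+` and `%XX` match with an empty string (a missing hash key yields no replacement text) instead of decoding it — the form data is silently mangled rather than rejected. Presumably the rescue guards against the constant already being frozen by another copy of this code; say so, `rescue # constant may already be frozen by core or another backport`, and fail closed after the `begin` block with `raise "TBLDECWWWCOMP_ could not be populated" if TBLDECWWWCOMP_.empty?`. The `ArgumentError` messages on lines 23 and 49 interpolate the whole untrusted input, which tends to land in logs and error pages; truncating it is the safer default. A one-line comment above line 49 noting that `[^%]*` and `%\h\h` can never match at the same position, which is what rules out the backtracking, would record why this regex is the fix.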
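--- a/data/lib/rack/body_proxy.rb
+++ b/data/lib/rack/body_proxy.rb
@@ -9,13 +9,10 @@ module Rack
 end
 
 def close
-
-
-
-
-@block.call
-@closed = true
-end
+return if @closed
+@closed = true
+@body.close if @body.respond_to? :close
+@block.call
 end
 
 def closed?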
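Review bot: In the new `close` (lines 12-15) `@block.call` is no longer guaranteed to run: if `@body.close` on line 14 raises, the method unwinds before line 15, and because `@closed` was already set on line 13 a second `close` returns immediately, so the block's cleanup is skipped permanently. Setting `@closed` first is presumably what stops the recursion the README entry refers to, so keep that ordering but put the body close and the callback in a `begin`/`ensure` so the callback still runs when the wrapped body fails to close. The accompanying spec_body_proxy.rb hunk adds no test for a body whose `close` raises; one asserting that the block still ran and that the error propagates would pin this. The enclosing class starts before this hunk.
```ruby
def close
  return if @closed
  @closed = true
  begin
    @body.close if @body.respond_to? :close
  ensure
    @block.call
  end
end
```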
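--- a/data/lib/rack/mime.rb
+++ b/data/lib/rack/mime.rb
@@ -28,6 +28,9 @@ module Rack
 # list = WEBrick::HTTPUtils.load_mime_types('/etc/mime.types')
 # Rack::Mime::MIME_TYPES.merge!(list)
 #
+# N.B. On Ubuntu the mime.types file does not include the leading period, so
+# users may need to modify the data before merging into the hash.
+#
 # To add the list mongrel provides, use:
 #
 # require 'mongrel/handlers'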
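--- a/data/lib/rack/utils.rb
+++ b/data/lib/rack/utils.rb
@@ -6,9 +6,10 @@ require 'rack/multipart'
 
 major, minor, patch = RUBY_VERSION.split('.').map { |v| v.to_i }
 
-if
-
-
+if major == 1 && minor < 9
+require 'rack/backports/uri/common_18'
+elsif major == 1 && minor == 9 && patch < 3
+require 'rack/backports/uri/common_192'
 else
 require 'uri/common'
 end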
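Review bot: The branch on new line 11, `elsif major == 1 && minor == 9 && patch < 3`, chooses the 1.9.2 backport from `RUBY_VERSION` alone, so a 1.9.2 patch level that ships the upstream fix — the very condition the backport's own header gives for removing it — would still be overridden, because `RUBY_PATCHLEVEL` is never consulted and nothing here records that dependency. A comment above line 11 would tie the two files together: `# 1.9.2 (any patchlevel) ships a URI.decode_www_form_component that backtracks catastrophically (ruby-lang #5149); see backports/uri/common_192.rb for when this branch can go`. The file continues past this hunk, so whether anything downstream re-checks the version is not visible here.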
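--- a/data/rack.gemspec
+++ b/data/rack.gemspec
@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
 s.name = "rack"
-s.version = "1.3.
+s.version = "1.3.4"
 s.platform = Gem::Platform::RUBY
 s.summary = "a modular Ruby webserver interface"
 
@@ -32,6 +32,6 @@ EOF
 
 s.add_development_dependency 'fcgi'
 s.add_development_dependency 'memcache-client'
-s.add_development_dependency 'mongrel'
+s.add_development_dependency 'mongrel', '>= 1.2.0.pre2'
 s.add_development_dependency 'thin'
 end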
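--- a/data/test/spec_body_proxy.rb
+++ b/data/test/spec_body_proxy.rb
@@ -35,9 +35,14 @@ describe Rack::BodyProxy do
 should 'not close more than one time' do
 count = 0
 proxy = Rack::BodyProxy.new([]) { count += 1; raise "Block invoked more than 1 time!" if count > 1 }
+2.times { proxy.close }
+count.should.equal 1
+end
+
+should 'be closed when the callback is triggered' do
+closed = false
+proxy = Rack::BodyProxy.new([]) { closed = proxy.closed? }
 proxy.close
-
-proxy.close
-}.should.raise(IOError)
+closed.should.equal true
 end
 end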
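--- a/data/test/spec_utils.rb
+++ b/data/test/spec_utils.rb
@@ -58,6 +58,16 @@ describe Rack::Utils do
 Rack::Utils.escape("ø".encode("ISO-8859-1")).should.equal "%F8"
 end
 end
+
+should "not hang on escaping long strings that end in % (http://redmine.ruby-lang.org/issues/5149)" do
+lambda {
+timeout(1) do
+lambda {
+URI.decode_www_form_component "A string that causes catastrophic backtracking as it gets longer %"
+}.should.raise(ArgumentError)
+end
+}.should.not.raise(Timeout::Error)
+end
 
 should "escape path spaces with %20" do
 Rack::Utils.escape_path("foo bar").should.equal "foo%20bar"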
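Review bot: The input on new line 66 is about seventy characters, so on an unpatched 1.9.2 it may well finish inside the one-second `timeout` and the test would pass without exercising the backtracking it is named for; if, as the test name implies, the cost grows with the length of the non-`%` prefix, build the input from a repeated string such as `("a" * 2_000) + "%"` so a regression is unmistakable. `timeout(1)` on line 64 relies on the top-level `timeout` method that the `timeout` library adds, which works on 1.9 but is the form later Rubies deprecate; `Timeout.timeout(1)` with an explicit `require 'timeout'` at the head of the spec (outside this hunk) is the more durable spelling.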
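--- a/metadata
+++ b/metadata
@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-hash:
+hash: 19
 prerelease:
 segments:
 - 1
 - 3
--
-version: 1.3.
+- 4
+version: 1.3.4
 platform: ruby
 authors:
 - Christian Neukirchen
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-
+date: 2011-10-01 00:00:00 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: bacon
@@ -81,10 +81,14 @@ dependencies:
 requirements:
 - - ">="
 - !ruby/object:Gem::Version
-hash:
+hash: 1923831981
 segments:
+- 1
+- 2
 - 0
-
+- pre
+- 2
+version: 1.2.0.pre2
 type: :development
 version_requirements: *id005
 - !ruby/object:Gem::Dependency
@@ -131,7 +135,8 @@ files:
 - lib/rack/auth/digest/nonce.rb
 - lib/rack/auth/digest/params.rb
 - lib/rack/auth/digest/request.rb
-- lib/rack/backports/uri/
+- lib/rack/backports/uri/common_18.rb
+- lib/rack/backports/uri/common_192.rb
 - lib/rack/body_proxy.rb
 - lib/rack/builder.rb
 - lib/rack/cascade.rb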