rack 1.3.3 → 1.3.4





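--- a/[path not shown]
+++ b/[path not shown]
@@ -361,6 +361,15 @@ run on port 11211) and memcache-client installed.
  * Prevents XSS attacks enabled by bug in Ruby 1.8's regexp engine
  * Rack::ConditionalGet handles broken If-Modified-Since helpers
 
+ * September 16, 2011: Eighteenth public release 1.2.4
+ * Fix a bug with MRI regex engine to prevent XSS by malformed unicode
+
+ * October 1, 2011: Nineteenth public release 1.3.4
+ * Backport security fix from 1.9.3, also fixes some roundtrip issues in URI
+ * Small documentation update
+ * Fix an issue where BodyProxy could cause an infinite recursion
+ * Add some supporting files for travis-ci
+
  == Contact
 
  Please post bugs, suggestions and patches to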
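--- /dev/null
+++ b/[path not shown]
@@ -0,0 +1,54 @@
+ # :stopdoc:
+
+ # Stolen from ruby core's uri/common.rb @32618ba to fix DoS issues in 1.9.2
+ #
+ # https://github.com/ruby/ruby/blob/32618ba7438a2247042bba9b5d85b5d49070f5e5/lib/uri/common.rb
+ #
+ # Issue:
+ # http://redmine.ruby-lang.org/issues/5149
+ #
+ # Relevant Fixes:
+ # https://github.com/ruby/ruby/commit/b5f91deee04aa6ccbe07c23c8222b937c22a799b
+ # https://github.com/ruby/ruby/commit/93177c1e5c3906abf14472ae0b905d8b5c72ce1b
+ #
+ # This should probably be removed once there is a Ruby 1.9.2 patch level that
+ # includes this fix.
+
+ require 'uri/common'
+
+ module URI
+ def self.decode_www_form(str, enc=Encoding::UTF_8)
+ return [] if str.empty?
+ unless /\A#{WFKV_}=#{WFKV_}(?:[;&]#{WFKV_}=#{WFKV_})*\z/o =~ str
+ raise ArgumentError, "invalid data of application/x-www-form-urlencoded (#{str})"
+ end
+ ary = []
+ $&.scan(/([^=;&]+)=([^;&]*)/) do
+ ary << [decode_www_form_component($1, enc), decode_www_form_component($2, enc)]
+ end
+ ary
+ end
+
+ def self.decode_www_form_component(str, enc=Encoding::UTF_8)
+ if TBLDECWWWCOMP_.empty?
+ tbl = {}
+ 256.times do |i|
+ h, l = i>>4, i&15
+ tbl['%%%X%X' % [h, l]] = i.chr
+ tbl['%%%x%X' % [h, l]] = i.chr
+ tbl['%%%X%x' % [h, l]] = i.chr
+ tbl['%%%x%x' % [h, l]] = i.chr
+ end
+ tbl['+'] = ' '
+ begin
+ TBLDECWWWCOMP_.replace(tbl)
+ TBLDECWWWCOMP_.freeze
+ rescue
+ end
+ end
+ raise ArgumentError, "invalid %-encoding (#{str})" unless /\A[^%]*(?:%\h\h[^%]*)*\z/ =~ str
+ str.gsub(/\+|%\h\h/, TBLDECWWWCOMP_).force_encoding(enc)
+ end
+
+ WFKV_ = '(?:[^%#=;&]*(?:%\h\h[^%#=;&]*)*)' # :nodoc:
+ end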
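Review bot: The bare `rescue` around `TBLDECWWWCOMP_.replace(tbl)` and `TBLDECWWWCOMP_.freeze` in `decode_www_form_component` carries no comment saying why swallowing the error is safe; it looks like a guard for a second caller racing through the same lazy initialisation after the first has already frozen the table, but that is not visible from the code, and a reader will wonder whether the `gsub` two lines below can run against a still-empty table. Suggest `# A concurrent first call may already have filled and frozen the table with the same contents; that failure is harmless.` above the `begin`. The `WFKV_ = ...` assignment at the bottom re-assigns a constant that the `uri/common` required at the top presumably already defines on 1.9.2, which emits an "already initialized constant" warning under `-w`; if that is intended, the header comment should say the constant is deliberately replaced, since the new value is what keeps the `decode_www_form` regexp linear. The header could also state that this reopens `URI` and replaces two public stdlib methods for the whole process, not only for Rack, so every library in the process now sees the stricter `ArgumentError`.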
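--- a/[path not shown]
+++ b/[path not shown]
@@ -9,13 +9,10 @@ module Rack
  end
 
  def close
- raise IOError, "closed stream" if @closed
- begin
- @body.close if @body.respond_to? :close
- ensure
- @block.call
- @closed = true
- end
+ return if @closed
+ @closed = true
+ @body.close if @body.respond_to? :close
+ @block.call
  end
 
  def closed?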
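Review bot: Dropping the `ensure` means `@block.call` is skipped whenever `@body.close` raises, whereas the 1.3.3 version always ran the callback; the callback is the only hook a caller has to release whatever it holds for the response, so an exception from the wrapped body now leaks that cleanup. Setting `@closed = true` before closing the body (which is what stops the re-entrant close) and keeping the callback in an `ensure` are compatible, as below. The enclosing class begins before this hunk and `closed?` continues after it.
```ruby
def close
  return if @closed
  @closed = true
  begin
    @body.close if @body.respond_to? :close
  ensure
    @block.call
  end
end
```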
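--- a/[path not shown]
+++ b/[path not shown]
@@ -28,6 +28,9 @@ module Rack
  # list = WEBrick::HTTPUtils.load_mime_types('/etc/mime.types')
  # Rack::Mime::MIME_TYPES.merge!(list)
  #
+ # N.B. On Ubuntu the mime.types file does not include the leading period, so
+ # users may need to modify the data before merging into the hash.
+ #
  # To add the list mongrel provides, use:
  #
  # require 'mongrel/handlers'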
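--- a/[path not shown]
+++ b/[path not shown]
@@ -6,9 +6,10 @@ require 'rack/multipart'
 
  major, minor, patch = RUBY_VERSION.split('.').map { |v| v.to_i }
 
- if (major == 1 && minor < 9) || (major == 1 && minor == 9 && patch < 2)
- # pull in backports
- require 'rack/backports/uri/common'
+ if major == 1 && minor < 9
+ require 'rack/backports/uri/common_18'
+ elsif major == 1 && minor == 9 && patch < 3
+ require 'rack/backports/uri/common_192'
  else
  require 'uri/common'
  end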
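Review bot: The `elsif major == 1 && minor == 9 && patch < 3` branch now routes 1.9.0 and 1.9.1 to `rack/backports/uri/common_192` as well, where 1.3.3 gave them the full `rack/backports/uri/common`; the new backport shown earlier in this diff reopens `URI`, reads `TBLDECWWWCOMP_` and re-assigns `WFKV_`, so on a 1.9.x whose stdlib predates those definitions (as far as I recall `decode_www_form` appeared in 1.9.2) the first decode would raise `NameError` rather than be protected. Either a comment stating that 1.9.0/1.9.1 are unsupported, or keeping them on the 1.8 backport if it still defines those names, would close that gap. Because only `RUBY_VERSION` is consulted, a 1.9.2 patchlevel that ships the upstream fix still gets the monkey patch; that is harmless, but the backport's own header says it should go away once such a patchlevel exists, so a note here such as `# 1.9.x before 1.9.3: stdlib URI.decode_www_form_component backtracks catastrophically (ruby issue 5149)` would tie the two files together.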
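--- a/[path not shown]
+++ b/[path not shown]
@@ -1,6 +1,6 @@
  Gem::Specification.new do |s|
  s.name = "rack"
- s.version = "1.3.3"
+ s.version = "1.3.4"
  s.platform = Gem::Platform::RUBY
  s.summary = "a modular Ruby webserver interface"
 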
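--- a/[path not shown]
+++ b/[path not shown]
@@ -32,6 +32,6 @@ EOF
 
  s.add_development_dependency 'fcgi'
  s.add_development_dependency 'memcache-client'
- s.add_development_dependency 'mongrel'
+ s.add_development_dependency 'mongrel', '>= 1.2.0.pre2'
  s.add_development_dependency 'thin'
  end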
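--- a/[path not shown]
+++ b/[path not shown]
@@ -35,9 +35,14 @@ describe Rack::BodyProxy do
  should 'not close more than one time' do
  count = 0
  proxy = Rack::BodyProxy.new([]) { count += 1; raise "Block invoked more than 1 time!" if count > 1 }
+ 2.times { proxy.close }
+ count.should.equal 1
+ end
+
+ should 'be closed when the callback is triggered' do
+ closed = false
+ proxy = Rack::BodyProxy.new([]) { closed = proxy.closed? }
  proxy.close
- lambda {
- proxy.close
- }.should.raise(IOError)
+ closed.should.equal true
  end
  end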
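--- a/[path not shown]
+++ b/[path not shown]
@@ -58,6 +58,16 @@ describe Rack::Utils do
  Rack::Utils.escape("ø".encode("ISO-8859-1")).should.equal "%F8"
  end
  end
+
+ should "not hang on escaping long strings that end in % (http://redmine.ruby-lang.org/issues/5149)" do
+ lambda {
+ timeout(1) do
+ lambda {
+ URI.decode_www_form_component "A string that causes catastrophic backtracking as it gets longer %"
+ }.should.raise(ArgumentError)
+ end
+ }.should.not.raise(Timeout::Error)
+ end
 
  should "escape path spaces with %20" do
  Rack::Utils.escape_path("foo bar").should.equal "foo%20bar"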
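Review bot: The new spec calls bare `timeout(1)`, i.e. `Kernel#timeout` from the `timeout` library, and the `require` that provides it is not visible in this hunk; if it is absent the example fails with `NoMethodError` before exercising anything, and `Kernel#timeout` was later deprecated in favour of the module method. Suggest `Timeout.timeout(1) do` here and `require 'timeout'` at the top of the file. It is also worth a one-line comment that the example calls `URI.decode_www_form_component` directly, so on Ruby 1.9.3 or newer it exercises the stdlib implementation rather than the backport, which is fine as a regression test as long as readers know that.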
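--- a/metadata
+++ b/metadata
@@ -1,13 +1,13 @@
  --- !ruby/object:Gem::Specification
  name: rack
  version: !ruby/object:Gem::Version
- hash: 29
+ hash: 19
  prerelease:
  segments:
  - 1
  - 3
- - 3
- version: 1.3.3
+ - 4
+ version: 1.3.4
  platform: ruby
  authors:
  - Christian Neukirchen
@@ -15,7 +15,7 @@ autorequire:
  bindir: bin
  cert_chain: []
 
- date: 2011-09-16 00:00:00 Z
+ date: 2011-10-01 00:00:00 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: bacon
@@ -81,10 +81,14 @@ dependencies:
  requirements:
  - - ">="
  - !ruby/object:Gem::Version
- hash: 3
+ hash: 1923831981
  segments:
+ - 1
+ - 2
  - 0
- version: "0"
+ - pre
+ - 2
+ version: 1.2.0.pre2
  type: :development
  version_requirements: *id005
  - !ruby/object:Gem::Dependency
@@ -131,7 +135,8 @@ files:
  - lib/rack/auth/digest/nonce.rb
  - lib/rack/auth/digest/params.rb
  - lib/rack/auth/digest/request.rb
- - lib/rack/backports/uri/common.rb
+ - lib/rack/backports/uri/common_18.rb
+ - lib/rack/backports/uri/common_192.rb
  - lib/rack/body_proxy.rb
  - lib/rack/builder.rb
  - lib/rack/cascade.rb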