rack 1.3.8 → 1.3.9





@@ -479,11 +479,21 @@ run on port 11211) and memcache-client installed.
479
479
  * January 7th, 2013: Thirty first public release 1.4.3
480
480
  * Security: Prevent unbounded reads in large multipart boundaries
481
481
 
482
+ * January 13th, 2013: Thirty second public release 1.4.4, 1.3.9, 1.2.7, 1.1.5
483
+ * [SEC] Rack::Auth::AbstractRequest no longer symbolizes arbitrary strings
484
+ * Fixed erroneous test case in the 1.3.x series
485
+
482
486
  == Contact
483
487
 
484
488
  Please post bugs, suggestions and patches to
485
489
  the bug tracker at <http://github.com/rack/rack/issues>.
486
490
 
491
+ Please post security related bugs and suggestions to the core team at
492
+ <https://groups.google.com/group/rack-core> or rack-core@googlegroups.com. Due
493
+ to wide usage of the library, it is strongly preferred that we manage timing in
494
+ order to provide viable patches at the time of disclosure. Your assistance in
495
+ this matter is greatly appreciated.
496
+
487
497
  Mailing list archives are available at
488
498
  <http://groups.google.com/group/rack-devel>.
489
499
 
@@ -73,6 +73,18 @@ module Rack
73
73
  autoload :Params, "rack/auth/digest/params"
74
74
  autoload :Request, "rack/auth/digest/request"
75
75
  end
76
+
77
+ # Not all of the following schemes are "standards", but they are used often.
78
+ @schemes = %w[basic digest bearer mac token oauth oauth2]
79
+
80
+ def self.add_scheme scheme
81
+ @schemes << scheme
82
+ @schemes.uniq!
83
+ end
84
+
85
+ def self.schemes
86
+ @schemes.dup
87
+ end
76
88
  end
77
89
 
78
90
  module Session
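Review bot: The new `add_scheme` stores the name exactly as passed, while `Rack::Auth::AbstractRequest#scheme` in the same release downcases the header token before testing `Rack::Auth.schemes.include?`, so a registration such as `add_scheme "Bearer"` or `add_scheme :custom` would never match a request; normalise on the way in with `@schemes << scheme.to_s.downcase` so the list stays consistent with the all-lowercase defaults. `@schemes` is shared, mutable module state with no synchronisation, and `<<` followed by `uniq!` is not atomic, so registration should happen at boot rather than per request — a comment such as `# Register schemes at load time; the list is not safe for concurrent mutation.` above `add_scheme` would prevent that misuse. As written the method also returns `nil` when the name was already present (the `uniq!` result) and the array otherwise, which is an odd contract; returning `@schemes.dup` or `nil` consistently would be cleaner. The enclosing `module Rack` opens before this hunk and continues after it.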
@@ -21,7 +21,11 @@ module Rack
21
21
  end
22
22
 
23
23
  def scheme
24
- @scheme ||= parts.first.downcase.to_sym
24
+ @scheme ||=
25
+ begin
26
+ s = parts.first.downcase
27
+ Rack::Auth.schemes.include?(s) ? s.to_sym : s
28
+ end
25
29
  end
26
30
 
27
31
  def params
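Review bot: The rewritten `scheme` now returns a Symbol for registered schemes and a downcased String for anything else, and nothing in the method explains why the return type is deliberately mixed; since the mixed type is the security fix itself, it deserves a comment above `def scheme` along the lines of `# Only allow-listed names (Rack::Auth.schemes) are interned as Symbols; any other header token is returned as a String so an unauthenticated client cannot grow the symbol table with arbitrary values.` The same comment should warn that callers which previously compared `scheme` against a String now receive a Symbol for known schemes. `parts` is defined outside this hunk; if it can be empty when no Authorization header is sent, `parts.first.downcase` raises NoMethodError exactly as it did before — presumably callers check `provided?` first, but that is not changed here. The enclosing `AbstractRequest` class starts before and continues after this hunk.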
@@ -1,6 +1,6 @@
1
1
  Gem::Specification.new do |s|
2
2
  s.name = "rack"
3
- s.version = "1.3.8"
3
+ s.version = "1.3.9"
4
4
  s.platform = Gem::Platform::RUBY
5
5
  s.summary = "a modular Ruby webserver interface"
6
6
 
@@ -0,0 +1,57 @@
1
+ require 'rack'
2
+
3
+ describe Rack::Auth do
4
+ it "should have all common authentication schemes" do
5
+ Rack::Auth.schemes.should.include? 'basic'
6
+ Rack::Auth.schemes.should.include? 'digest'
7
+ Rack::Auth.schemes.should.include? 'bearer'
8
+ Rack::Auth.schemes.should.include? 'token'
9
+ end
10
+
11
+ it "should allow registration of new auth schemes" do
12
+ Rack::Auth.schemes.should.not.include "test"
13
+ Rack::Auth.add_scheme "test"
14
+ Rack::Auth.schemes.should.include "test"
15
+ end
16
+ end
17
+
18
+ describe Rack::Auth::AbstractRequest do
19
+ it "should symbolize known auth schemes" do
20
+ env = Rack::MockRequest.env_for('/')
21
+ env['HTTP_AUTHORIZATION'] = 'Basic aXJyZXNwb25zaWJsZQ=='
22
+ req = Rack::Auth::AbstractRequest.new(env)
23
+ req.scheme.should.equal :basic
24
+
25
+
26
+ env['HTTP_AUTHORIZATION'] = 'Digest aXJyZXNwb25zaWJsZQ=='
27
+ req = Rack::Auth::AbstractRequest.new(env)
28
+ req.scheme.should.equal :digest
29
+
30
+ env['HTTP_AUTHORIZATION'] = 'Bearer aXJyZXNwb25zaWJsZQ=='
31
+ req = Rack::Auth::AbstractRequest.new(env)
32
+ req.scheme.should.equal :bearer
33
+
34
+ env['HTTP_AUTHORIZATION'] = 'MAC aXJyZXNwb25zaWJsZQ=='
35
+ req = Rack::Auth::AbstractRequest.new(env)
36
+ req.scheme.should.equal :mac
37
+
38
+ env['HTTP_AUTHORIZATION'] = 'Token aXJyZXNwb25zaWJsZQ=='
39
+ req = Rack::Auth::AbstractRequest.new(env)
40
+ req.scheme.should.equal :token
41
+
42
+ env['HTTP_AUTHORIZATION'] = 'OAuth aXJyZXNwb25zaWJsZQ=='
43
+ req = Rack::Auth::AbstractRequest.new(env)
44
+ req.scheme.should.equal :oauth
45
+
46
+ env['HTTP_AUTHORIZATION'] = 'OAuth2 aXJyZXNwb25zaWJsZQ=='
47
+ req = Rack::Auth::AbstractRequest.new(env)
48
+ req.scheme.should.equal :oauth2
49
+ end
50
+
51
+ it "should not symbolize unknown auth schemes" do
52
+ env = Rack::MockRequest.env_for('/')
53
+ env['HTTP_AUTHORIZATION'] = 'magic aXJyZXNwb25zaWJsZQ=='
54
+ req = Rack::Auth::AbstractRequest.new(env)
55
+ req.scheme.should == "magic"
56
+ end
57
+ end
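Review bot: The second example in `describe Rack::Auth` registers `"test"` through `add_scheme` and never undoes it, and there is no API to remove a scheme, so the process-wide list stays mutated for every later spec and the `should.not.include "test"` precondition would fail if the example were re-run in the same process; at minimum note that in a comment, or assert against the value captured before the mutation rather than the global again. The spec also leaves the case-normalisation that `AbstractRequest#scheme` depends on untested — every known scheme is sent in canonical capitalisation and the unknown one in lowercase — so adding `env['HTTP_AUTHORIZATION'] = 'MAGIC aXJyZXNwb25zaWJsZQ=='` with `Rack::Auth::AbstractRequest.new(env).scheme.should == "magic"`, plus a `'BASIC aXJyZXNwb25zaWJsZQ=='` header expecting `:basic`, would pin the behaviour the fix relies on. Minor style point: the first example uses the predicate form `should.include?` and the second `should.include`; pick one for the file.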
@@ -262,12 +262,6 @@ describe Rack::Response do
262
262
  res.body.should.be.closed
263
263
  b.should.not == res.body
264
264
 
265
- res.body = StringIO.new
266
- res.status = 205
267
- _, _, b = res.finish
268
- res.body.should.be.closed
269
- b.should.not == res.body
270
-
271
265
  res.body = StringIO.new
272
266
  res.status = 304
273
267
  _, _, b = res.finish
metadata CHANGED
@@ -1,13 +1,13 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rack
3
3
  version: !ruby/object:Gem::Version
4
- hash: 11
4
+ hash: 9
5
5
  prerelease:
6
6
  segments:
7
7
  - 1
8
8
  - 3
9
- - 8
10
- version: 1.3.8
9
+ - 9
10
+ version: 1.3.9
11
11
  platform: ruby
12
12
  authors:
13
13
  - Christian Neukirchen
@@ -15,7 +15,7 @@ autorequire:
15
15
  bindir: bin
16
16
  cert_chain: []
17
17
 
18
- date: 2013-01-07 00:00:00 Z
18
+ date: 2013-01-13 00:00:00 Z
19
19
  dependencies:
20
20
  - !ruby/object:Gem::Dependency
21
21
  name: bacon
@@ -81,7 +81,7 @@ dependencies:
81
81
  requirements:
82
82
  - - ">="
83
83
  - !ruby/object:Gem::Version
84
- hash: 4227346531
84
+ hash: -1582507482
85
85
  segments:
86
86
  - 1
87
87
  - 2
@@ -226,6 +226,7 @@ files:
226
226
  - test/multipart/webkit
227
227
  - test/rackup/config.ru
228
228
  - test/registering_handler/rack/handler/registering_myself.rb
229
+ - test/spec_auth.rb
229
230
  - test/spec_auth_basic.rb
230
231
  - test/spec_auth_digest.rb
231
232
  - test/spec_body_proxy.rb
@@ -315,6 +316,7 @@ signing_key:
315
316
  specification_version: 3
316
317
  summary: a modular Ruby webserver interface
317
318
  test_files:
319
+ - test/spec_auth.rb
318
320
  - test/spec_auth_basic.rb
319
321
  - test/spec_auth_digest.rb
320
322
  - test/spec_body_proxy.rb