RubyGems - rack - Versions diffs - 1.6.10 → 1.6.11 - Mend

rack 1.6.10 → 1.6.11

Potentially problematic release.

This version of rack might be problematic. Click here for more details.

Files changed (8) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 054e343b38a83a00ffc626cb6d3b92e21454c0fb
-  data.tar.gz: 1f4c8f6e31f4e368371392a63d5232203be385d4
+SHA256:
+  metadata.gz: b455a83d19e7b00bb4feb2287b28116434155cf52ea772cb9b532495f49938cc
+  data.tar.gz: 99a947eaf73e0207a642c92398e26062d5dc508455c72447e865a6aaec86dc5b
 SHA512:
-  metadata.gz: 534da9c1e081350058c84fb1a1cc0c12beb6512f36fbd8f0651d96c2de6f5a911b9bbd900f88b0ca373b8b7c86a5d61f32d8c1ce6ef5e3ea1afd2dbf1c356451
-  data.tar.gz: 973368cf843dcd7ff8854a4c9af6f9e48ffd1a30200a765c7a0102c475aa0adf1c469f43c4ef955234ed41d4e5f03d99305ec46aae3b07df901a7148eaaf179a
+  metadata.gz: ecc84a2788ac063238c547ea118a1e14624ace7ebc683cbf34842e57f5d4ac6fd843c4be0c3e717d7351da297a5e664f7b93255c2b37f3a73dc0939a4eb5596f
+  data.tar.gz: ff727aec584e743839a3a9c3fbe9f88d3c6c481b3f9fdf6f472a182b6caef19de7835c9a5222359fe5bb296eab79030df880e220756693fbc244b7fd5f05756c

data/lib/rack.rb CHANGED

@@ -20,7 +20,7 @@ module Rack
   # Return the Rack release as a dotted string.
   def self.release
-    "1.6.10"
+    "1.6.11"
   end
   PATH_INFO      = 'PATH_INFO'.freeze
   REQUEST_METHOD = 'REQUEST_METHOD'.freeze

data/lib/rack/request.rb CHANGED

@@ -13,6 +13,8 @@ module Rack
     # The environment of the request.
     attr_reader :env
+    SCHEME_WHITELIST = %w(https http).freeze
     def initialize(env)
       @env = env
     end
@@ -68,10 +70,8 @@ module Rack
         'https'
       elsif @env['HTTP_X_FORWARDED_SSL'] == 'on'
         'https'
-      elsif @env['HTTP_X_FORWARDED_SCHEME']
-        @env['HTTP_X_FORWARDED_SCHEME']
-      elsif @env['HTTP_X_FORWARDED_PROTO']
-        @env['HTTP_X_FORWARDED_PROTO'].split(',')[0]
+      elsif forwarded_scheme
+        forwarded_scheme
       else
         @env["rack.url_scheme"]
       end
@@ -394,5 +394,18 @@ module Rack
         s
       end
     end
+    def forwarded_scheme
+      scheme_headers = [
+        @env['HTTP_X_FORWARDED_SCHEME'],
+        @env['HTTP_X_FORWARDED_PROTO'].to_s.split(',')[0]
+      ]
+      scheme_headers.each do |header|
+        return header if SCHEME_WHITELIST.include?(header)
+      end
+      nil
+    end
   end
 end

data/lib/rack/showexceptions.rb CHANGED

@@ -47,7 +47,7 @@ module Rack
     end
     def prefers_plaintext?(env)
-      !accepts_html(env)
+      !accepts_html?(env)
     end
     def accepts_html?(env)

data/rack.gemspec CHANGED

@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name            = "rack"
-  s.version         = "1.6.10"
+  s.version         = "1.6.11"
   s.platform        = Gem::Platform::RUBY
   s.summary         = "a modular Ruby webserver interface"
   s.license         = "MIT"

data/test/spec_request.rb CHANGED

@@ -425,6 +425,11 @@ describe Rack::Request do
     request.should.be.ssl?
   end
+  should "prevent scheme abuse" do
+    request = Rack::Request.new(Rack::MockRequest.env_for("/", 'HTTP_X_FORWARDED_SCHEME' => 'a."><script>alert(1)</script>'))
+    request.scheme.should.not.equal 'a."><script>alert(1)</script>'
+  end
   should "parse cookies" do
     req = Rack::Request.new \
       Rack::MockRequest.env_for("", "HTTP_COOKIE" => "foo=bar;quux=h&m")

data/test/spec_showexceptions.rb CHANGED

@@ -82,4 +82,17 @@ describe Rack::ShowExceptions do
     res.should =~ /ShowExceptions/
     res.should =~ /unknown location/
   end
+  it "knows to prefer plaintext for non-html" do
+    # We don't need an app for this
+    exc = Rack::ShowExceptions.new(nil)
+    [
+      [{ "HTTP_ACCEPT" => "text/plain" }, true],
+      [{ "HTTP_ACCEPT" => "text/foo" }, true],
+      [{ "HTTP_ACCEPT" => "text/html" }, false]
+    ].each do |env, expected|
+      assert_equal(expected, exc.prefers_plaintext?(env))
+    end
+  end
 end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-  version: 1.6.10
+  version: 1.6.11
 platform: ruby
 authors:
 - Christian Neukirchen
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-04-23 00:00:00.000000000 Z
+date: 2018-11-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bacon
@@ -256,57 +256,57 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: rack
-rubygems_version: 2.6.13
+rubygems_version: 2.7.6
 signing_key:
 specification_version: 4
 summary: a modular Ruby webserver interface
 test_files:
-- test/spec_auth_basic.rb
-- test/spec_auth_digest.rb
-- test/spec_body_proxy.rb
-- test/spec_builder.rb
-- test/spec_cascade.rb
-- test/spec_cgi.rb
-- test/spec_chunked.rb
-- test/spec_commonlogger.rb
-- test/spec_conditionalget.rb
-- test/spec_config.rb
-- test/spec_content_length.rb
-- test/spec_content_type.rb
+- test/spec_multipart.rb
 - test/spec_deflater.rb
-- test/spec_directory.rb
+- test/spec_static.rb
+- test/spec_session_cookie.rb
+- test/spec_commonlogger.rb
+- test/spec_session_pool.rb
+- test/spec_methodoverride.rb
 - test/spec_etag.rb
-- test/spec_fastcgi.rb
-- test/spec_file.rb
+- test/spec_version.rb
 - test/spec_handler.rb
-- test/spec_head.rb
-- test/spec_lint.rb
-- test/spec_lobster.rb
-- test/spec_lock.rb
-- test/spec_logger.rb
-- test/spec_methodoverride.rb
+- test/spec_thin.rb
+- test/spec_showexceptions.rb
+- test/spec_session_abstract_id.rb
 - test/spec_mime.rb
-- test/spec_mock.rb
-- test/spec_mongrel.rb
-- test/spec_multipart.rb
-- test/spec_nulllogger.rb
 - test/spec_recursive.rb
+- test/spec_cgi.rb
+- test/spec_content_type.rb
 - test/spec_request.rb
-- test/spec_response.rb
-- test/spec_rewindable_input.rb
+- test/spec_showstatus.rb
+- test/spec_chunked.rb
 - test/spec_runtime.rb
+- test/spec_fastcgi.rb
+- test/spec_builder.rb
+- test/spec_config.rb
+- test/spec_mongrel.rb
+- test/spec_utils.rb
 - test/spec_sendfile.rb
-- test/spec_server.rb
-- test/spec_session_abstract_id.rb
-- test/spec_session_cookie.rb
-- test/spec_session_memcache.rb
-- test/spec_session_pool.rb
-- test/spec_showexceptions.rb
-- test/spec_showstatus.rb
-- test/spec_static.rb
+- test/spec_lobster.rb
+- test/spec_lint.rb
 - test/spec_tempfile_reaper.rb
-- test/spec_thin.rb
-- test/spec_urlmap.rb
-- test/spec_utils.rb
-- test/spec_version.rb
+- test/spec_mock.rb
+- test/spec_conditionalget.rb
+- test/spec_server.rb
+- test/spec_directory.rb
 - test/spec_webrick.rb
+- test/spec_response.rb
+- test/spec_file.rb
+- test/spec_body_proxy.rb
+- test/spec_logger.rb
+- test/spec_auth_digest.rb
+- test/spec_urlmap.rb
+- test/spec_nulllogger.rb
+- test/spec_cascade.rb
+- test/spec_auth_basic.rb
+- test/spec_head.rb
+- test/spec_lock.rb
+- test/spec_rewindable_input.rb
+- test/spec_session_memcache.rb
+- test/spec_content_length.rb