rest-client 1.7.2-x64-mingw32 → 1.7.3-x64-mingw32

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: bc9b19f8abd8f264f4c7ac7acb61958e46a1cc42
+  data.tar.gz: bdaa911803deedb6cc50870ecc438f98fbd6ba8f
+SHA512:
+  metadata.gz: d44146b63bc834c1edf8ac916c5f8a6c8ff322ff471114699464778fcd37a27509e7dedc71120ddc5b02c20244fb2a6615b6cb0a3a637916a61ad8dbc2defeb7
+  data.tar.gz: 88be594b35a8c7eca659b553fd79c09ee6aec9411f1eaa176c9bf1bba95822c7283fb1cba78c5c9528ad97d7581475ee59d9dccd93cc06f5c2d1a53c4a8f3ecb

data/history.md

@@ -1,3 +1,9 @@
+# 1.7.3
+
+- Security: redact password in URI from logs (#349 / OSVDB-117461)
+- Drop monkey patch on MIME::Types (added `type_for_extension` method, use
+  the public interface instead.
+
 # 1.7.2
 
 - Ignore duplicate certificates in CA store on Windows

data/lib/restclient/exceptions.rb

@@ -195,8 +195,8 @@ module RestClient
   end
 end
 
-# backwards compatibility
 class RestClient::Request
+  # backwards compatibility
   Redirect = RestClient::Redirect
   Unauthorized = RestClient::Unauthorized
   RequestFailed = RestClient::RequestFailed

data/lib/restclient/platform.rb

@@ -4,7 +4,7 @@ module RestClient
     # be false for jruby even on OS X.
     #
     # @return [Boolean]
-    def self.mac?
+    def self.mac_mri?
       RUBY_PLATFORM.include?('darwin')
     end
 

data/lib/restclient/request.rb

@@ -334,7 +334,7 @@ module RestClient
 
     def print_verify_callback_warnings
       warned = false
-      if RestClient::Platform.mac?
+      if RestClient::Platform.mac_mri?
         warn('warning: ssl_verify_callback return code is ignored on OS X')
         warned = true
       end
@@ -519,7 +519,18 @@ module RestClient
       return unless RestClient.log
 
       out = []
-      out << "RestClient.#{method} #{url.inspect}"
+      sanitized_url = begin
+        uri = URI.parse(url)
+        uri.password = "REDACTED" if uri.password
+        uri.to_s
+      rescue URI::InvalidURIError
+        # An attacker may be able to manipulate the URL to be
+        # invalid, which could force discloure of a password if
+        # we show any of the un-parsed URL here.
+        "[invalid uri]"
+      end
+
+      out << "RestClient.#{method} #{sanitized_url.inspect}"
       out << payload.short_inspect if payload
       out << processed_headers.to_a.sort.map { |(k, v)| [k.inspect, v.inspect].join("=>") }.join(", ")
       RestClient.log << out.join(', ') + "\n"
@@ -544,8 +555,7 @@ module RestClient
           key = key.to_s.split(/_/).map { |w| w.capitalize }.join('-')
         end
         if 'CONTENT-TYPE' == key.upcase
-          target_value = value.to_s
-          result[key] = MIME::Types.type_for_extension target_value
+          result[key] = maybe_convert_extension(value.to_s)
         elsif 'ACCEPT' == key.upcase
           # Accept can be composed of several comma-separated values
           if value.is_a? Array
@@ -553,7 +563,9 @@ module RestClient
           else
             target_values = value.to_s.split ','
           end
-          result[key] = target_values.map { |ext| MIME::Types.type_for_extension(ext.to_s.strip) }.join(', ')
+          result[key] = target_values.map { |ext|
+            maybe_convert_extension(ext.to_s.strip)
+          }.join(', ')
         else
           result[key] = value.to_s
         end
@@ -571,21 +583,38 @@ module RestClient
       URI.const_defined?(:Parser) ? URI::Parser.new : URI
     end
 
-  end
-end
-
-module MIME
-  class Types
-
-    # Return the first found content-type for a value considered as an extension or the value itself
-    def type_for_extension ext
-      candidates = @extension_index[ext]
-      candidates.empty? ? ext : candidates[0].content_type
-    end
+    # Given a MIME type or file extension, return either a MIME type or, if
+    # none is found, the input unchanged.
+    #
+    #     >> maybe_convert_extension('json')
+    #     => 'application/json'
+    #
+    #     >> maybe_convert_extension('unknown')
+    #     => 'unknown'
+    #
+    #     >> maybe_convert_extension('application/xml')
+    #     => 'application/xml'
+    #
+    # @param ext [String]
+    #
+    # @return [String]
+    #
+    def maybe_convert_extension(ext)
+      unless ext =~ /\A[a-zA-Z0-9_@-]+\z/
+        # Don't look up strings unless they look like they could be a file
+        # extension known to mime-types.
+        #
+        # There currently isn't any API public way to look up extensions
+        # directly out of MIME::Types, but the type_for() method only strips
+        # off after a period anyway.
+        return ext
+      end
 
-    class << self
-      def type_for_extension ext
-        @__types__.type_for_extension ext
+      types = MIME::Types.type_for(ext)
+      if types.empty?
+        ext
+      else
+        types.first.content_type
       end
     end
   end

data/lib/restclient/version.rb

@@ -1,5 +1,5 @@
 module RestClient
-  VERSION = '1.7.2' unless defined?(self::VERSION)
+  VERSION = '1.7.3' unless defined?(self::VERSION)
 
   def self.version
     VERSION

data/spec/integration/request_spec.rb

@@ -34,7 +34,7 @@ describe RestClient::Request do
     #
     # On OS X, this test fails since Apple has patched OpenSSL to always fall
     # back on the system CA store.
-    it "is unsuccessful with an incorrect ca_file", :unless => RestClient::Platform.mac? do
+    it "is unsuccessful with an incorrect ca_file", :unless => RestClient::Platform.mac_mri? do
       request = RestClient::Request.new(
         :method => :get,
         :url => 'https://www.mozilla.org',
@@ -45,7 +45,7 @@ describe RestClient::Request do
 
     # On OS X, this test fails since Apple has patched OpenSSL to always fall
     # back on the system CA store.
-    it "is unsuccessful with an incorrect ca_path", :unless => RestClient::Platform.mac? do
+    it "is unsuccessful with an incorrect ca_path", :unless => RestClient::Platform.mac_mri? do
       request = RestClient::Request.new(
         :method => :get,
         :url => 'https://www.mozilla.org',
@@ -79,7 +79,7 @@ describe RestClient::Request do
     end
 
     it "fails verification when the callback returns false",
-       :unless => RestClient::Platform.mac? do
+       :unless => RestClient::Platform.mac_mri? do
       request = RestClient::Request.new(
         :method => :get,
         :url => 'https://www.mozilla.org',
@@ -90,7 +90,7 @@ describe RestClient::Request do
     end
 
     it "succeeds verification when the callback returns true",
-       :unless => RestClient::Platform.mac? do
+       :unless => RestClient::Platform.mac_mri? do
       request = RestClient::Request.new(
         :method => :get,
         :url => 'https://www.mozilla.org',

data/spec/unit/request_spec.rb

@@ -414,6 +414,18 @@ describe RestClient::Request do
       @request.log_response res
       log[0].should eq "# => 200 OK | text/html 0 bytes\n"
     end
+
+    it 'does not log request password' do
+      log = RestClient.log = []
+      RestClient::Request.new(:method => :get, :url => 'http://user:password@url', :headers => {:user_agent => 'rest-client', :accept => '*/*'}).log_request
+      log[0].should eq %Q{RestClient.get "http://user:REDACTED@url", "Accept"=>"*/*", "Accept-Encoding"=>"gzip, deflate", "User-Agent"=>"rest-client"\n}
+    end
+
+    it 'logs invalid URIs, even though they will fail elsewhere' do
+      log = RestClient.log = []
+      RestClient::Request.new(:method => :get, :url => 'http://a@b:c', :headers => {:user_agent => 'rest-client', :accept => '*/*'}).log_request
+      log[0].should eq %Q{RestClient.get "[invalid uri]", "Accept"=>"*/*", "Accept-Encoding"=>"gzip, deflate", "User-Agent"=>"rest-client"\n}
+    end
   end
 
   it "strips the charset from the response content type" do

metadata

@@ -1,157 +1,140 @@
 --- !ruby/object:Gem::Specification
 name: rest-client
 version: !ruby/object:Gem::Version
-  version: 1.7.2
-  prerelease: 
+  version: 1.7.3
 platform: x64-mingw32
 authors:
 - REST Client Team
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-07-14 00:00:00.000000000 Z
+date: 2015-02-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: webmock
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '1.4'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '1.4'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '2.4'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '2.4'
 - !ruby/object:Gem::Dependency
   name: pry
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: pry-doc
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: rdoc
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: 2.4.2
-    - - <
+    - - "<"
       - !ruby/object:Gem::Version
         version: '5.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: 2.4.2
-    - - <
+    - - "<"
       - !ruby/object:Gem::Version
         version: '5.0'
 - !ruby/object:Gem::Dependency
   name: mime-types
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.16'
-    - - <
+    - - "<"
       - !ruby/object:Gem::Version
         version: '3.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.16'
-    - - <
+    - - "<"
       - !ruby/object:Gem::Version
         version: '3.0'
 - !ruby/object:Gem::Dependency
   name: netrc
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '0.7'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '0.7'
 - !ruby/object:Gem::Dependency
   name: ffi
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '1.9'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '1.9'
-description: ! 'A simple HTTP and REST client for Ruby, inspired by the Sinatra microframework
+description: 'A simple HTTP and REST client for Ruby, inspired by the Sinatra microframework
   style of specifying actions: get, put, post, delete.'
 email: rest.client@librelist.com
 executables:
@@ -161,9 +144,9 @@ extra_rdoc_files:
 - README.rdoc
 - history.md
 files:
-- .gitignore
-- .rspec
-- .travis.yml
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
 - AUTHORS
 - Gemfile
 - LICENSE
@@ -214,30 +197,26 @@ files:
 homepage: https://github.com/rest-client/rest-client
 licenses:
 - MIT
+metadata: {}
 post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: 1.9.2
 required_rubygems_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
-      segments:
-      - 0
-      hash: -4055888376059287478
 requirements: []
 rubyforge_project: 
-rubygems_version: 1.8.23
+rubygems_version: 2.2.2
 signing_key: 
-specification_version: 3
+specification_version: 4
 summary: Simple HTTP and REST client for Ruby, inspired by microframework syntax for
   specifying actions.
 test_files: