ruby-openid 2.2.1 → 2.2.2
- data/CHANGELOG.md +14 -1
- data/lib/openid/fetchers.rb +17 -5
- data/lib/openid/version.rb +1 -1
- data/lib/openid/yadis/xrds.rb +22 -12
- metadata +4 -4
    
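--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,5 +1,18 @@
 # Changelog
 
+## 2.2.2
+
+* Limit fetching file size & disable XML entity expansion - be2bab5c21f04735045e071411b349afb790078f
+
+  Avoid DoS attack to RPs using large XRDS / too many XML entity expansion in XRDS.
+
+## 2.2.1
+
+* Make bundle exec rake work - 2100f281172427d1557ebe76afbd24072a22d04f
+* State license in gemspec for automated tools / rubygems.org page - 2d5c3cd8f2476b28d60609822120c79d71919b7b
+* Use default-external encoding instead of ascii for badly encoded pages - a68d2591ac350459c874da10108e6ff5a8c08750
+* Colorize output and reveal tests that never ran - 4b0143f0a3b10060d5f52346954219bba3375039
+
 ## 2.2.0
 
 * Bundler compatibility and bundler gem tasks - 72d551945f9577bf5d0e516c673c648791b0e795
@@ -10,4 +23,4 @@
 * Encode form inputs - c9e9b5b52f8a23df3159c2387b6330d5df40f35b
 * Fixed cleanup AR associations whose expiry is past, not upcoming - 2265179a6d5c8b51ccc741180db46b618dd3caf9
 * Fixed issue with Memcache store and Dalli - ef84bf73da9c99c67b0632252bf0349e2360cbc7
-* Improvements to ActiveRecordStore's gc rake task - 847e19bf60a6b8163c1e0d2e96dbd805c64e2880
+* Improvements to ActiveRecordStore's gc rake task - 847e19bf60a6b8163c1e0d2e96dbd805c64e2880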
    
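--- a/data/lib/openid/fetchers.rb
+++ b/data/lib/openid/fetchers.rb
@@ -10,7 +10,7 @@ rescue LoadError
   require 'net/http'
 end
 
-MAX_RESPONSE_KB = 
+MAX_RESPONSE_KB = 10485760 # 10 MB (can be smaller, I guess)
 
 module Net
   class HTTP
@@ -192,6 +192,16 @@ module OpenID
         conn = make_connection(url)
         response = nil
 
+        whole_body = ''
+        body_size_limitter = lambda do |r|
+          r.read_body do |partial|   # read body now
+            whole_body << partial
+            if whole_body.length > MAX_RESPONSE_KB
+              raise FetchingError.new("Response Too Large")
+            end
+          end
+          whole_body
+        end
         response = conn.start {
           # Check the certificate against the URL's hostname
           if supports_ssl?(conn) and conn.use_ssl?
@@ -199,13 +209,12 @@ module OpenID
           end
 
           if body.nil?
-            conn.request_get(url.request_uri, headers)
+            conn.request_get(url.request_uri, headers, &body_size_limitter)
           else
             headers["Content-type"] ||= "application/x-www-form-urlencoded"
-            conn.request_post(url.request_uri, body, headers)
+            conn.request_post(url.request_uri, body, headers, &body_size_limitter)
           end
         }
-        setup_encoding(response)
       rescue Timeout::Error => why
         raise FetchingError, "Error fetching #{url}: #{why}"
       rescue RuntimeError => why
@@ -232,7 +241,10 @@ module OpenID
           raise FetchingError, "Error encountered in redirect from #{url}: #{why}"
         end
       else
-
+        response = HTTPResponse._from_net_response(response, unparsed_url)
+        response.body = whole_body
+        setup_encoding(response)
+        return response
       end
     end
 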
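Review bot: The size check on the new line 199 compares `whole_body.length`, a character count, against `MAX_RESPONSE_KB`, whose new value 10485760 is a byte count despite the `_KB` name, so the constant reads as a 10 GB cap and the comparison is only a byte count if `read_body` happens to yield binary-encoded chunks; make both explicit with `if whole_body.bytesize > MAX_RESPONSE_KB` and a comment on the constant such as `MAX_RESPONSE_KB = 10485760 # bytes (10 MiB); name kept for compatibility`. Because the check runs after the append, the buffer overshoots by one chunk before the fetch is aborted, and a server that advertises a huge body is still streamed up to the cap; reading `r['content-length']` at the top of the lambda and raising when it already exceeds the limit would reject such responses before buffering anything. The lambda also runs for redirect responses, so a redirect hop's body is buffered up to the limit and then discarded, which is worth a comment above `whole_body = ''`. Style: the new `raise FetchingError.new("Response Too Large")` differs from the `raise FetchingError, "..."` form used two lines below in the same hunk, and `body_size_limitter` is misspelled. `fetch` begins before the first hunk and its body continues outside these hunks.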
    
        data/lib/openid/version.rb
    CHANGED
    
    
    
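--- a/data/lib/openid/yadis/xrds.rb
+++ b/data/lib/openid/yadis/xrds.rb
@@ -88,23 +88,33 @@ module OpenID
     end
 
     def Yadis::parseXRDS(text)
-
-
-
+      disable_entity_expansion do
+        if text.nil?
+          raise XRDSError.new("Not an XRDS document.")
+        end
 
-
-
-
-
-
+        begin
+          d = REXML::Document.new(text)
+        rescue RuntimeError => why
+          raise XRDSError.new("Not an XRDS document. Failed to parse XML.")
+        end
 
-
-
-
-
+        if is_xrds?(d)
+          return d
+        else
+          raise XRDSError.new("Not an XRDS document.")
+        end
       end
     end
 
+    def Yadis::disable_entity_expansion
+      _previous_ = REXML::Document::entity_expansion_limit
+      REXML::Document::entity_expansion_limit = 0
+      yield
+    ensure
+      REXML::Document::entity_expansion_limit = _previous_
+    end
+
     def Yadis::is_xrds?(xrds_tree)
       xrds_root = xrds_tree.root
       return (!xrds_root.nil? and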
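Review bot: `Yadis::disable_entity_expansion` (new lines 110-116) flips `REXML::Document.entity_expansion_limit`, which is process-global rather than thread-local, so while one XRDS parse is in flight every other REXML parse in the same process runs with a limit of 0, and two overlapping callers can each save the other's value and restore out of order (A saves 10000 and sets 0, B saves 0, A restores 10000, B restores 0), leaving the limit stuck at 0 for all later XML parsing. Wrapping the body in a module-level `Mutex` (`XRDS_PARSE_LOCK = Mutex.new` and `XRDS_PARSE_LOCK.synchronize { ... }` around the save/set/yield/restore) makes the pair atomic among XRDS callers but cannot shield unrelated REXML users; a per-document alternative that avoids global state would be to reject input that declares entities before parsing, e.g. `raise XRDSError.new("Not an XRDS document.") if text =~ /<!DOCTYPE|<!ENTITY/i`, if a DTD has no legitimate place in XRDS for this project. The helper should also carry a comment stating its mechanism and caveat: `# Sets REXML's process-wide entity-expansion limit to 0 for the block so any entity expansion aborts the parse (DoS guard); not thread-safe, the setting is global.` On the new line 98 `why` in `rescue RuntimeError => why` is unused; either drop the binding or fold `why` into the XRDSError message so the underlying REXML parse error is not lost.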
    
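--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: ruby-openid
 version: !ruby/object:Gem::Version
-  version: 2.2.
+  version: 2.2.2
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: openid
 bindir: bin
 cert_chain: []
-date: 2012-
+date: 2012-10-23 00:00:00.000000000 Z
 dependencies: []
 description: 
 email: openid@janrain.com
@@ -234,7 +234,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: 
+      hash: 94044718274269500
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
@@ -243,7 +243,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: 
+      hash: 94044718274269500
 requirements: []
 rubyforge_project: 
 rubygems_version: 1.8.23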