ruby-openid 2.2.1 → 2.2.2
- data/CHANGELOG.md +14 -1
- data/lib/openid/fetchers.rb +17 -5
- data/lib/openid/version.rb +1 -1
- data/lib/openid/yadis/xrds.rb +22 -12
- metadata +4 -4
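--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,5 +1,18 @@
 # Changelog
 
+## 2.2.2
+
+* Limit fetching file size & disable XML entity expansion - be2bab5c21f04735045e071411b349afb790078f
+
+Avoid DoS attack to RPs using large XRDS / too many XML entity expansion in XRDS.
+
+## 2.2.1
+
+* Make bundle exec rake work - 2100f281172427d1557ebe76afbd24072a22d04f
+* State license in gemspec for automated tools / rubygems.org page - 2d5c3cd8f2476b28d60609822120c79d71919b7b
+* Use default-external encoding instead of ascii for badly encoded pages - a68d2591ac350459c874da10108e6ff5a8c08750
+* Colorize output and reveal tests that never ran - 4b0143f0a3b10060d5f52346954219bba3375039
+
 ## 2.2.0
 
 * Bundler compatibility and bundler gem tasks - 72d551945f9577bf5d0e516c673c648791b0e795
@@ -10,4 +23,4 @@
 * Encode form inputs - c9e9b5b52f8a23df3159c2387b6330d5df40f35b
 * Fixed cleanup AR associations whose expiry is past, not upcoming - 2265179a6d5c8b51ccc741180db46b618dd3caf9
 * Fixed issue with Memcache store and Dalli - ef84bf73da9c99c67b0632252bf0349e2360cbc7
-* Improvements to ActiveRecordStore's gc rake task - 847e19bf60a6b8163c1e0d2e96dbd805c64e2880
+* Improvements to ActiveRecordStore's gc rake task - 847e19bf60a6b8163c1e0d2e96dbd805c64e2880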
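--- a/data/lib/openid/fetchers.rb
+++ b/data/lib/openid/fetchers.rb
@@ -10,7 +10,7 @@ rescue LoadError
 require 'net/http'
 end
 
-MAX_RESPONSE_KB =
+MAX_RESPONSE_KB = 10485760 # 10 MB (can be smaller, I guess)
 
 module Net
 class HTTP
@@ -192,6 +192,16 @@ module OpenID
 conn = make_connection(url)
 response = nil
 
+whole_body = ''
+body_size_limitter = lambda do |r|
+r.read_body do |partial| # read body now
+whole_body << partial
+if whole_body.length > MAX_RESPONSE_KB
+raise FetchingError.new("Response Too Large")
+end
+end
+whole_body
+end
 response = conn.start {
 # Check the certificate against the URL's hostname
 if supports_ssl?(conn) and conn.use_ssl?
@@ -199,13 +209,12 @@ module OpenID
 end
 
 if body.nil?
-conn.request_get(url.request_uri, headers)
+conn.request_get(url.request_uri, headers, &body_size_limitter)
 else
 headers["Content-type"] ||= "application/x-www-form-urlencoded"
-conn.request_post(url.request_uri, body, headers)
+conn.request_post(url.request_uri, body, headers, &body_size_limitter)
 end
 }
-setup_encoding(response)
 rescue Timeout::Error => why
 raise FetchingError, "Error fetching #{url}: #{why}"
 rescue RuntimeError => why
@@ -232,7 +241,10 @@ module OpenID
 raise FetchingError, "Error encountered in redirect from #{url}: #{why}"
 end
 else
-
+response = HTTPResponse._from_net_response(response, unparsed_url)
+response.body = whole_body
+setup_encoding(response)
+return response
 end
 end
 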
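Review bot: `MAX_RESPONSE_KB` now holds a byte count (10485760, commented as "10 MB"), so the name misleads anyone who later compares against it in kilobytes; either rename it (e.g. `MAX_RESPONSE_BYTES`) or keep the old name with a comment such as `# bytes, despite the name; 10 MB`. The check in `body_size_limitter` uses `whole_body.length`, which counts characters once the string carries a multibyte encoding; `whole_body.bytesize > MAX_RESPONSE_KB` measures what the limit is actually about and does not depend on the encoding. The check also runs after the chunk has been appended, so the buffer can exceed the limit by one chunk before the raise; testing `whole_body.bytesize + partial.bytesize > MAX_RESPONSE_KB` before the `<<` avoids buffering the overflowing chunk. The `raise FetchingError.new("Response Too Large")` form differs from the `raise FetchingError, "..."` style used by the rescue clauses of the same method. The enclosing fetch method starts and ends outside these hunks.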
data/lib/openid/version.rb
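--- a/data/lib/openid/yadis/xrds.rb
+++ b/data/lib/openid/yadis/xrds.rb
@@ -88,23 +88,33 @@ module OpenID
 end
 
 def Yadis::parseXRDS(text)
-
-
-
+disable_entity_expansion do
+if text.nil?
+raise XRDSError.new("Not an XRDS document.")
+end
 
-
-
-
-
-
+begin
+d = REXML::Document.new(text)
+rescue RuntimeError => why
+raise XRDSError.new("Not an XRDS document. Failed to parse XML.")
+end
 
-
-
-
-
+if is_xrds?(d)
+return d
+else
+raise XRDSError.new("Not an XRDS document.")
+end
 end
 end
 
+def Yadis::disable_entity_expansion
+_previous_ = REXML::Document::entity_expansion_limit
+REXML::Document::entity_expansion_limit = 0
+yield
+ensure
+REXML::Document::entity_expansion_limit = _previous_
+end
+
 def Yadis::is_xrds?(xrds_tree)
 xrds_root = xrds_tree.root
 return (!xrds_root.nil? and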
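Review bot: `Yadis::disable_entity_expansion` mutates a process-wide setting (`REXML::Document::entity_expansion_limit`), so any other thread parsing XML while the block runs also sees a limit of 0, and two overlapping callers can restore each other's saved value out of order; the method needs a comment stating this, e.g. `# Process-global: affects every REXML parse in this process for the duration of the block; not safe under concurrent parsing.`. As far as I recall, REXML expands entities lazily when text values are read rather than at `Document.new`, so the limit of 0 would only be in force for the parse and `is_xrds?` inside the block and not for later consumers of the returned tree — worth verifying, and if so, a check that rejects documents carrying a DOCTYPE/internal subset before parsing (or setting the limit once at load time) would be more robust. In `parseXRDS` the `why` binding in `rescue RuntimeError => why` is never used, so `rescue RuntimeError` suffices, and `_previous_` reads as a throwaway name where `previous_limit` would say what it holds. The `return d` inside the block is a non-local return from `parseXRDS`; the `ensure` still restores the limit, but a short comment saying so would save the next reader a check.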
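--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: ruby-openid
 version: !ruby/object:Gem::Version
-version: 2.2.
+version: 2.2.2
 prerelease:
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: openid
 bindir: bin
 cert_chain: []
-date: 2012-
+date: 2012-10-23 00:00:00.000000000 Z
 dependencies: []
 description:
 email: openid@janrain.com
@@ -234,7 +234,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
 version: '0'
 segments:
 - 0
-hash:
+hash: 94044718274269500
 required_rubygems_version: !ruby/object:Gem::Requirement
 none: false
 requirements:
@@ -243,7 +243,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 version: '0'
 segments:
 - 0
-hash:
+hash: 94044718274269500
 requirements: []
 rubyforge_project:
 rubygems_version: 1.8.23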