RubyGems - ruby-openid - Versions diffs - 2.2.1 → 2.2.2 - Mend

ruby-openid 2.2.1 → 2.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of ruby-openid might be problematic. Click here for more details.

Files changed (5) hide show

data/CHANGELOG.md CHANGED

@@ -1,5 +1,18 @@
 # Changelog
+## 2.2.2
+* Limit fetching file size & disable XML entity expansion - be2bab5c21f04735045e071411b349afb790078f
+  Avoid DoS attack to RPs using large XRDS / too many XML entity expansion in XRDS.
+## 2.2.1
+* Make bundle exec rake work - 2100f281172427d1557ebe76afbd24072a22d04f
+* State license in gemspec for automated tools / rubygems.org page - 2d5c3cd8f2476b28d60609822120c79d71919b7b
+* Use default-external encoding instead of ascii for badly encoded pages - a68d2591ac350459c874da10108e6ff5a8c08750
+* Colorize output and reveal tests that never ran - 4b0143f0a3b10060d5f52346954219bba3375039
 ## 2.2.0
 * Bundler compatibility and bundler gem tasks - 72d551945f9577bf5d0e516c673c648791b0e795
@@ -10,4 +23,4 @@
 * Encode form inputs - c9e9b5b52f8a23df3159c2387b6330d5df40f35b
 * Fixed cleanup AR associations whose expiry is past, not upcoming - 2265179a6d5c8b51ccc741180db46b618dd3caf9
 * Fixed issue with Memcache store and Dalli - ef84bf73da9c99c67b0632252bf0349e2360cbc7
-* Improvements to ActiveRecordStore's gc rake task - 847e19bf60a6b8163c1e0d2e96dbd805c64e2880
+* Improvements to ActiveRecordStore's gc rake task - 847e19bf60a6b8163c1e0d2e96dbd805c64e2880

data/lib/openid/fetchers.rb CHANGED

@@ -10,7 +10,7 @@ rescue LoadError
   require 'net/http'
 end
-MAX_RESPONSE_KB = 1024
+MAX_RESPONSE_KB = 10485760 # 10 MB (can be smaller, I guess)
 module Net
   class HTTP
@@ -192,6 +192,16 @@ module OpenID
         conn = make_connection(url)
         response = nil
+        whole_body = ''
+        body_size_limitter = lambda do |r|
+          r.read_body do |partial|   # read body now
+            whole_body << partial
+            if whole_body.length > MAX_RESPONSE_KB
+              raise FetchingError.new("Response Too Large")
+            end
+          end
+          whole_body
+        end
         response = conn.start {
           # Check the certificate against the URL's hostname
           if supports_ssl?(conn) and conn.use_ssl?
@@ -199,13 +209,12 @@ module OpenID
           end
           if body.nil?
-            conn.request_get(url.request_uri, headers)
+            conn.request_get(url.request_uri, headers, &body_size_limitter)
           else
             headers["Content-type"] ||= "application/x-www-form-urlencoded"
-            conn.request_post(url.request_uri, body, headers)
+            conn.request_post(url.request_uri, body, headers, &body_size_limitter)
           end
         }
-        setup_encoding(response)
       rescue Timeout::Error => why
         raise FetchingError, "Error fetching #{url}: #{why}"
       rescue RuntimeError => why
@@ -232,7 +241,10 @@ module OpenID
           raise FetchingError, "Error encountered in redirect from #{url}: #{why}"
         end
       else
-        return HTTPResponse._from_net_response(response, unparsed_url)
+        response = HTTPResponse._from_net_response(response, unparsed_url)
+        response.body = whole_body
+        setup_encoding(response)
+        return response
       end
     end

data/lib/openid/version.rb CHANGED

@@ -1,3 +1,3 @@
 module OpenID
-  VERSION = "2.2.1"
+  VERSION = "2.2.2"
 end

data/lib/openid/yadis/xrds.rb CHANGED

@@ -88,23 +88,33 @@ module OpenID
     end
     def Yadis::parseXRDS(text)
-      if text.nil?
-        raise XRDSError.new("Not an XRDS document.")
-      end
+      disable_entity_expansion do
+        if text.nil?
+          raise XRDSError.new("Not an XRDS document.")
+        end
-      begin
-        d = REXML::Document.new(text)
-      rescue RuntimeError => why
-        raise XRDSError.new("Not an XRDS document. Failed to parse XML.")
-      end
+        begin
+          d = REXML::Document.new(text)
+        rescue RuntimeError => why
+          raise XRDSError.new("Not an XRDS document. Failed to parse XML.")
+        end
-      if is_xrds?(d)
-        return d
-      else
-        raise XRDSError.new("Not an XRDS document.")
+        if is_xrds?(d)
+          return d
+        else
+          raise XRDSError.new("Not an XRDS document.")
+        end
       end
     end
+    def Yadis::disable_entity_expansion
+      _previous_ = REXML::Document::entity_expansion_limit
+      REXML::Document::entity_expansion_limit = 0
+      yield
+    ensure
+      REXML::Document::entity_expansion_limit = _previous_
+    end
     def Yadis::is_xrds?(xrds_tree)
       xrds_root = xrds_tree.root
       return (!xrds_root.nil? and

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: ruby-openid
 version: !ruby/object:Gem::Version
-  version: 2.2.1
+  version: 2.2.2
   prerelease:
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: openid
 bindir: bin
 cert_chain: []
-date: 2012-09-27 00:00:00.000000000 Z
+date: 2012-10-23 00:00:00.000000000 Z
 dependencies: []
 description:
 email: openid@janrain.com
@@ -234,7 +234,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: -2604511254745544054
+      hash: 94044718274269500
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
@@ -243,7 +243,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: -2604511254745544054
+      hash: 94044718274269500
 requirements: []
 rubyforge_project:
 rubygems_version: 1.8.23