ruby-openid 2.2.1 → 2.2.2



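--- a/<path not shown: changelog>
+++ b/<path not shown: changelog>
@@ -1,5 +1,18 @@
 # Changelog
 
+## 2.2.2
+
+* Limit fetching file size & disable XML entity expansion - be2bab5c21f04735045e071411b349afb790078f
+
+Avoid DoS attack to RPs using large XRDS / too many XML entity expansion in XRDS.
+
+## 2.2.1
+
+* Make bundle exec rake work - 2100f281172427d1557ebe76afbd24072a22d04f
+* State license in gemspec for automated tools / rubygems.org page - 2d5c3cd8f2476b28d60609822120c79d71919b7b
+* Use default-external encoding instead of ascii for badly encoded pages - a68d2591ac350459c874da10108e6ff5a8c08750
+* Colorize output and reveal tests that never ran - 4b0143f0a3b10060d5f52346954219bba3375039
+
 ## 2.2.0
 
 * Bundler compatibility and bundler gem tasks - 72d551945f9577bf5d0e516c673c648791b0e795
@@ -10,4 +23,4 @@
 * Encode form inputs - c9e9b5b52f8a23df3159c2387b6330d5df40f35b
 * Fixed cleanup AR associations whose expiry is past, not upcoming - 2265179a6d5c8b51ccc741180db46b618dd3caf9
 * Fixed issue with Memcache store and Dalli - ef84bf73da9c99c67b0632252bf0349e2360cbc7
-* Improvements to ActiveRecordStore's gc rake task - 847e19bf60a6b8163c1e0d2e96dbd805c64e2880
+* Improvements to ActiveRecordStore's gc rake task - 847e19bf60a6b8163c1e0d2e96dbd805c64e2880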
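--- a/<path not shown: fetchers>
+++ b/<path not shown: fetchers>
@@ -10,7 +10,7 @@ rescue LoadError
 require 'net/http'
 end
 
-MAX_RESPONSE_KB = 1024
+MAX_RESPONSE_KB = 10485760 # 10 MB (can be smaller, I guess)
 
 module Net
 class HTTP
@@ -192,6 +192,16 @@ module OpenID
 conn = make_connection(url)
 response = nil
 
+whole_body = ''
+body_size_limitter = lambda do |r|
+r.read_body do |partial| # read body now
+whole_body << partial
+if whole_body.length > MAX_RESPONSE_KB
+raise FetchingError.new("Response Too Large")
+end
+end
+whole_body
+end
 response = conn.start {
 # Check the certificate against the URL's hostname
 if supports_ssl?(conn) and conn.use_ssl?
@@ -199,13 +209,12 @@ module OpenID
 end
 
 if body.nil?
-conn.request_get(url.request_uri, headers)
+conn.request_get(url.request_uri, headers, &body_size_limitter)
 else
 headers["Content-type"] ||= "application/x-www-form-urlencoded"
-conn.request_post(url.request_uri, body, headers)
+conn.request_post(url.request_uri, body, headers, &body_size_limitter)
 end
 }
-setup_encoding(response)
 rescue Timeout::Error => why
 raise FetchingError, "Error fetching #{url}: #{why}"
 rescue RuntimeError => why
@@ -232,7 +241,10 @@ module OpenID
 raise FetchingError, "Error encountered in redirect from #{url}: #{why}"
 end
 else
-return HTTPResponse._from_net_response(response, unparsed_url)
+response = HTTPResponse._from_net_response(response, unparsed_url)
+response.body = whole_body
+setup_encoding(response)
+return response
 end
 end
 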
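Review bot: The size guard in the `body_size_limitter` lambda compares `whole_body.length` against a constant whose name says kilobytes, while `length` counts characters (equal to bytes only for a binary-encoded string) and the new value 10485760 is plainly a byte count, so the constant's name and its unit no longer agree; this applies to the `MAX_RESPONSE_KB = 10485760` hunk and to the `if whole_body.length > MAX_RESPONSE_KB` check. Either rename the constant to `MAX_RESPONSE_BYTES` or compare `whole_body.bytesize > MAX_RESPONSE_KB * 1024`, and use `bytesize` in either case so the cap does not depend on the encoding of the streamed chunks. The check runs after `<<`, so one chunk beyond the cap is buffered before the raise, which is acceptable, but the trailing comment `# 10 MB (can be smaller, I guess)` reads as a placeholder; a sentence stating why 10 MB is the chosen bound for discovery documents would help whoever tunes it later. The method enclosing these hunks begins outside the diff, and whether the raised `FetchingError` passes the `rescue RuntimeError => why` clause untouched depends on its superclass, which is not visible here.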
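--- a/<path not shown: version>
+++ b/<path not shown: version>
@@ -1,3 +1,3 @@
 module OpenID
-VERSION = "2.2.1"
+VERSION = "2.2.2"
 end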
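--- a/<path not shown: xrds>
+++ b/<path not shown: xrds>
@@ -88,23 +88,33 @@ module OpenID
 end
 
 def Yadis::parseXRDS(text)
-if text.nil?
-raise XRDSError.new("Not an XRDS document.")
-end
+disable_entity_expansion do
+if text.nil?
+raise XRDSError.new("Not an XRDS document.")
+end
 
-begin
-d = REXML::Document.new(text)
-rescue RuntimeError => why
-raise XRDSError.new("Not an XRDS document. Failed to parse XML.")
-end
+begin
+d = REXML::Document.new(text)
+rescue RuntimeError => why
+raise XRDSError.new("Not an XRDS document. Failed to parse XML.")
+end
 
-if is_xrds?(d)
-return d
-else
-raise XRDSError.new("Not an XRDS document.")
+if is_xrds?(d)
+return d
+else
+raise XRDSError.new("Not an XRDS document.")
+end
 end
 end
 
+def Yadis::disable_entity_expansion
+_previous_ = REXML::Document::entity_expansion_limit
+REXML::Document::entity_expansion_limit = 0
+yield
+ensure
+REXML::Document::entity_expansion_limit = _previous_
+end
+
 def Yadis::is_xrds?(xrds_tree)
 xrds_root = xrds_tree.root
 return (!xrds_root.nil? and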
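Review bot: `Yadis::disable_entity_expansion` mutates a process-global REXML setting with no synchronisation, so overlapping calls on different threads can interleave badly: the second caller saves the first caller's temporary 0 as its "previous" value, and its `ensure` then leaves the limit at 0 for the rest of the process, while any unrelated XML parsed elsewhere during the window also runs under the lowered limit. Wrapping save/set/yield/restore in a module-level `Mutex` removes the lost-restore interleaving; the cross-thread effect on other parsers cannot be fixed this way and should be stated in a comment on the method. Two style points: `_previous_` is an unusual name for a plain local, and `REXML::Document::entity_expansion_limit` reads like a constant lookup where `REXML::Document.entity_expansion_limit` is the conventional form for a class-method call. Whether a limit of 0 also bounds the size of expanded entity text, rather than only the number of expansions, depends on the REXML version in use and is not visible in this diff, so a comment such as `# 0 = reject any entity expansion while an XRDS document is parsed` would make the intent explicit.
```ruby
ENTITY_EXPANSION_LOCK = Mutex.new

def Yadis::disable_entity_expansion
  ENTITY_EXPANSION_LOCK.synchronize do
    previous = REXML::Document.entity_expansion_limit
    begin
      REXML::Document.entity_expansion_limit = 0
      yield
    ensure
      REXML::Document.entity_expansion_limit = previous
    end
  end
end
```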
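--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: ruby-openid
 version: !ruby/object:Gem::Version
-version: 2.2.1
+version: 2.2.2
 prerelease:
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: openid
 bindir: bin
 cert_chain: []
-date: 2012-09-27 00:00:00.000000000 Z
+date: 2012-10-23 00:00:00.000000000 Z
 dependencies: []
 description:
 email: openid@janrain.com
@@ -234,7 +234,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
 version: '0'
 segments:
 - 0
-hash: -2604511254745544054
+hash: 94044718274269500
 required_rubygems_version: !ruby/object:Gem::Requirement
 none: false
 requirements:
@@ -243,7 +243,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 version: '0'
 segments:
 - 0
-hash: -2604511254745544054
+hash: 94044718274269500
 requirements: []
 rubyforge_project:
 rubygems_version: 1.8.23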