ruby-openid 2.2.1 → 2.2.2

data/CHANGELOG.md

@@ -1,5 +1,18 @@
 # Changelog
 
+## 2.2.2
+
+* Limit fetching file size & disable XML entity expansion - be2bab5c21f04735045e071411b349afb790078f
+
+  Avoid DoS attack to RPs using large XRDS / too many XML entity expansion in XRDS.
+
+## 2.2.1
+
+* Make bundle exec rake work - 2100f281172427d1557ebe76afbd24072a22d04f
+* State license in gemspec for automated tools / rubygems.org page - 2d5c3cd8f2476b28d60609822120c79d71919b7b
+* Use default-external encoding instead of ascii for badly encoded pages - a68d2591ac350459c874da10108e6ff5a8c08750
+* Colorize output and reveal tests that never ran - 4b0143f0a3b10060d5f52346954219bba3375039
+
 ## 2.2.0
 
 * Bundler compatibility and bundler gem tasks - 72d551945f9577bf5d0e516c673c648791b0e795
@@ -10,4 +23,4 @@
 * Encode form inputs - c9e9b5b52f8a23df3159c2387b6330d5df40f35b
 * Fixed cleanup AR associations whose expiry is past, not upcoming - 2265179a6d5c8b51ccc741180db46b618dd3caf9
 * Fixed issue with Memcache store and Dalli - ef84bf73da9c99c67b0632252bf0349e2360cbc7
-* Improvements to ActiveRecordStore's gc rake task - 847e19bf60a6b8163c1e0d2e96dbd805c64e2880
+* Improvements to ActiveRecordStore's gc rake task - 847e19bf60a6b8163c1e0d2e96dbd805c64e2880

data/lib/openid/fetchers.rb

@@ -10,7 +10,7 @@ rescue LoadError
   require 'net/http'
 end
 
-MAX_RESPONSE_KB = 1024
+MAX_RESPONSE_KB = 10485760 # 10 MB (can be smaller, I guess)
 
 module Net
   class HTTP
@@ -192,6 +192,16 @@ module OpenID
         conn = make_connection(url)
         response = nil
 
+        whole_body = ''
+        body_size_limitter = lambda do |r|
+          r.read_body do |partial|   # read body now
+            whole_body << partial
+            if whole_body.length > MAX_RESPONSE_KB
+              raise FetchingError.new("Response Too Large")
+            end
+          end
+          whole_body
+        end
         response = conn.start {
           # Check the certificate against the URL's hostname
           if supports_ssl?(conn) and conn.use_ssl?
@@ -199,13 +209,12 @@ module OpenID
           end
 
           if body.nil?
-            conn.request_get(url.request_uri, headers)
+            conn.request_get(url.request_uri, headers, &body_size_limitter)
           else
             headers["Content-type"] ||= "application/x-www-form-urlencoded"
-            conn.request_post(url.request_uri, body, headers)
+            conn.request_post(url.request_uri, body, headers, &body_size_limitter)
           end
         }
-        setup_encoding(response)
       rescue Timeout::Error => why
         raise FetchingError, "Error fetching #{url}: #{why}"
       rescue RuntimeError => why
@@ -232,7 +241,10 @@ module OpenID
           raise FetchingError, "Error encountered in redirect from #{url}: #{why}"
         end
       else
-        return HTTPResponse._from_net_response(response, unparsed_url)
+        response = HTTPResponse._from_net_response(response, unparsed_url)
+        response.body = whole_body
+        setup_encoding(response)
+        return response
       end
     end
 

data/lib/openid/version.rb

@@ -1,3 +1,3 @@
 module OpenID
-  VERSION = "2.2.1"
+  VERSION = "2.2.2"
 end

data/lib/openid/yadis/xrds.rb

@@ -88,23 +88,33 @@ module OpenID
     end
 
     def Yadis::parseXRDS(text)
-      if text.nil?
-        raise XRDSError.new("Not an XRDS document.")
-      end
+      disable_entity_expansion do
+        if text.nil?
+          raise XRDSError.new("Not an XRDS document.")
+        end
 
-      begin
-        d = REXML::Document.new(text)
-      rescue RuntimeError => why
-        raise XRDSError.new("Not an XRDS document. Failed to parse XML.")
-      end
+        begin
+          d = REXML::Document.new(text)
+        rescue RuntimeError => why
+          raise XRDSError.new("Not an XRDS document. Failed to parse XML.")
+        end
 
-      if is_xrds?(d)
-        return d
-      else
-        raise XRDSError.new("Not an XRDS document.")
+        if is_xrds?(d)
+          return d
+        else
+          raise XRDSError.new("Not an XRDS document.")
+        end
       end
     end
 
+    def Yadis::disable_entity_expansion
+      _previous_ = REXML::Document::entity_expansion_limit
+      REXML::Document::entity_expansion_limit = 0
+      yield
+    ensure
+      REXML::Document::entity_expansion_limit = _previous_
+    end
+
     def Yadis::is_xrds?(xrds_tree)
       xrds_root = xrds_tree.root
       return (!xrds_root.nil? and

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: ruby-openid
 version: !ruby/object:Gem::Version
-  version: 2.2.1
+  version: 2.2.2
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: openid
 bindir: bin
 cert_chain: []
-date: 2012-09-27 00:00:00.000000000 Z
+date: 2012-10-23 00:00:00.000000000 Z
 dependencies: []
 description: 
 email: openid@janrain.com
@@ -234,7 +234,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: -2604511254745544054
+      hash: 94044718274269500
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
@@ -243,7 +243,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: -2604511254745544054
+      hash: 94044718274269500
 requirements: []
 rubyforge_project: 
 rubygems_version: 1.8.23