webrick 1.3.1 → 1.4.3

data/lib/webrick/httpauth.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: false
 #
 # httpauth.rb -- HTTP access authentication
 #
@@ -8,11 +9,11 @@
 #
 # $IPR: httpauth.rb,v 1.14 2003/07/22 19:20:42 gotoyuzo Exp $
 
-require 'webrick/httpauth/basicauth'
-require 'webrick/httpauth/digestauth'
-require 'webrick/httpauth/htpasswd'
-require 'webrick/httpauth/htdigest'
-require 'webrick/httpauth/htgroup'
+require_relative 'httpauth/basicauth'
+require_relative 'httpauth/digestauth'
+require_relative 'httpauth/htpasswd'
+require_relative 'httpauth/htdigest'
+require_relative 'httpauth/htgroup'
 
 module WEBrick
 

data/lib/webrick/httpauth/authenticator.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: false
 #--
 # httpauth/authenticator.rb -- Authenticator mix-in module.
 #
@@ -16,10 +17,10 @@ module WEBrick
 
     module Authenticator
 
-      RequestField      = "Authorization"
-      ResponseField     = "WWW-Authenticate"
-      ResponseInfoField = "Authentication-Info"
-      AuthException     = HTTPStatus::Unauthorized
+      RequestField      = "Authorization" # :nodoc:
+      ResponseField     = "WWW-Authenticate" # :nodoc:
+      ResponseInfoField = "Authentication-Info" # :nodoc:
+      AuthException     = HTTPStatus::Unauthorized # :nodoc:
 
       ##
       # Method of authentication, must be overridden by the including class
@@ -43,6 +44,8 @@ module WEBrick
 
       private
 
+      # :stopdoc:
+
       ##
       # Initializes the authenticator from +config+
 
@@ -96,6 +99,8 @@ module WEBrick
           log(:info, fmt, *args)
         end
       end
+
+      # :startdoc:
     end
 
     ##
@@ -103,10 +108,10 @@ module WEBrick
     # authentication schemes for proxies.
 
     module ProxyAuthenticator
-      RequestField  = "Proxy-Authorization"
-      ResponseField = "Proxy-Authenticate"
-      InfoField     = "Proxy-Authentication-Info"
-      AuthException = HTTPStatus::ProxyAuthenticationRequired
+      RequestField  = "Proxy-Authorization" # :nodoc:
+      ResponseField = "Proxy-Authenticate" # :nodoc:
+      InfoField     = "Proxy-Authentication-Info" # :nodoc:
+      AuthException = HTTPStatus::ProxyAuthenticationRequired # :nodoc:
     end
   end
 end

data/lib/webrick/httpauth/basicauth.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: false
 #
 # httpauth/basicauth.rb -- HTTP basic access authentication
 #
@@ -7,9 +8,9 @@
 #
 # $IPR: basicauth.rb,v 1.5 2003/02/20 07:15:47 gotoyuzo Exp $
 
-require 'webrick/config'
-require 'webrick/httpstatus'
-require 'webrick/httpauth/authenticator'
+require_relative '../config'
+require_relative '../httpstatus'
+require_relative 'authenticator'
 
 module WEBrick
   module HTTPAuth
@@ -23,7 +24,7 @@ module WEBrick
     #
     #   config = { :Realm => 'BasicAuth example realm' }
     #
-    #   htpasswd = WEBrick::HTTPAuth::Htpasswd.new 'my_password_file'
+    #   htpasswd = WEBrick::HTTPAuth::Htpasswd.new 'my_password_file', password_hash: :bcrypt
     #   htpasswd.set_passwd config[:Realm], 'username', 'password'
     #   htpasswd.flush
     #
@@ -34,7 +35,7 @@ module WEBrick
     class BasicAuth
       include Authenticator
 
-      AuthScheme = "Basic"
+      AuthScheme = "Basic" # :nodoc:
 
       ##
       # Used by UserDB to create a basic password entry
@@ -80,7 +81,15 @@ module WEBrick
           error("%s: the user is not allowed.", userid)
           challenge(req, res)
         end
-        if password.crypt(encpass) != encpass
+
+        case encpass
+        when /\A\$2[aby]\$/
+          password_matches = BCrypt::Password.new(encpass.sub(/\A\$2[aby]\$/, '$2a$')) == password
+        else
+          password_matches = password.crypt(encpass) == encpass
+        end
+
+        unless password_matches
           error("%s: password unmatch.", userid)
           challenge(req, res)
         end
@@ -89,8 +98,7 @@ module WEBrick
       end
 
       ##
-      # Returns a challenge response which asks for for authentication
-      # information
+      # Returns a challenge response which asks for authentication information
 
       def challenge(req, res)
         res[@response_field] = "#{@auth_scheme} realm=\"#{@realm}\""

data/lib/webrick/httpauth/digestauth.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: false
 #
 # httpauth/digestauth.rb -- HTTP digest access authentication
 #
@@ -11,9 +12,9 @@
 #
 # $IPR: digestauth.rb,v 1.5 2003/02/20 07:15:47 gotoyuzo Exp $
 
-require 'webrick/config'
-require 'webrick/httpstatus'
-require 'webrick/httpauth/authenticator'
+require_relative '../config'
+require_relative '../httpstatus'
+require_relative 'authenticator'
 require 'digest/md5'
 require 'digest/sha1'
 
@@ -45,9 +46,22 @@ module WEBrick
     class DigestAuth
       include Authenticator
 
-      AuthScheme = "Digest"
-      OpaqueInfo = Struct.new(:time, :nonce, :nc)
-      attr_reader :algorithm, :qop
+      AuthScheme = "Digest" # :nodoc:
+
+      ##
+      # Struct containing the opaque portion of the digest authentication
+
+      OpaqueInfo = Struct.new(:time, :nonce, :nc) # :nodoc:
+
+      ##
+      # Digest authentication algorithm
+
+      attr_reader :algorithm
+
+      ##
+      # Quality of protection.  RFC 2617 defines "auth" and "auth-int"
+
+      attr_reader :qop
 
       ##
       # Used by UserDB to create a digest password entry
@@ -97,7 +111,7 @@ module WEBrick
         @instance_key = hexdigest(self.__id__, Time.now.to_i, Process.pid)
         @opaques = {}
         @last_nonce_expire = Time.now
-        @mutex = Mutex.new
+        @mutex = Thread::Mutex.new
       end
 
       ##
@@ -115,8 +129,7 @@ module WEBrick
       end
 
       ##
-      # Returns a challenge response which asks for for authentication
-      # information
+      # Returns a challenge response which asks for authentication information
 
       def challenge(req, res, stale=false)
         nonce = generate_next_nonce(req)
@@ -142,6 +155,8 @@ module WEBrick
 
       private
 
+      # :stopdoc:
+
       MustParams = ['username','realm','nonce','uri','response']
       MustParamsAuth = ['cnonce','nc']
 
@@ -189,7 +204,7 @@ module WEBrick
 
         password = @userdb.get_passwd(@realm, auth_req['username'], @reload_db)
         unless password
-          error('%s: the user is not allowd.', auth_req['username'])
+          error('%s: the user is not allowed.', auth_req['username'])
           return false
         end
 
@@ -220,9 +235,11 @@ module WEBrick
           ha2 = hexdigest(req.request_method, auth_req['uri'])
           ha2_res = hexdigest("", auth_req['uri'])
         elsif auth_req['qop'] == "auth-int"
-          ha2 = hexdigest(req.request_method, auth_req['uri'],
-                          hexdigest(req.body))
-          ha2_res = hexdigest("", auth_req['uri'], hexdigest(res.body))
+          body_digest = @h.new
+          req.body { |chunk| body_digest.update(chunk) }
+          body_digest = body_digest.hexdigest
+          ha2 = hexdigest(req.request_method, auth_req['uri'], body_digest)
+          ha2_res = hexdigest("", auth_req['uri'], body_digest)
         end
 
         if auth_req['qop'] == "auth" || auth_req['qop'] == "auth-int"
@@ -273,23 +290,8 @@ module WEBrick
 
       def split_param_value(string)
         ret = {}
-        while string.bytesize != 0
-          case string
-          when /^\s*([\w\-\.\*\%\!]+)=\s*\"((\\.|[^\"])*)\"\s*,?/
-            key = $1
-            matched = $2
-            string = $'
-            ret[key] = matched.gsub(/\\(.)/, "\\1")
-          when /^\s*([\w\-\.\*\%\!]+)=\s*([^,\"]*),?/
-            key = $1
-            matched = $2
-            string = $'
-            ret[key] = matched.clone
-          when /^s*^,/
-            string = $'
-          else
-            break
-          end
+        string.scan(/\G\s*([\w\-.*%!]+)=\s*(?:\"((?>\\.|[^\"])*)\"|([^,\"]*))\s*,?/) do
+          ret[$1] = $3 || $2.gsub(/\\(.)/, "\\1")
         end
         ret
       end
@@ -297,7 +299,7 @@ module WEBrick
       def generate_next_nonce(req)
         now = "%012d" % req.request_time.to_i
         pk  = hexdigest(now, @instance_key)[0,32]
-        nonce = [now + ":" + pk].pack("m*").chop # it has 60 length of chars.
+        nonce = [now + ":" + pk].pack("m0") # it has 60 length of chars.
         nonce
       end
 
@@ -375,6 +377,7 @@ module WEBrick
         @h.hexdigest(args.join(":"))
       end
 
+      # :startdoc:
     end
 
     ##
@@ -384,7 +387,7 @@ module WEBrick
       include ProxyAuthenticator
 
       private
-      def check_uri(req, auth_req)
+      def check_uri(req, auth_req) # :nodoc:
         return true
       end
     end

data/lib/webrick/httpauth/htdigest.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: false
 #
 # httpauth/htdigest.rb -- Apache compatible htdigest file
 #
@@ -7,8 +8,8 @@
 #
 # $IPR: htdigest.rb,v 1.4 2003/07/22 19:20:45 gotoyuzo Exp $
 
-require 'webrick/httpauth/userdb'
-require 'webrick/httpauth/digestauth'
+require_relative 'userdb'
+require_relative 'digestauth'
 require 'tempfile'
 
 module WEBrick
@@ -37,9 +38,9 @@ module WEBrick
         @path = path
         @mtime = Time.at(0)
         @digest = Hash.new
-        @mutex = Mutex::new
+        @mutex = Thread::Mutex::new
         @auth_type = DigestAuth
-        open(@path,"a").close unless File::exist?(@path)
+        File.open(@path,"a").close unless File.exist?(@path)
         reload
       end
 
@@ -50,7 +51,7 @@ module WEBrick
         mtime = File::mtime(@path)
         if mtime > @mtime
           @digest.clear
-          open(@path){|io|
+          File.open(@path){|io|
             while line = io.gets
               line.chomp!
               user, realm, pass = line.split(/:/, 3)
@@ -70,13 +71,16 @@ module WEBrick
 
       def flush(output=nil)
         output ||= @path
-        tmp = Tempfile.new("htpasswd", File::dirname(output))
+        tmp = Tempfile.create("htpasswd", File::dirname(output))
+        renamed = false
         begin
           each{|item| tmp.puts(item.join(":")) }
           tmp.close
           File::rename(tmp.path, output)
-        rescue
-          tmp.close(true)
+          renamed = true
+        ensure
+          tmp.close
+          File.unlink(tmp.path) if !renamed
         end
       end
 

data/lib/webrick/httpauth/htgroup.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: false
 #
 # httpauth/htgroup.rb -- Apache compatible htgroup file
 #
@@ -35,7 +36,7 @@ module WEBrick
         @path = path
         @mtime = Time.at(0)
         @group = Hash.new
-        open(@path,"a").close unless File::exist?(@path)
+        File.open(@path,"a").close unless File.exist?(@path)
         reload
       end
 
@@ -45,7 +46,7 @@ module WEBrick
       def reload
         if (mtime = File::mtime(@path)) > @mtime
           @group.clear
-          open(@path){|io|
+          File.open(@path){|io|
             while line = io.gets
               line.chomp!
               group, members = line.split(/:\s*/)
@@ -62,15 +63,18 @@ module WEBrick
 
       def flush(output=nil)
         output ||= @path
-        tmp = Tempfile.new("htgroup", File::dirname(output))
+        tmp = Tempfile.create("htgroup", File::dirname(output))
         begin
           @group.keys.sort.each{|group|
             tmp.puts(format("%s: %s", group, self.members(group).join(" ")))
           }
+        ensure
           tmp.close
-          File::rename(tmp.path, output)
-        rescue
-          tmp.close(true)
+          if $!
+            File.unlink(tmp.path)
+          else
+            return File.rename(tmp.path, output)
+          end
         end
       end
 

data/lib/webrick/httpauth/htpasswd.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: false
 #
 # httpauth/htpasswd -- Apache compatible htpasswd file
 #
@@ -7,8 +8,8 @@
 #
 # $IPR: htpasswd.rb,v 1.4 2003/07/22 19:20:45 gotoyuzo Exp $
 
-require 'webrick/httpauth/userdb'
-require 'webrick/httpauth/basicauth'
+require_relative 'userdb'
+require_relative 'basicauth'
 require 'tempfile'
 
 module WEBrick
@@ -34,12 +35,30 @@ module WEBrick
       ##
       # Open a password database at +path+
 
-      def initialize(path)
+      def initialize(path, password_hash: nil)
         @path = path
         @mtime = Time.at(0)
         @passwd = Hash.new
         @auth_type = BasicAuth
-        open(@path,"a").close unless File::exist?(@path)
+        @password_hash = password_hash
+
+        case @password_hash
+        when nil
+          # begin
+          #   require "string/crypt"
+          # rescue LoadError
+          #   warn("Unable to load string/crypt, proceeding with deprecated use of String#crypt, consider using password_hash: :bcrypt")
+          # end
+          @password_hash = :crypt
+        when :crypt
+          # require "string/crypt"
+        when :bcrypt
+          require "bcrypt"
+        else
+          raise ArgumentError, "only :crypt and :bcrypt are supported for password_hash keyword argument"
+        end
+
+        File.open(@path,"a").close unless File.exist?(@path)
         reload
       end
 
@@ -50,11 +69,19 @@ module WEBrick
         mtime = File::mtime(@path)
         if mtime > @mtime
           @passwd.clear
-          open(@path){|io|
+          File.open(@path){|io|
             while line = io.gets
               line.chomp!
               case line
               when %r!\A[^:]+:[a-zA-Z0-9./]{13}\z!
+                if @password_hash == :bcrypt
+                  raise StandardError, ".htpasswd file contains crypt password, only bcrypt passwords supported"
+                end
+                user, pass = line.split(":")
+              when %r!\A[^:]+:\$2[aby]\$\d{2}\$.{53}\z!
+                if @password_hash == :crypt
+                  raise StandardError, ".htpasswd file contains bcrypt password, only crypt passwords supported"
+                end
                 user, pass = line.split(":")
               when /:\$/, /:{SHA}/
                 raise NotImplementedError,
@@ -75,13 +102,16 @@ module WEBrick
 
       def flush(output=nil)
         output ||= @path
-        tmp = Tempfile.new("htpasswd", File::dirname(output))
+        tmp = Tempfile.create("htpasswd", File::dirname(output))
+        renamed = false
         begin
           each{|item| tmp.puts(item.join(":")) }
           tmp.close
           File::rename(tmp.path, output)
-        rescue
-          tmp.close(true)
+          renamed = true
+        ensure
+          tmp.close
+          File.unlink(tmp.path) if !renamed
         end
       end
 
@@ -98,7 +128,14 @@ module WEBrick
       # Sets a password in the database for +user+ in +realm+ to +pass+.
 
       def set_passwd(realm, user, pass)
-        @passwd[user] = make_passwd(realm, user, pass)
+        if @password_hash == :bcrypt
+          # Cost of 5 to match Apache default, and because the
+          # bcrypt default of 10 will introduce significant delays
+          # for every request.
+          @passwd[user] = BCrypt::Password.create(pass, :cost=>5)
+        else
+          @passwd[user] = make_passwd(realm, user, pass)
+        end
       end
 
       ##