webrick 1.4.2 → 1.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 679fbeaf42fd0e9df98934eacf8573238f0b32a5bdcab66cb6ded69c3031ca8d
-  data.tar.gz: 77811219317b65fdbc1a3f703d98dc63c9c6d936ef29775cbef7e1aa1f707007
+  metadata.gz: 800e0427bf3a5f03799b0615f21888ef4827fde35a89663bcf90c055bf4e2221
+  data.tar.gz: ea2b6bdee1ae775c2946e6b16e73a3dbcd18ab27d910cc11eeb72f6eafdc3242
 SHA512:
-  metadata.gz: 4bce582ecef05a51ae39d331f6cf2a3a1f35bd5bde35ea69be01374ec9dc851a536fbb37ea276d37f137d86d8af2258b0caf34b30dce83f3a79d36e88b2cfefc
-  data.tar.gz: 1c4fa49ececffec80b3d3ab8013960379d157202ba4b81959d6bcd91f0dcc978fcc55d60628d2383b8b80c7d1c4ce6b4dc5ca067ea548d0e20ce643d3cb26067
+  metadata.gz: 5d5511564c5ea1ff1eaf936af515acdaff9b157b767093b13e873a38596470bc42cab4a6be97770856e87d91b069ee05716e73dfea88d165a435737e332fb0f4
+  data.tar.gz: a2eaabfc8c4e16303a59cf45de503aaf71577824a8fb92dc2ad60cc4f5fc2478e707635062ed9abc138e260fbc7bea0cc999f8033e5a0f59deeb0e697ec47c1a

data/Gemfile

@@ -0,0 +1,3 @@
+source 'https://rubygems.org'
+
+gemspec

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (C) 1993-2013 Yukihiro Matsumoto. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1. Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+notice, this list of conditions and the following disclaimer in the
+documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.

data/README.md

@@ -0,0 +1,61 @@
+# Webrick
+
+WEBrick is an HTTP server toolkit that can be configured as an HTTPS server, a proxy server, and a virtual-host server.
+
+WEBrick features complete logging of both server operations and HTTP access.
+
+WEBrick supports both basic and digest authentication in addition to algorithms not in RFC 2617.
+
+A WEBrick server can be composed of multiple WEBrick servers or servlets to provide differing behavior on a per-host or per-path basis. WEBrick includes servlets for handling CGI scripts, ERB pages, Ruby blocks and directory listings.
+
+WEBrick also includes tools for daemonizing a process and starting a process at a higher privilege level and dropping permissions.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'webrick'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install webrick
+
+## Usage
+
+To create a new WEBrick::HTTPServer that will listen to connections on port 8000 and serve documents from the current user's public_html folder:
+
+```ruby
+require 'webrick'
+
+root = File.expand_path '~/public_html'
+server = WEBrick::HTTPServer.new :Port => 8000, :DocumentRoot => root
+```
+
+To run the server you will need to provide a suitable shutdown hook as
+starting the server blocks the current thread:
+
+```ruby
+trap 'INT' do server.shutdown end
+
+server.start
+```
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and Patch are welcome on https://bugs.ruby-lang.org/.
+
+## License
+
+The gem is available as open source under the terms of the [2-Clause BSD License](https://opensource.org/licenses/BSD-2-Clause).

data/Rakefile

@@ -0,0 +1,10 @@
+require "bundler/gem_tasks"
+require "rake/testtask"
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << "test" << "test/lib"
+  t.libs << "lib"
+  t.test_files = FileList['test/**/test_*.rb']
+end
+
+task :default => :test

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "webrick"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/lib/webrick.rb

@@ -15,6 +15,11 @@
 # WEBrick also includes tools for daemonizing a process and starting a process
 # at a higher privilege level and dropping permissions.
 #
+# == Security
+#
+# *Warning:* WEBrick is not recommended for production.  It only implements
+# basic security checks.
+#
 # == Starting an HTTP server
 #
 # To create a new WEBrick::HTTPServer that will listen to connections on port
@@ -139,9 +144,9 @@
 # servers.  See WEBrick::HTTPAuth, WEBrick::HTTPAuth::BasicAuth and
 # WEBrick::HTTPAuth::DigestAuth.
 #
-# == WEBrick as a Production Web Server
+# == WEBrick as a daemonized Web Server
 #
-# WEBrick can be run as a production server for small loads.
+# WEBrick can be run as a daemonized server for small loads.
 #
 # === Daemonizing
 #
@@ -212,7 +217,7 @@ require 'webrick/version.rb'
 require 'webrick/config.rb'
 require 'webrick/log.rb'
 require 'webrick/server.rb'
-require 'webrick/utils.rb'
+require_relative 'webrick/utils.rb'
 require 'webrick/accesslog'
 
 require 'webrick/htmlutils.rb'

data/lib/webrick/accesslog.rb

@@ -149,11 +149,9 @@ module WEBrick
     # Escapes control characters in +data+
 
     def escape(data)
-      if data.tainted?
-        data.gsub(/[[:cntrl:]\\]+/) {$&.dump[1...-1]}.untaint
-      else
-        data
-      end
+      data = data.gsub(/[[:cntrl:]\\]+/) {$&.dump[1...-1]}
+      data.untaint if RUBY_VERSION < '2.7'
+      data
     end
   end
 end

data/lib/webrick/cgi.rb

@@ -8,9 +8,9 @@
 #
 # $Id$
 
-require "webrick/httprequest"
-require "webrick/httpresponse"
-require "webrick/config"
+require_relative "httprequest"
+require_relative "httpresponse"
+require_relative "config"
 require "stringio"
 
 module WEBrick
@@ -265,6 +265,10 @@ module WEBrick
         @out_port << data
       end
 
+      def write(data)
+        @out_port.write(data)
+      end
+
       def cert
         return nil unless defined?(OpenSSL)
         if pem = @env["SSL_SERVER_CERT"]

data/lib/webrick/config.rb

@@ -9,11 +9,11 @@
 #
 # $IPR: config.rb,v 1.52 2003/07/22 19:20:42 gotoyuzo Exp $
 
-require 'webrick/version'
-require 'webrick/httpversion'
-require 'webrick/httputils'
-require 'webrick/utils'
-require 'webrick/log'
+require_relative 'version'
+require_relative 'httpversion'
+require_relative 'httputils'
+require_relative 'utils'
+require_relative 'log'
 
 module WEBrick
   module Config

data/lib/webrick/cookie.rb

@@ -10,7 +10,7 @@
 # $IPR: cookie.rb,v 1.16 2002/09/21 12:23:35 gotoyuzo Exp $
 
 require 'time'
-require 'webrick/httputils'
+require_relative 'httputils'
 
 module WEBrick
 

data/lib/webrick/httpauth.rb

@@ -9,11 +9,11 @@
 #
 # $IPR: httpauth.rb,v 1.14 2003/07/22 19:20:42 gotoyuzo Exp $
 
-require 'webrick/httpauth/basicauth'
-require 'webrick/httpauth/digestauth'
-require 'webrick/httpauth/htpasswd'
-require 'webrick/httpauth/htdigest'
-require 'webrick/httpauth/htgroup'
+require_relative 'httpauth/basicauth'
+require_relative 'httpauth/digestauth'
+require_relative 'httpauth/htpasswd'
+require_relative 'httpauth/htdigest'
+require_relative 'httpauth/htgroup'
 
 module WEBrick
 

data/lib/webrick/httpauth/authenticator.rb

@@ -85,7 +85,7 @@ module WEBrick
       def log(meth, fmt, *args)
         msg = format("%s %s: ", @auth_scheme, @realm)
         msg << fmt % args
-        @logger.send(meth, msg)
+        @logger.__send__(meth, msg)
       end
 
       def error(fmt, *args)

data/lib/webrick/httpauth/basicauth.rb

@@ -8,9 +8,9 @@
 #
 # $IPR: basicauth.rb,v 1.5 2003/02/20 07:15:47 gotoyuzo Exp $
 
-require 'webrick/config'
-require 'webrick/httpstatus'
-require 'webrick/httpauth/authenticator'
+require_relative '../config'
+require_relative '../httpstatus'
+require_relative 'authenticator'
 
 module WEBrick
   module HTTPAuth
@@ -24,7 +24,7 @@ module WEBrick
     #
     #   config = { :Realm => 'BasicAuth example realm' }
     #
-    #   htpasswd = WEBrick::HTTPAuth::Htpasswd.new 'my_password_file'
+    #   htpasswd = WEBrick::HTTPAuth::Htpasswd.new 'my_password_file', password_hash: :bcrypt
     #   htpasswd.set_passwd config[:Realm], 'username', 'password'
     #   htpasswd.flush
     #
@@ -81,7 +81,15 @@ module WEBrick
           error("%s: the user is not allowed.", userid)
           challenge(req, res)
         end
-        if password.crypt(encpass) != encpass
+
+        case encpass
+        when /\A\$2[aby]\$/
+          password_matches = BCrypt::Password.new(encpass.sub(/\A\$2[aby]\$/, '$2a$')) == password
+        else
+          password_matches = password.crypt(encpass) == encpass
+        end
+
+        unless password_matches
           error("%s: password unmatch.", userid)
           challenge(req, res)
         end

data/lib/webrick/httpauth/digestauth.rb

@@ -12,9 +12,9 @@
 #
 # $IPR: digestauth.rb,v 1.5 2003/02/20 07:15:47 gotoyuzo Exp $
 
-require 'webrick/config'
-require 'webrick/httpstatus'
-require 'webrick/httpauth/authenticator'
+require_relative '../config'
+require_relative '../httpstatus'
+require_relative 'authenticator'
 require 'digest/md5'
 require 'digest/sha1'
 
@@ -235,9 +235,11 @@ module WEBrick
           ha2 = hexdigest(req.request_method, auth_req['uri'])
           ha2_res = hexdigest("", auth_req['uri'])
         elsif auth_req['qop'] == "auth-int"
-          ha2 = hexdigest(req.request_method, auth_req['uri'],
-                          hexdigest(req.body))
-          ha2_res = hexdigest("", auth_req['uri'], hexdigest(res.body))
+          body_digest = @h.new
+          req.body { |chunk| body_digest.update(chunk) }
+          body_digest = body_digest.hexdigest
+          ha2 = hexdigest(req.request_method, auth_req['uri'], body_digest)
+          ha2_res = hexdigest("", auth_req['uri'], body_digest)
         end
 
         if auth_req['qop'] == "auth" || auth_req['qop'] == "auth-int"
@@ -288,23 +290,8 @@ module WEBrick
 
       def split_param_value(string)
         ret = {}
-        while string.bytesize != 0
-          case string
-          when /^\s*([\w\-\.\*\%\!]+)=\s*\"((\\.|[^\"])*)\"\s*,?/
-            key = $1
-            matched = $2
-            string = $'
-            ret[key] = matched.gsub(/\\(.)/, "\\1")
-          when /^\s*([\w\-\.\*\%\!]+)=\s*([^,\"]*),?/
-            key = $1
-            matched = $2
-            string = $'
-            ret[key] = matched.clone
-          when /^s*^,/
-            string = $'
-          else
-            break
-          end
+        string.scan(/\G\s*([\w\-.*%!]+)=\s*(?:\"((?>\\.|[^\"])*)\"|([^,\"]*))\s*,?/) do
+          ret[$1] = $3 || $2.gsub(/\\(.)/, "\\1")
         end
         ret
       end

data/lib/webrick/httpauth/htdigest.rb

@@ -8,8 +8,8 @@
 #
 # $IPR: htdigest.rb,v 1.4 2003/07/22 19:20:45 gotoyuzo Exp $
 
-require 'webrick/httpauth/userdb'
-require 'webrick/httpauth/digestauth'
+require_relative 'userdb'
+require_relative 'digestauth'
 require 'tempfile'
 
 module WEBrick

data/lib/webrick/httpauth/htgroup.rb

@@ -63,15 +63,18 @@ module WEBrick
 
       def flush(output=nil)
         output ||= @path
-        tmp = Tempfile.new("htgroup", File::dirname(output))
+        tmp = Tempfile.create("htgroup", File::dirname(output))
         begin
           @group.keys.sort.each{|group|
             tmp.puts(format("%s: %s", group, self.members(group).join(" ")))
           }
+        ensure
           tmp.close
-          File::rename(tmp.path, output)
-        rescue
-          tmp.close(true)
+          if $!
+            File.unlink(tmp.path)
+          else
+            return File.rename(tmp.path, output)
+          end
         end
       end
 

data/lib/webrick/httpauth/htpasswd.rb

@@ -8,8 +8,8 @@
 #
 # $IPR: htpasswd.rb,v 1.4 2003/07/22 19:20:45 gotoyuzo Exp $
 
-require 'webrick/httpauth/userdb'
-require 'webrick/httpauth/basicauth'
+require_relative 'userdb'
+require_relative 'basicauth'
 require 'tempfile'
 
 module WEBrick
@@ -35,11 +35,29 @@ module WEBrick
       ##
       # Open a password database at +path+
 
-      def initialize(path)
+      def initialize(path, password_hash: nil)
         @path = path
         @mtime = Time.at(0)
         @passwd = Hash.new
         @auth_type = BasicAuth
+        @password_hash = password_hash
+
+        case @password_hash
+        when nil
+          # begin
+          #   require "string/crypt"
+          # rescue LoadError
+          #   warn("Unable to load string/crypt, proceeding with deprecated use of String#crypt, consider using password_hash: :bcrypt")
+          # end
+          @password_hash = :crypt
+        when :crypt
+          # require "string/crypt"
+        when :bcrypt
+          require "bcrypt"
+        else
+          raise ArgumentError, "only :crypt and :bcrypt are supported for password_hash keyword argument"
+        end
+
         File.open(@path,"a").close unless File.exist?(@path)
         reload
       end
@@ -56,6 +74,14 @@ module WEBrick
               line.chomp!
               case line
               when %r!\A[^:]+:[a-zA-Z0-9./]{13}\z!
+                if @password_hash == :bcrypt
+                  raise StandardError, ".htpasswd file contains crypt password, only bcrypt passwords supported"
+                end
+                user, pass = line.split(":")
+              when %r!\A[^:]+:\$2[aby]\$\d{2}\$.{53}\z!
+                if @password_hash == :crypt
+                  raise StandardError, ".htpasswd file contains bcrypt password, only crypt passwords supported"
+                end
                 user, pass = line.split(":")
               when /:\$/, /:{SHA}/
                 raise NotImplementedError,
@@ -102,7 +128,14 @@ module WEBrick
       # Sets a password in the database for +user+ in +realm+ to +pass+.
 
       def set_passwd(realm, user, pass)
-        @passwd[user] = make_passwd(realm, user, pass)
+        if @password_hash == :bcrypt
+          # Cost of 5 to match Apache default, and because the
+          # bcrypt default of 10 will introduce significant delays
+          # for every request.
+          @passwd[user] = BCrypt::Password.create(pass, :cost=>5)
+        else
+          @passwd[user] = make_passwd(realm, user, pass)
+        end
       end
 
       ##