websocket-extensions 0.1.0 → 0.1.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: b1c44128d3db51c789832e4c9c8a69f23dd8b477
-  data.tar.gz: 5214cf7259a10a9a6d252b4fa6febaf75d8d8727
+SHA256:
+  metadata.gz: f36fd7e2c8bc73038cff930e7872156bf85804e80c3fe87510373b9093ede11c
+  data.tar.gz: 755d19c6d59b56001a3e2afa5b2397324d69ebbdea730738c13b4cfe212a3f31
 SHA512:
-  metadata.gz: 0f2189d6fae9bad78b6b5ec275f17435b09345e3113416b0ae2196d262e91ac20e20928a7692d2b448a7a6dac35a4db0091a1214538d50c24d0a25259e2e169c
-  data.tar.gz: fdba7d6246380d2088c62837e6ffc84164d188f9d7c0e0a04d00412be766429ed5aca7382c7b8273f1c0f317fdca1d4d6ab5f158f66728d92dc46e80fcbee587
+  metadata.gz: d658c00d7d482283fa112e5a86d798f0ad3972ec4b4558462e05e54137bac6f8a898038f1c185ab13b3c282557fe0b80932c2e66a5a2d0bf7f2a09b5f614760e
+  data.tar.gz: f2dba49a2ea8a8f6b6de80a749ce115fe926dd5785971653e5075bf3bea1d6c39d8ade728bcb5048c60f0ef93bd75ed39cc01a1d6d50ccf4e83061dde278d5a7

data/CHANGELOG.md

@@ -0,0 +1,24 @@
+### 0.1.5 / 2020-06-02
+
+- Remove a ReDoS vulnerability in the header parser (CVE-2020-7663)
+
+### 0.1.4 / 2019-06-10
+
+- Fix a deprecation warning for using the `=~` operator on `true`
+- Change license from MIT to Apache 2.0
+
+### 0.1.3 / 2017-11-11
+
+- Accept extension names and parameters including uppercase letters
+
+### 0.1.2 / 2015-02-19
+
+- Make it safe to call `Extensions#close` if the handshake is not complete
+
+### 0.1.1 / 2014-12-14
+
+- Explicitly require `strscan` which is not loaded in a vanilla Ruby environment
+
+### 0.1.0 / 2014-12-13
+
+- Initial release

data/LICENSE.md

@@ -0,0 +1,12 @@
+Copyright 2014-2020 James Coglan
+
+Licensed under the Apache License, Version 2.0 (the "License"); you may not use
+this file except in compliance with the License. You may obtain a copy of the
+License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software distributed
+under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+CONDITIONS OF ANY KIND, either express or implied. See the License for the
+specific language governing permissions and limitations under the License.

data/README.md

@@ -227,8 +227,8 @@ then the `permessage-deflate` extension will receive the call:
 
 ```rb
 ext.create_server_session([
-  {'server_no_context_takeover' => true, 'server_max_window_bits' => 8},
-  {'server_max_window_bits' => 15}
+  { 'server_no_context_takeover' => true, 'server_max_window_bits' => 8 },
+  { 'server_max_window_bits' => 15 }
 ])
 ```
 
@@ -244,8 +244,8 @@ implement the following methods, as well as the *Session* API listed below.
 ```rb
 client_session.generate_offer
 # e.g.  -> [
-#            {'server_no_context_takeover' => true, 'server_max_window_bits' => 8},
-#            {'server_max_window_bits' => 15}
+#            { 'server_no_context_takeover' => true, 'server_max_window_bits' => 8 },
+#            { 'server_max_window_bits' => 15 }
 #          ]
 ```
 
@@ -270,7 +270,7 @@ must implement the following methods, as well as the *Session* API listed below.
 
 ```rb
 server_session.generate_response
-# e.g.  -> {'server_max_window_bits' => 8}
+# e.g.  -> { 'server_max_window_bits' => 8 }
 ```
 
 This returns the set of parameters the server session wants to send in its
@@ -309,29 +309,5 @@ the session to release any resources it's using.
 
 ## Examples
 
-* Consumer: [websocket-driver](https://github.com/faye/websocket-driver-ruby)
-* Provider: [permessage-deflate](https://github.com/faye/permessage-deflate-ruby)
-
-## License
-
-(The MIT License)
-
-Copyright (c) 2014 James Coglan
-
-Permission is hereby granted, free of charge, to any person obtaining a copy of
-this software and associated documentation files (the 'Software'), to deal in
-the Software without restriction, including without limitation the rights to
-use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
-of the Software, and to permit persons to whom the Software is furnished to do
-so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+- Consumer: [websocket-driver](https://github.com/faye/websocket-driver-ruby)
+- Provider: [permessage-deflate](https://github.com/faye/permessage-deflate-ruby)

data/lib/websocket/extensions.rb

@@ -38,7 +38,7 @@ module WebSocket
       end
 
       if @by_name.has_key?(ext.name)
-        raise TypeError, %Q{An extension with name "#{ext.name}" is already registered}
+        raise TypeError, %Q{An extension with name "#{ ext.name }" is already registered}
       end
 
       @by_name[ext.name] = ext
@@ -78,18 +78,18 @@ module WebSocket
 
       responses.each_offer do |name, params|
         unless record = @index[name]
-          raise ExtensionError, %Q{Server sent am extension response for unknown extension "#{name}"}
+          raise ExtensionError, %Q{Server sent am extension response for unknown extension "#{ name } }
         end
 
         ext, session = *record
 
         if reserved = reserved?(ext)
-          raise ExtensionError, %Q{Server sent two extension responses that use the RSV#{reserved[0]} } +
-                               %Q{ bit: "#{reserved[1]}" and "#{ext.name}"}
+          raise ExtensionError, %Q{Server sent two extension responses that use the RSV#{ reserved[0] }} +
+                                %Q{bit: "#{ reserved[1] }" and "#{ ext.name }"}
         end
 
         unless session.activate(params) == true
-          raise ExtensionError, %Q{Server send unacceptable extension parameters: #{Parser.serialize_params(name, params)}}
+          raise ExtensionError, %Q{Server send unacceptable extension parameters: #{ Parser.serialize_params(name, params) }}
         end
 
         reserve(ext)
@@ -98,9 +98,9 @@ module WebSocket
     end
 
     def generate_response(header)
-      offers   = Parser.parse_header(header)
       sessions = []
       response = []
+      offers   = Parser.parse_header(header)
 
       @in_order.each do |ext|
         offer = offers.by_name(ext.name)
@@ -118,7 +118,7 @@ module WebSocket
     end
 
     def valid_frame_rsv(frame)
-      allowed = {:rsv1 => false, :rsv2 => false, :rsv3 => false}
+      allowed = { :rsv1 => false, :rsv2 => false, :rsv3 => false }
 
       if MESSAGE_OPCODES.include?(frame.opcode)
         @sessions.each do |ext, session|
@@ -155,6 +155,8 @@ module WebSocket
     end
 
     def close
+      return unless @sessions
+
       @sessions.each do |ext, session|
         session.close rescue nil
       end

data/lib/websocket/extensions/parser.rb

@@ -1,13 +1,15 @@
+require 'strscan'
+
 module WebSocket
   class Extensions
 
     class Parser
-      TOKEN    = /([!#\$%&'\*\+\-\.\^_`\|~0-9a-z]+)/
-      NOTOKEN  = /([^!#\$%&'\*\+\-\.\^_`\|~0-9a-z])/
-      QUOTED   = /"((?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"])*)"/
-      PARAM    = %r{#{TOKEN.source}(?:=(?:#{TOKEN.source}|#{QUOTED.source}))?}
-      EXT      = %r{#{TOKEN.source}(?: *; *#{PARAM.source})*}
-      EXT_LIST = %r{^#{EXT.source}(?: *, *#{EXT.source})*$}
+      TOKEN    = /([!#\$%&'\*\+\-\.\^_`\|~0-9A-Za-z]+)/
+      NOTOKEN  = /([^!#\$%&'\*\+\-\.\^_`\|~0-9A-Za-z])/
+      QUOTED   = /"((?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"\\])*)"/
+      PARAM    = %r{#{ TOKEN.source }(?:=(?:#{ TOKEN.source }|#{ QUOTED.source }))?}
+      EXT      = %r{#{ TOKEN.source }(?: *; *#{ PARAM.source })*}
+      EXT_LIST = %r{^#{ EXT.source }(?: *, *#{ EXT.source })*$}
       NUMBER   = /^-?(0|[1-9][0-9]*)(\.[0-9]+)?$/
 
       ParseError = Class.new(ArgumentError)
@@ -17,7 +19,7 @@ module WebSocket
         return offers if header == '' or header.nil?
 
         unless header =~ EXT_LIST
-          raise ParseError, "Invalid Sec-WebSocket-Extensions header: #{header}"
+          raise ParseError, "Invalid Sec-WebSocket-Extensions header: #{ header }"
         end
 
         scanner = StringScanner.new(header)
@@ -36,7 +38,7 @@ module WebSocket
             else
               data = true
             end
-            if data =~ NUMBER
+            if data != true and data =~ NUMBER
               data = data =~ /\./ ? data.to_f : data.to_i(10)
             end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: websocket-extensions
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.1.5
 platform: ruby
 authors:
 - James Coglan
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-12-13 00:00:00.000000000 Z
+date: 2020-06-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rspec
@@ -31,12 +31,14 @@ extensions: []
 extra_rdoc_files:
 - README.md
 files:
+- CHANGELOG.md
+- LICENSE.md
 - README.md
 - lib/websocket/extensions.rb
 - lib/websocket/extensions/parser.rb
-homepage: http://github.com/faye/websocket-extensions-ruby
+homepage: https://github.com/faye/websocket-extensions-ruby
 licenses:
-- MIT
+- Apache-2.0
 metadata: {}
 post_install_message: 
 rdoc_options:
@@ -57,8 +59,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.2.2
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: Generic extension manager for WebSocket connections