Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package rubygem-rack-protection for
openSUSE:Factory checked in at 2022-02-24 18:20:33
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-rack-protection (Old)
and /work/SRC/openSUSE:Factory/.rubygem-rack-protection.new.1958 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-rack-protection"
Thu Feb 24 18:20:33 2022 rev:9 rq:956452 version:2.2.0
Changes:
--------
---
/work/SRC/openSUSE:Factory/rubygem-rack-protection/rubygem-rack-protection.changes
2020-10-05 19:33:04.277188003 +0200
+++
/work/SRC/openSUSE:Factory/.rubygem-rack-protection.new.1958/rubygem-rack-protection.changes
2022-02-24 18:23:48.250652994 +0100
@@ -1,0 +2,6 @@
+Mon Feb 21 11:35:01 UTC 2022 - Stephan Kulow <[email protected]>
+
+updated to version 2.2.0
+ no changelog found
+
+-------------------------------------------------------------------
Old:
----
rack-protection-2.1.0.gem
New:
----
rack-protection-2.2.0.gem
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ rubygem-rack-protection.spec ++++++
--- /var/tmp/diff_new_pack.G6qJoD/_old 2022-02-24 18:23:48.638652893 +0100
+++ /var/tmp/diff_new_pack.G6qJoD/_new 2022-02-24 18:23:48.642652892 +0100
@@ -1,7 +1,7 @@
#
# spec file for package rubygem-rack-protection
#
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -24,7 +24,7 @@
#
Name: rubygem-rack-protection
-Version: 2.1.0
+Version: 2.2.0
Release: 0
%define mod_name rack-protection
%define mod_full_name %{mod_name}-%{version}
++++++ rack-protection-2.1.0.gem -> rack-protection-2.2.0.gem ++++++
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/rack/protection/authenticity_token.rb
new/lib/rack/protection/authenticity_token.rb
--- old/lib/rack/protection/authenticity_token.rb 2020-09-04
20:46:28.000000000 +0200
+++ new/lib/rack/protection/authenticity_token.rb 2022-02-15
17:23:55.000000000 +0100
@@ -1,5 +1,6 @@
require 'rack/protection'
require 'securerandom'
+require 'openssl'
require 'base64'
module Rack
@@ -24,6 +25,13 @@
# the token on a request. Default value:
# <tt>"authenticity_token"</tt>
#
+ # [<tt>:key</tt>] the name of the param that should contain
+ # the token in the session. Default value:
+ # <tt>:csrf</tt>
+ #
+ # [<tt>:allow_if</tt>] a proc for custom allow/deny logic. Default value:
+ # <tt>nil</tt>
+ #
# == Example: Forms application
#
# To show what the AuthenticityToken does, this section includes a sample
@@ -85,42 +93,57 @@
TOKEN_LENGTH = 32
default_options :authenticity_param => 'authenticity_token',
+ :key => :csrf,
:allow_if => nil
- def self.token(session)
- self.new(nil).mask_authenticity_token(session)
+ def self.token(session, path: nil, method: :post)
+ self.new(nil).mask_authenticity_token(session, path: path, method:
method)
end
def self.random_token
- SecureRandom.base64(TOKEN_LENGTH)
+ SecureRandom.urlsafe_base64(TOKEN_LENGTH, padding: false)
end
def accepts?(env)
- session = session env
+ session = session(env)
set_token(session)
safe?(env) ||
- valid_token?(session, env['HTTP_X_CSRF_TOKEN']) ||
- valid_token?(session,
Request.new(env).params[options[:authenticity_param]]) ||
+ valid_token?(env, env['HTTP_X_CSRF_TOKEN']) ||
+ valid_token?(env,
Request.new(env).params[options[:authenticity_param]]) ||
( options[:allow_if] && options[:allow_if].call(env) )
+ rescue
+ false
end
- def mask_authenticity_token(session)
- token = set_token(session)
+ def mask_authenticity_token(session, path: nil, method: :post)
+ set_token(session)
+
+ token = if path && method
+ per_form_token(session, path, method)
+ else
+ global_token(session)
+ end
+
mask_token(token)
end
+ GLOBAL_TOKEN_IDENTIFIER = '!real_csrf_token'
+ private_constant :GLOBAL_TOKEN_IDENTIFIER
+
private
def set_token(session)
- session[:csrf] ||= self.class.random_token
+ session[options[:key]] ||= self.class.random_token
end
# Checks the client's masked token to see if it matches the
# session token.
- def valid_token?(session, token)
+ def valid_token?(env, token)
return false if token.nil? || token.empty?
+ session = session(env)
+
begin
token = decode_token(token)
rescue ArgumentError # encoded_masked_token is invalid Base64
@@ -131,13 +154,13 @@
# to handle any unmasked tokens that we've issued without error.
if unmasked_token?(token)
- compare_with_real_token token, session
-
+ compare_with_real_token(token, session)
elsif masked_token?(token)
token = unmask_token(token)
- compare_with_real_token token, session
-
+ compare_with_global_token(token, session) ||
+ compare_with_real_token(token, session) ||
+ compare_with_per_form_token(token, session, Request.new(env))
else
false # Token is malformed
end
@@ -147,7 +170,6 @@
# on each request. The masking is used to mitigate SSL attacks
# like BREACH.
def mask_token(token)
- token = decode_token(token)
one_time_pad = SecureRandom.random_bytes(token.length)
encrypted_token = xor_byte_strings(one_time_pad, token)
masked_token = one_time_pad + encrypted_token
@@ -176,16 +198,42 @@
secure_compare(token, real_token(session))
end
+ def compare_with_global_token(token, session)
+ secure_compare(token, global_token(session))
+ end
+
+ def compare_with_per_form_token(token, session, request)
+ secure_compare(token,
+ per_form_token(session, request.path.chomp('/'),
request.request_method)
+ )
+ end
+
def real_token(session)
- decode_token(session[:csrf])
+ decode_token(session[options[:key]])
+ end
+
+ def global_token(session)
+ token_hmac(session, GLOBAL_TOKEN_IDENTIFIER)
+ end
+
+ def per_form_token(session, path, method)
+ token_hmac(session, "#{path}##{method.downcase}")
end
def encode_token(token)
- Base64.strict_encode64(token)
+ Base64.urlsafe_encode64(token)
end
def decode_token(token)
- Base64.strict_decode64(token)
+ Base64.urlsafe_decode64(token)
+ end
+
+ def token_hmac(session, identifier)
+ OpenSSL::HMAC.digest(
+ OpenSSL::Digest::SHA256.new,
+ real_token(session),
+ identifier
+ )
end
def xor_byte_strings(s1, s2)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/rack/protection/http_origin.rb
new/lib/rack/protection/http_origin.rb
--- old/lib/rack/protection/http_origin.rb 2020-09-04 20:46:28.000000000
+0200
+++ new/lib/rack/protection/http_origin.rb 2022-02-15 17:23:55.000000000
+0100
@@ -34,7 +34,7 @@
return true if options[:allow_if] && options[:allow_if].call(env)
if options.key? :origin_whitelist
- warn "Rack::Protection origin_whitelist option is deprecated and
will be removed, " \
+ warn env, "Rack::Protection origin_whitelist option is deprecated
and will be removed, " \
"use permitted_origins instead.\n"
end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/rack/protection/version.rb
new/lib/rack/protection/version.rb
--- old/lib/rack/protection/version.rb 2020-09-04 20:46:28.000000000 +0200
+++ new/lib/rack/protection/version.rb 2022-02-15 17:23:55.000000000 +0100
@@ -1,5 +1,5 @@
module Rack
module Protection
- VERSION = '2.1.0'
+ VERSION = '2.2.0'
end
end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/metadata new/metadata
--- old/metadata 2020-09-04 20:46:28.000000000 +0200
+++ new/metadata 2022-02-15 17:23:55.000000000 +0100
@@ -1,14 +1,14 @@
--- !ruby/object:Gem::Specification
name: rack-protection
version: !ruby/object:Gem::Version
- version: 2.1.0
+ version: 2.2.0
platform: ruby
authors:
- https://github.com/sinatra/sinatra/graphs/contributors
autorequire:
bindir: bin
cert_chain: []
-date: 2020-09-04 00:00:00.000000000 Z
+date: 2022-02-15 00:00:00.000000000 Z
dependencies:
- !ruby/object:Gem::Dependency
name: rack
