Hello community, here is the log from the commit of package rubygem-rack-1_6 for openSUSE:Factory checked in at 2016-11-14 20:13:59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/rubygem-rack-1_6 (Old) and /work/SRC/openSUSE:Factory/.rubygem-rack-1_6.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-rack-1_6" Changes: -------- --- /work/SRC/openSUSE:Factory/rubygem-rack-1_6/rubygem-rack-1_6.changes 2016-07-21 07:55:36.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.rubygem-rack-1_6.new/rubygem-rack-1_6.changes 2016-11-14 20:14:00.000000000 +0100 @@ -1,0 +2,26 @@ +Fri Nov 11 05:49:18 UTC 2016 - co...@suse.com + +- updated to version 1.6.5 + see installed HISTORY.md + + Sun Dec 4 18:48:03 2015 Jeremy Daer <jeremyd...@gmail.com> + + * First-party "SameSite" cookies. Browsers omit SameSite cookies + from third-party requests, closing the door on many CSRF attacks. + + Pass `same_site: true` (or `:strict`) to enable: + response.set_cookie 'foo', value: 'bar', same_site: true + or `same_site: :lax` to use Lax enforcement: + response.set_cookie 'foo', value: 'bar', same_site: :lax + + Based on version 7 of the Same-site Cookies internet draft: + https://tools.ietf.org/html/draft-west-first-party-cookies-07 + + Thanks to Ben Toews (@mastahyeti) and Bob Long (@bobjflong) for + updating to drafts 5 and 7. + + Wed Jun 24 12:13:37 2015 Aaron Patterson <tenderl...@ruby-lang.org> + + * Fix Ruby 1.8 backwards compatibility + +------------------------------------------------------------------- Old: ---- rack-1.6.4.gem New: ---- rack-1.6.5.gem ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rubygem-rack-1_6.spec ++++++ --- /var/tmp/diff_new_pack.ngPL8x/_old 2016-11-14 20:14:02.000000000 +0100 +++ /var/tmp/diff_new_pack.ngPL8x/_new 2016-11-14 20:14:02.000000000 +0100 @@ -24,7 +24,7 @@ # Name: rubygem-rack-1_6 -Version: 1.6.4 +Version: 1.6.5 Release: 0 %define mod_name rack %define mod_full_name %{mod_name}-%{version} ++++++ rack-1.6.4.gem -> rack-1.6.5.gem ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/HISTORY.md new/HISTORY.md --- old/HISTORY.md 2015-06-18 23:51:22.000000000 +0200 +++ new/HISTORY.md 2016-11-10 22:54:15.000000000 +0100 
@@ -1,3 +1,23 @@ +Sun Dec 4 18:48:03 2015 Jeremy Daer <jeremyd...@gmail.com> + + * First-party "SameSite" cookies. Browsers omit SameSite cookies + from third-party requests, closing the door on many CSRF attacks. + + Pass `same_site: true` (or `:strict`) to enable: + response.set_cookie 'foo', value: 'bar', same_site: true + or `same_site: :lax` to use Lax enforcement: + response.set_cookie 'foo', value: 'bar', same_site: :lax + + Based on version 7 of the Same-site Cookies internet draft: + https://tools.ietf.org/html/draft-west-first-party-cookies-07 + + Thanks to Ben Toews (@mastahyeti) and Bob Long (@bobjflong) for + updating to drafts 5 and 7. + +Wed Jun 24 12:13:37 2015 Aaron Patterson <tenderl...@ruby-lang.org> + + * Fix Ruby 1.8 backwards compatibility + Fri Jun 19 07:14:50 2015 Matthew Draper <matt...@trebex.net> * Work around a Rails incompatibility in our private API Files old/checksums.yaml.gz and new/checksums.yaml.gz differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/rack/handler.rb new/lib/rack/handler.rb --- old/lib/rack/handler.rb 2015-06-18 23:51:22.000000000 +0200 +++ new/lib/rack/handler.rb 2016-11-10 22:54:15.000000000 +0100 
@@ -19,13 +19,25 @@ if klass = @handlers[server] klass.split("::").inject(Object) { |o, x| o.const_get(x) } else - const_get(server, false) + _const_get(server, false) end rescue NameError => name_error raise load_error || name_error end + begin + ::Object.const_get("Object", false) + def self._const_get(str, inherit = true) + const_get(str, inherit) + end + rescue + def self._const_get(str, inherit = true) + const_get(str) + end + end + + # Select first available Rack handler given an `Array` of server names. # Raises `LoadError` if no handler was found. # diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/rack/reloader.rb new/lib/rack/reloader.rb --- old/lib/rack/reloader.rb 2015-06-18 23:51:22.000000000 +0200 +++ new/lib/rack/reloader.rb 2016-11-10 22:54:16.000000000 +0100 @@ -26,6 +26,7 @@ @last = (Time.now - cooldown) @cache = {} @mtimes = {} + @reload_mutex = Mutex.new extend backend end @@ -33,7 +34,7 @@ def call(env) if @cooldown and Time.now > @last + @cooldown if Thread.list.size > 1 - Thread.exclusive{ reload! } + @reload_mutex.synchronize{ reload! } else reload! end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/rack/utils.rb new/lib/rack/utils.rb --- old/lib/rack/utils.rb 2015-06-18 23:51:22.000000000 +0200 +++ new/lib/rack/utils.rb 2016-11-10 22:54:16.000000000 +0100 
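Review bot: The `rescue` fallback for `_const_get` silently turns the non-inherited lookup back into an inherited one, so on an interpreter without the two-argument `const_get` `Rack::Handler.get('Object')` resolves the toplevel `Object` instead of raising `LoadError`, and nothing in the code says so. I would add above the `begin` block: `# Ruby 1.8's Module#const_get has no inherit flag; there we fall back to an inherited lookup, so get(name) may resolve non-handler toplevel constants.` The bare `rescue` also catches any StandardError from the probe rather than the error an old interpreter raises for the extra argument (presumably ArgumentError); `rescue ArgumentError` would state the intent. The enclosing `get` method starts outside the hunk.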
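Review bot: In the `call` hunk the cooldown check `Time.now > @last + @cooldown` is evaluated before the lock is taken, so every thread that passes it while a reload is in progress serializes on `@reload_mutex` and runs `reload!` again once it acquires the lock instead of skipping the reload that just happened. Re-checking inside the critical section avoids that: `@reload_mutex.synchronize { reload! if Time.now > @last + @cooldown }`, assuming `reload!` updates `@last`, which is outside the hunk. Note also that `Thread.exclusive` was process-wide while `@reload_mutex` is per instance, so two Reloader instances in one process no longer exclude each other; likely acceptable, but worth a comment at the `Mutex.new` line. With a Mutex in place the `Thread.list.size > 1` branch adds little and could be dropped. The `call` method continues outside the hunk.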
@@ -311,12 +311,23 @@ rfc2822(value[:expires].clone.gmtime) if value[:expires] secure = "; secure" if value[:secure] httponly = "; HttpOnly" if (value.key?(:httponly) ? value[:httponly] : value[:http_only]) + same_site = + case value[:same_site] + when false, nil + nil + when :lax, 'Lax', :Lax + '; SameSite=Lax'.freeze + when true, :strict, 'Strict', :Strict + '; SameSite=Strict'.freeze + else + raise ArgumentError, "Invalid SameSite value: #{value[:same_site].inspect}" + end value = value[:value] end value = [value] unless Array === value cookie = escape(key) + "=" + value.map { |v| escape v }.join("&") + - "#{domain}#{path}#{max_age}#{expires}#{secure}#{httponly}" + "#{domain}#{path}#{max_age}#{expires}#{secure}#{httponly}#{same_site}" case header["Set-Cookie"] when nil, '' diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/rack.rb new/lib/rack.rb --- old/lib/rack.rb 2015-06-18 23:51:22.000000000 +0200 +++ new/lib/rack.rb 2016-11-10 22:54:15.000000000 +0100 @@ -20,7 +20,7 @@ # Return the Rack release as a dotted string. def self.release - "1.6.4" + "1.6.5" end PATH_INFO = 'PATH_INFO'.freeze REQUEST_METHOD = 'REQUEST_METHOD'.freeze diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/metadata new/metadata --- old/metadata 2015-06-18 23:51:22.000000000 +0200 +++ new/metadata 2016-11-10 22:54:15.000000000 +0100 @@ -1,14 +1,14 @@ --- !ruby/object:Gem::Specification name: rack version: !ruby/object:Gem::Version - version: 1.6.4 + version: 1.6.5 platform: ruby authors: - Christian Neukirchen autorequire: bindir: bin cert_chain: [] -date: 2015-06-18 00:00:00.000000000 Z +date: 2016-11-10 00:00:00.000000000 Z dependencies: - !ruby/object:Gem::Dependency name: bacon @@ -148,7 +148,6 @@ - test/cgi/assets/javascripts/app.js - test/cgi/assets/stylesheets/app.css - test/cgi/lighttpd.conf -- test/cgi/lighttpd.errors - test/cgi/rackup_stub.rb - test/cgi/sample_rackup.ru - test/cgi/test 
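Review bot: The new `same_site` mapping carries no comment, and the method's header comment, which is outside the hunk, will not tell callers which values are accepted or that an unrecognized one raises. I would add above the `case`: `# :same_site => true/:strict/'Strict' emits SameSite=Strict, :lax/'Lax' emits SameSite=Lax, nil/false omits the attribute; anything else raises ArgumentError.` Note the asymmetry that `:lax` and `:Lax` are both accepted while the string form is only `'Lax'` (`'lax'` raises), which will surprise anyone passing a lowercased config string; either accept `'lax'`/`'strict'` too or document the case-sensitivity. `secure` and `httponly` just above accept any truthy value, so the strictness here is a deliberate difference that deserves a word in the comment. The enclosing method starts outside the hunk.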
@@ -256,7 +255,7 @@ version: '0' requirements: [] rubyforge_project: rack -rubygems_version: 2.4.5 +rubygems_version: 2.5.1 signing_key: specification_version: 4 summary: a modular Ruby webserver interface @@ -310,3 +309,4 @@ - test/spec_utils.rb - test/spec_version.rb - test/spec_webrick.rb +has_rdoc: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rack.gemspec new/rack.gemspec --- old/rack.gemspec 2015-06-18 23:51:22.000000000 +0200 +++ new/rack.gemspec 2016-11-10 22:54:16.000000000 +0100 @@ -1,6 +1,6 @@ Gem::Specification.new do |s| s.name = "rack" - s.version = "1.6.4" + s.version = "1.6.5" s.platform = Gem::Platform::RUBY s.summary = "a modular Ruby webserver interface" s.license = "MIT" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/test/cgi/lighttpd.errors new/test/cgi/lighttpd.errors --- old/test/cgi/lighttpd.errors 2015-06-18 23:51:22.000000000 +0200 +++ new/test/cgi/lighttpd.errors 1970-01-01 01:00:00.000000000 +0100 @@ -1 +0,0 @@ -2015-06-16 14:11:43: (log.c.164) server started diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/test/spec_handler.rb new/test/spec_handler.rb --- old/test/spec_handler.rb 2015-06-18 23:51:22.000000000 +0200 +++ new/test/spec_handler.rb 2016-11-10 22:54:16.000000000 +0100 
@@ -23,10 +23,19 @@ lambda { Rack::Handler.get('boom') }.should.raise(LoadError) + end - lambda { - Rack::Handler.get('Object') - }.should.raise(LoadError) + should "raise LoadError if handler isn't nested under Rack::Handler" do + # Feature-detect whether Ruby can do non-inherited const lookups. + # If it can't, then Rack::Handler may lookup non-handler toplevel + # constants, so the best we can do is no-op here and not test it. + begin + Rack::Handler._const_get('Object', false) + rescue NameError + lambda { + Rack::Handler.get('Object') + }.should.raise(LoadError) + end end should "get unregistered, but already required, handler by name" do diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/test/spec_response.rb new/test/spec_response.rb --- old/test/spec_response.rb 2015-06-18 23:51:22.000000000 +0200 +++ new/test/spec_response.rb 2016-11-10 22:54:16.000000000 +0100 
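Review bot: The new test probes the interpreter through `Rack::Handler._const_get('Object', false)`, the very helper whose behavior it is meant to guard, so if `_const_get` ever regressed to an inherited lookup on a modern Ruby the probe would stop raising and the test would pass vacuously with no assertion at all. Probing `::Object.const_get` directly, as handler.rb itself does, makes the skip depend only on the interpreter; the error an old interpreter raises for the extra argument is presumably ArgumentError, which is what the rescue below assumes. The surrounding `describe` block starts outside the hunk.
```ruby
  should "raise LoadError if handler isn't nested under Rack::Handler" do
    # Probe the interpreter, not _const_get, so a regression in the
    # non-inherited lookup cannot disable its own test.
    begin
      ::Object.const_get('Object', false)
    rescue ArgumentError
      next # Ruby without the inherit flag: nothing to test
    end
    lambda {
      Rack::Handler.get('Object')
    }.should.raise(LoadError)
  end
```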
@@ -97,6 +97,70 @@ response["Set-Cookie"].should.equal "foo=bar" end + it "can set SameSite cookies with symbol value :lax" do + response = Rack::Response.new + response.set_cookie "foo", {:value => "bar", :same_site => :lax} + response["Set-Cookie"].should.equal "foo=bar; SameSite=Lax" + end + + it "can set SameSite cookies with symbol value :Lax" do + response = Rack::Response.new + response.set_cookie "foo", {:value => "bar", :same_site => :lax} + response["Set-Cookie"].should.equal "foo=bar; SameSite=Lax" + end + + it "can set SameSite cookies with string value 'Lax'" do + response = Rack::Response.new + response.set_cookie "foo", {:value => "bar", :same_site => "Lax"} + response["Set-Cookie"].should.equal "foo=bar; SameSite=Lax" + end + + it "can set SameSite cookies with boolean value true" do + response = Rack::Response.new + response.set_cookie "foo", {:value => "bar", :same_site => true} + response["Set-Cookie"].should.equal "foo=bar; SameSite=Strict" + end + + it "can set SameSite cookies with symbol value :strict" do + response = Rack::Response.new + response.set_cookie "foo", {:value => "bar", :same_site => :strict} + response["Set-Cookie"].should.equal "foo=bar; SameSite=Strict" + end + + it "can set SameSite cookies with symbol value :Strict" do + response = Rack::Response.new + response.set_cookie "foo", {:value => "bar", :same_site => :Strict} + response["Set-Cookie"].should.equal "foo=bar; SameSite=Strict" + end + + it "can set SameSite cookies with string value 'Strict'" do + response = Rack::Response.new + response.set_cookie "foo", {:value => "bar", :same_site => "Strict"} + response["Set-Cookie"].should.equal "foo=bar; SameSite=Strict" + end + + it "validates the SameSite option value" do + response = Rack::Response.new + lambda { + response.set_cookie "foo", {:value => "bar", :same_site => "Foo"} + }.should.raise(ArgumentError). 
+ message.should.match(/Invalid SameSite value: "Foo"/) + end + + it "can set SameSite cookies with symbol value" do + response = Rack::Response.new + response.set_cookie "foo", {:value => "bar", :same_site => :Strict} + response["Set-Cookie"].should.equal "foo=bar; SameSite=Strict" + end + + [ nil, false ].each do |non_truthy| + it "omits SameSite attribute given a #{non_truthy.inspect} value" do + response = Rack::Response.new + response.set_cookie "foo", {:value => "bar", :same_site => non_truthy} + response["Set-Cookie"].should.equal "foo=bar" + end + end + it "can delete cookies" do response = Rack::Response.new response.set_cookie "foo", "bar"
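Review bot: The test titled "can set SameSite cookies with symbol value :Lax" passes `:same_site => :lax`, so the `:Lax` branch of the new `case` in `Rack::Utils` is never exercised; change the option to `:same_site => :Lax`. The later "can set SameSite cookies with symbol value" test repeats the `:Strict` case verbatim and can be dropped or pointed at a value not yet covered. One assertion combining `:same_site` with `:secure` or `:httponly` would also pin the attribute order in the header, since the production change appends `same_site` after `httponly`.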