Hello community, here is the log from the commit of package rubygem-rack for openSUSE:Factory checked in at 2015-06-23 11:58:03 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/rubygem-rack (Old) and /work/SRC/openSUSE:Factory/.rubygem-rack.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-rack" Changes: -------- --- /work/SRC/openSUSE:Factory/rubygem-rack/rubygem-rack.changes 2015-05-10 10:46:01.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.rubygem-rack.new/rubygem-rack.changes 2015-06-23 11:58:04.000000000 +0200 @@ -1,0 +2,20 @@ +Fri Jun 19 04:32:19 UTC 2015 - co...@suse.com + +- updated to version 1.6.4 + see installed HISTORY.md + + Fri Jun 19 07:14:50 2015 Matthew Draper <matt...@trebex.net> + + * Work around a Rails incompatibility in our private API + +------------------------------------------------------------------- +Wed Jun 17 04:37:32 UTC 2015 - co...@suse.com + +- updated to version 1.6.2 + see installed HISTORY.md + + Fri Jun 12 11:37:41 2015 Aaron Patterson <tenderl...@ruby-lang.org> + + * Prevent extremely deep parameters from being parsed. CVE-2015-3225 + +------------------------------------------------------------------- Old: ---- rack-1.6.1.gem New: ---- rack-1.6.4.gem ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rubygem-rack.spec ++++++ --- /var/tmp/diff_new_pack.toAuqT/_old 2015-06-23 11:58:04.000000000 +0200 +++ /var/tmp/diff_new_pack.toAuqT/_new 2015-06-23 11:58:04.000000000 +0200 @@ -24,7 +24,7 @@ # Name: rubygem-rack -Version: 1.6.1 +Version: 1.6.4 Release: 0 %define mod_name rack %define mod_full_name %{mod_name}-%{version} ++++++ rack-1.6.1.gem -> rack-1.6.4.gem ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/HISTORY.md new/HISTORY.md --- old/HISTORY.md 2015-05-06 20:37:07.000000000 +0200 +++ new/HISTORY.md 2015-06-18 23:51:22.000000000 +0200 
@@ -1,5 +1,12 @@ +Fri Jun 19 07:14:50 2015 Matthew Draper <matt...@trebex.net> + + * Work around a Rails incompatibility in our private API + +Fri Jun 12 11:37:41 2015 Aaron Patterson <tenderl...@ruby-lang.org> + + * Prevent extremely deep parameters from being parsed. CVE-2015-3225 + ### December 18th, Thirty sixth public release 1.6.0 - - TODO ### February 7th, Thirty fifth public release 1.5.2 - Fix CVE-2013-0263, timing attack against Rack::Session::Cookie Files old/checksums.yaml.gz and new/checksums.yaml.gz differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/rack/handler/webrick.rb new/lib/rack/handler/webrick.rb --- old/lib/rack/handler/webrick.rb 2015-05-06 20:37:07.000000000 +0200 +++ new/lib/rack/handler/webrick.rb 2015-06-18 23:51:22.000000000 +0200 @@ -28,7 +28,6 @@ options[:BindAddress] = options.delete(:Host) || default_host options[:Port] ||= 8080 - options[:OutputBufferSize] = 5 @server = ::WEBrick::HTTPServer.new(options) @server.mount "/", Rack::Handler::WEBrick, app yield @server if block_given? diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/rack/handler.rb new/lib/rack/handler.rb --- old/lib/rack/handler.rb 2015-05-06 20:37:07.000000000 +0200 +++ new/lib/rack/handler.rb 2015-06-18 23:51:22.000000000 +0200 @@ -19,7 +19,7 @@ if klass = @handlers[server] klass.split("::").inject(Object) { |o, x| o.const_get(x) } else - const_get(server) + const_get(server, false) end rescue NameError => name_error diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/rack/methodoverride.rb new/lib/rack/methodoverride.rb --- old/lib/rack/methodoverride.rb 2015-05-06 20:37:07.000000000 +0200 +++ new/lib/rack/methodoverride.rb 2015-06-18 23:51:22.000000000 +0200 
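Review bot: The `false` passed to `const_get` on the unregistered-name path is the whole fix (the new spec rejects `Rack::Handler.get('Object')`), yet nothing says so, and a later reader may well remove the argument as noise; suggest `const_get(server, false) # inherit=false: only constants defined under Rack::Handler, never Object's` right on that line. The registered-name branch above still resolves `klass.split("::").inject(Object) { |o, x| o.const_get(x) }` with inherited lookup, which is acceptable only because those class names presumably come from explicit `register` calls rather than from the caller's string; a comment there saying so would stop the two branches from looking inconsistent. The enclosing method begins before this hunk.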
@@ -37,6 +37,7 @@ def method_override_param(req) req.POST[METHOD_OVERRIDE_PARAM_KEY] + rescue Utils::InvalidParameterError, Utils::ParameterTypeError end end end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/rack/mime.rb new/lib/rack/mime.rb --- old/lib/rack/mime.rb 2015-05-06 20:37:07.000000000 +0200 +++ new/lib/rack/mime.rb 2015-06-18 23:51:22.000000000 +0200 @@ -614,6 +614,7 @@ ".wmx" => "video/x-ms-wmx", ".wmz" => "application/x-ms-wmz", ".woff" => "application/font-woff", + ".woff2" => "application/font-woff2", ".wpd" => "application/vnd.wordperfect", ".wpl" => "application/vnd.ms-wpl", ".wps" => "application/vnd.ms-works", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/rack/multipart/parser.rb new/lib/rack/multipart/parser.rb --- old/lib/rack/multipart/parser.rb 2015-05-06 20:37:07.000000000 +0200 +++ new/lib/rack/multipart/parser.rb 2015-06-18 23:51:22.000000000 +0200 @@ -54,14 +54,15 @@ opened_files = 0 loop do - if Utils.multipart_part_limit > 0 - raise MultipartPartLimitError, 'Maximum file multiparts in content reached' if opened_files >= Utils.multipart_part_limit - opened_files += 1 - end head, filename, content_type, name, body = get_current_head_and_filename_and_content_type_and_name_and_body + if Utils.multipart_part_limit > 0 + opened_files += 1 if filename + raise MultipartPartLimitError, 'Maximum file multiparts in content reached' if opened_files >= Utils.multipart_part_limit + end + # Save the rest. if i = @buf.index(rx) body << @buf.slice!(0, i) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/rack/request.rb new/lib/rack/request.rb --- old/lib/rack/request.rb 2015-05-06 20:37:07.000000000 +0200 +++ new/lib/rack/request.rb 2015-06-18 23:51:22.000000000 +0200 
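Review bot: The new `rescue Utils::InvalidParameterError, Utils::ParameterTypeError` has an empty body, so `method_override_param` returns nil and the request proceeds as a plain POST with no record of the bad body; that is the safe direction, but operators get no signal, and a one-line note on the error stream would help: `req.env['rack.errors'].puts 'Invalid or incomplete POST params'` (assuming `req.env` exposes the Rack env, as Rack::Request normally does). The list also omits the `RangeError` that this same release's parameter-depth limit raises from `Utils.normalize_params`, so a deeply nested POST body still escapes this middleware as an unhandled exception rather than being treated as "no override"; add it if that is unintended. The `method_override_param` method is fully visible here, but the class around it is not.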
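Review bot: With the counter incremented before the comparison, `opened_files >= Utils.multipart_part_limit` raises on the limit-th file part, so a limit of N admits only N-1 uploads (the new spec confirms it: a limit of 3 rejects a three-file body) and a limit of 1 admits none, while the accessor's comment in utils.rb describes it as the maximum number of parts a request can contain. Either the comparison should be `>` or that comment should say the limit is exclusive; the two currently disagree. The check now also runs after `get_current_head_and_filename_and_content_type_and_name_and_body` has already produced `body` for the offending part — if that helper opens the Tempfile (the counter's name suggests it), the raise abandons an open handle to GC, and `body.close! if body.respond_to?(:close!)` before the raise would release it promptly. The loop's start and the rest of its body lie outside the hunk.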
@@ -188,7 +188,7 @@ if @env["rack.request.query_string"] == query_string @env["rack.request.query_hash"] else - p = parse_query(query_string) + p = parse_query({ :query => query_string, :separator => '&;' }) @env["rack.request.query_string"] = query_string @env["rack.request.query_hash"] = p end @@ -212,7 +212,7 @@ form_vars.slice!(-1) if form_vars[-1] == ?\0 @env["rack.request.form_vars"] = form_vars - @env["rack.request.form_hash"] = parse_query(form_vars) + @env["rack.request.form_hash"] = parse_query({ :query => form_vars, :separator => '&' }) @env["rack.input"].rewind end @@ -366,7 +366,9 @@ end def parse_query(qs) - Utils.parse_nested_query(qs, '&') + d = '&' + qs, d = qs[:query], qs[:separator] if Hash === qs + Utils.parse_nested_query(qs, d) end def parse_multipart(env) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/rack/static.rb new/lib/rack/static.rb --- old/lib/rack/static.rb 2015-05-06 20:37:07.000000000 +0200 +++ new/lib/rack/static.rb 2015-06-18 23:51:22.000000000 +0200 @@ -53,8 +53,8 @@ # 4) Regular Expressions / Regexp # Provide a regular expression # %r{\.(?:css|js)\z} => Matches files ending in .css or .js - # /\.(?:eot|ttf|otf|woff|svg)\z/ => Matches files ending in - # the most common web font formats (.eot, .ttf, .otf, .woff, .svg) + # /\.(?:eot|ttf|otf|woff2|woff|svg)\z/ => Matches files ending in + # the most common web font formats (.eot, .ttf, .otf, .woff2, .woff, .svg) # Note: This Regexp is available as a shortcut, using the :fonts rule # # 5) Font Shortcut 
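Review bot: In `parse_query`, `qs, d = qs[:query], qs[:separator] if Hash === qs` discards the `'&'` default whenever a Hash caller omits `:separator`, handing `nil` to `Utils.parse_nested_query`; `qs, d = qs[:query], qs.fetch(:separator, d) if Hash === qs` keeps the default for that case. Since the changelog describes this as the private API Rails hooks into, the accepted shapes deserve a comment, e.g. `# qs: a String, or { :query => String, :separator => String } — GET passes '&;', POST '&'`. The behaviour change itself is worth spelling out for downstream users too: per the updated spec, `?quux=b;la` in a query string is now two parameters (`quux=b`, `la=nil`) while a `;` in a POST body stays literal, so any upstream component that normalises or inspects query strings on `&` alone will see different keys than the application does.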
@@ -132,7 +132,7 @@ when :all true when :fonts - path =~ /\.(?:ttf|otf|eot|woff|svg)\z/ + path =~ /\.(?:ttf|otf|eot|woff2|woff|svg)\z/ when String path = ::Rack::Utils.unescape(path) path.start_with?(rule) || path.start_with?('/' + rule) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/rack/utils.rb new/lib/rack/utils.rb --- old/lib/rack/utils.rb 2015-05-06 20:37:07.000000000 +0200 +++ new/lib/rack/utils.rb 2015-06-18 23:51:22.000000000 +0200 @@ -61,6 +61,7 @@ class << self attr_accessor :key_space_limit + attr_accessor :param_depth_limit attr_accessor :multipart_part_limit end @@ -68,6 +69,10 @@ # This helps prevent a rogue client from flooding a Request. self.key_space_limit = 65536 + # Default depth at which the parameter parser will raise an exception for + # being too deep. This helps prevent SystemStackErrors + self.param_depth_limit = 100 + # The maximum number of parts a request can contain. Accepting too many part # can lead to the server running out of file handles. # Set to `0` for no limit. @@ -126,7 +131,9 @@ # normalize_params recursively expands parameters into structural types. If # the structural types represented by two different parameter names are in # conflict, a ParameterTypeError is raised. - def normalize_params(params, name, v = nil) + def normalize_params(params, name, v = nil, depth = Utils.param_depth_limit) + raise RangeError if depth <= 0 + name =~ %r(\A[\[\]]*([^\[\]]+)\]*) k = $1 || '' after = $' || '' 
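Review bot: `param_depth_limit` silently differs from `multipart_part_limit` a few lines below, whose comment promises "Set to `0` for no limit": the new guard in `normalize_params` is `raise RangeError if depth <= 0`, so a deployment that copies that convention and sets `Rack::Utils.param_depth_limit = 0` rejects every parameter, flat ones included. Either state this in the comment — `# Unlike multipart_part_limit, 0 does not disable the check: 0 (or less) rejects all parameters.` — or have the guard skip the check when the limit is not positive, as the multipart limit does. Whichever is chosen, a non-Integer value such as `nil` would surface as a NoMethodError on `<=` inside the parser rather than at configuration time, so the accessor is also a reasonable place to validate it.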
@@ -146,14 +153,14 @@ params[k] ||= [] raise ParameterTypeError, "expected Array (got #{params[k].class.name}) for param `#{k}'" unless params[k].is_a?(Array) if params_hash_type?(params[k].last) && !params[k].last.key?(child_key) - normalize_params(params[k].last, child_key, v) + normalize_params(params[k].last, child_key, v, depth - 1) else - params[k] << normalize_params(params.class.new, child_key, v) + params[k] << normalize_params(params.class.new, child_key, v, depth - 1) end else params[k] ||= params.class.new raise ParameterTypeError, "expected Hash (got #{params[k].class.name}) for param `#{k}'" unless params_hash_type?(params[k]) - params[k] = normalize_params(params[k], after, v) + params[k] = normalize_params(params[k], after, v, depth - 1) end return params diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/rack.rb new/lib/rack.rb --- old/lib/rack.rb 2015-05-06 20:37:07.000000000 +0200 +++ new/lib/rack.rb 2015-06-18 23:51:22.000000000 +0200 @@ -20,7 +20,7 @@ # Return the Rack release as a dotted string. def self.release - "1.6.1" + "1.6.4" end PATH_INFO = 'PATH_INFO'.freeze REQUEST_METHOD = 'REQUEST_METHOD'.freeze diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/metadata new/metadata --- old/metadata 2015-05-06 20:37:07.000000000 +0200 +++ new/metadata 2015-06-18 23:51:22.000000000 +0200 @@ -1,14 +1,14 @@ --- !ruby/object:Gem::Specification name: rack version: !ruby/object:Gem::Version - version: 1.6.1 + version: 1.6.4 platform: ruby authors: - Christian Neukirchen autorequire: bindir: bin cert_chain: [] -date: 2015-05-06 00:00:00.000000000 Z +date: 2015-06-18 00:00:00.000000000 Z dependencies: - !ruby/object:Gem::Dependency name: bacon @@ -148,6 +148,7 @@ - test/cgi/assets/javascripts/app.js - test/cgi/assets/stylesheets/app.css - test/cgi/lighttpd.conf +- test/cgi/lighttpd.errors - test/cgi/rackup_stub.rb - test/cgi/sample_rackup.ru - test/cgi/test 
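Review bot: `raise RangeError if depth <= 0` raises a bare stdlib class with no message, so a rescuing caller or error-reporting middleware cannot tell a rejected deep-parameter request from any other RangeError, and the resulting 500 carries no hint of the cause; `Rack::MethodOverride`'s new rescue list in this same release, for instance, does not catch it. A dedicated subclass keeps the spec's `should.raise(RangeError)` green while making the condition identifiable: `class ParamsTooDeepError < RangeError; end` alongside the other `Utils` error classes, and here `raise ParamsTooDeepError, "exceeded available parameter key space depth" if depth <= 0`. Default arguments are evaluated per call, so `depth = Utils.param_depth_limit` tracks changes to the accessor; a short comment saying so would stop it being hoisted into a constant later.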
@@ -177,6 +178,7 @@ - test/multipart/none - test/multipart/semicolon - test/multipart/text +- test/multipart/three_files_three_fields - test/multipart/webkit - test/rackup/config.ru - test/registering_handler/rack/handler/registering_myself.rb @@ -254,7 +256,7 @@ version: '0' requirements: [] rubyforge_project: rack -rubygems_version: 2.4.6 +rubygems_version: 2.4.5 signing_key: specification_version: 4 summary: a modular Ruby webserver interface @@ -308,4 +310,3 @@ - test/spec_utils.rb - test/spec_version.rb - test/spec_webrick.rb -has_rdoc: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rack.gemspec new/rack.gemspec --- old/rack.gemspec 2015-05-06 20:37:07.000000000 +0200 +++ new/rack.gemspec 2015-06-18 23:51:22.000000000 +0200 @@ -1,6 +1,6 @@ Gem::Specification.new do |s| s.name = "rack" - s.version = "1.6.1" + s.version = "1.6.4" s.platform = Gem::Platform::RUBY s.summary = "a modular Ruby webserver interface" s.license = "MIT" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/test/cgi/lighttpd.errors new/test/cgi/lighttpd.errors --- old/test/cgi/lighttpd.errors 1970-01-01 01:00:00.000000000 +0100 +++ new/test/cgi/lighttpd.errors 2015-06-18 23:51:22.000000000 +0200 @@ -0,0 +1 @@ +2015-06-16 14:11:43: (log.c.164) server started diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/test/multipart/three_files_three_fields new/test/multipart/three_files_three_fields --- old/test/multipart/three_files_three_fields 1970-01-01 01:00:00.000000000 +0100 +++ new/test/multipart/three_files_three_fields 2015-06-18 23:51:22.000000000 +0200 
@@ -0,0 +1,31 @@
+--AaB03x
+content-disposition: form-data; name="reply"
+
+yes
+--AaB03x
+content-disposition: form-data; name="to"
+
+people
+--AaB03x
+content-disposition: form-data; name="from"
+
+others
+--AaB03x
+content-disposition: form-data; name="fileupload1"; filename="file1.jpg"
+Content-Type: image/jpeg
+Content-Transfer-Encoding: base64
+
+/9j/4AAQSkZJRgABAQAAAQABAAD//gA+Q1JFQVRPUjogZ2QtanBlZyB2MS4wICh1c2luZyBJSkcg
+--AaB03x
+content-disposition: form-data; name="fileupload2"; filename="file2.jpg"
+Content-Type: image/jpeg
+Content-Transfer-Encoding: base64
+
+/9j/4AAQSkZJRgABAQAAAQABAAD//gA+Q1JFQVRPUjogZ2QtanBlZyB2MS4wICh1c2luZyBJSkcg
+--AaB03x
+content-disposition: form-data; name="fileupload3"; filename="file3.jpg"
+Content-Type: image/jpeg
+Content-Transfer-Encoding: base64
+
+/9j/4AAQSkZJRgABAQAAAQABAAD//gA+Q1JFQVRPUjogZ2QtanBlZyB2MS4wICh1c2luZyBJSkcg
+--AaB03x--
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/test/spec_handler.rb new/test/spec_handler.rb
--- old/test/spec_handler.rb 2015-05-06 20:37:07.000000000 +0200
+++ new/test/spec_handler.rb 2015-06-18 23:51:22.000000000 +0200
@@ -23,6 +23,10 @@ lambda { Rack::Handler.get('boom') }.should.raise(LoadError)
+
+ lambda {
+ Rack::Handler.get('Object')
+ }.should.raise(LoadError) end should "get unregistered, but already required, handler by name" do
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/test/spec_methodoverride.rb new/test/spec_methodoverride.rb
--- old/test/spec_methodoverride.rb 2015-05-06 20:37:07.000000000 +0200
+++ new/test/spec_methodoverride.rb 2015-06-18 23:51:22.000000000 +0200
@@ -72,4 +72,11 @@ env["REQUEST_METHOD"].should.equal "POST" end + + should "not modify REQUEST_METHOD for POST requests when the params are unparseable" do + env = Rack::MockRequest.env_for("/", :method => "POST", :input => "(%bad-params%)") + app.call env + + env["REQUEST_METHOD"].should.equal "POST" + end end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/test/spec_multipart.rb new/test/spec_multipart.rb --- old/test/spec_multipart.rb 2015-05-06 20:37:07.000000000 +0200 +++ new/test/spec_multipart.rb 2015-06-18 23:51:22.000000000 +0200 @@ -476,6 +476,33 @@ end end + should "not reach a multi-part limit" do + begin + previous_limit = Rack::Utils.multipart_part_limit + Rack::Utils.multipart_part_limit = 4 + + env = Rack::MockRequest.env_for '/', multipart_fixture(:three_files_three_fields) + params = Rack::Multipart.parse_multipart(env) + params['reply'].should.equal 'yes' + params['to'].should.equal 'people' + params['from'].should.equal 'others' + ensure + Rack::Utils.multipart_part_limit = previous_limit + end + end + + should "reach a multipart limit" do + begin + previous_limit = Rack::Utils.multipart_part_limit + Rack::Utils.multipart_part_limit = 3 + + env = Rack::MockRequest.env_for '/', multipart_fixture(:three_files_three_fields) + lambda { Rack::Multipart.parse_multipart(env) }.should.raise(Rack::Multipart::MultipartPartLimitError) + ensure + Rack::Utils.multipart_part_limit = previous_limit + end + end + should "return nil if no UploadedFiles were used" do data = Rack::Multipart.build_multipart("people" => [{"submit-name" => "Larry", "files" => "contents"}]) data.should.equal nil diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/test/spec_request.rb new/test/spec_request.rb --- old/test/spec_request.rb 2015-05-06 20:37:07.000000000 +0200 +++ new/test/spec_request.rb 2015-06-18 23:51:22.000000000 +0200 
@@ -134,12 +134,23 @@ req.params.should.equal "foo" => "bar", "quux" => "bla" end - should "not truncate query strings containing semi-colons #543" do - req = Rack::Request.new(Rack::MockRequest.env_for("/?foo=bar&quux=b;la")) - req.query_string.should.equal "foo=bar&quux=b;la" - req.GET.should.equal "foo" => "bar", "quux" => "b;la" + should "not truncate query strings containing semi-colons #543 only in POST" do + mr = Rack::MockRequest.env_for("/", + "REQUEST_METHOD" => 'POST', + :input => "foo=bar&quux=b;la") + req = Rack::Request.new mr + req.query_string.should.equal "" + req.GET.should.be.empty + req.POST.should.equal "foo" => "bar", "quux" => "b;la" + req.params.should.equal req.GET.merge(req.POST) + end + + should "use semi-colons as separators for query strings in GET" do + req = Rack::Request.new(Rack::MockRequest.env_for("/?foo=bar&quux=b;la;wun=duh")) + req.query_string.should.equal "foo=bar&quux=b;la;wun=duh" + req.GET.should.equal "foo" => "bar", "quux" => "b", "la" => nil, "wun" => "duh" req.POST.should.be.empty - req.params.should.equal "foo" => "bar", "quux" => "b;la" + req.params.should.equal "foo" => "bar", "quux" => "b", "la" => nil, "wun" => "duh" end should "limit the keys from the GET query string" do diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/test/spec_utils.rb new/test/spec_utils.rb --- old/test/spec_utils.rb 2015-05-06 20:37:07.000000000 +0200 +++ new/test/spec_utils.rb 2015-06-18 23:51:22.000000000 +0200 @@ -134,6 +134,18 @@ }.should.not.raise end + should "raise an exception if the params are too deep" do + len = Rack::Utils.param_depth_limit + + lambda { + Rack::Utils.parse_nested_query("foo#{"[a]" * len}=bar") + }.should.raise(RangeError) + + lambda { + Rack::Utils.parse_nested_query("foo#{"[a]" * (len - 1)}=bar") + }.should.not.raise + end + should "parse nested query strings correctly" do Rack::Utils.parse_nested_query("foo"). should.equal "foo" => nil