Hello community,

here is the log from the commit of package rubygem-rack for openSUSE:Factory 
checked in at 2015-06-23 11:58:03
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-rack (Old)
 and      /work/SRC/openSUSE:Factory/.rubygem-rack.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "rubygem-rack"

Changes:
--------
--- /work/SRC/openSUSE:Factory/rubygem-rack/rubygem-rack.changes        
2015-05-10 10:46:01.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.rubygem-rack.new/rubygem-rack.changes   
2015-06-23 11:58:04.000000000 +0200
@@ -1,0 +2,20 @@
+Fri Jun 19 04:32:19 UTC 2015 - co...@suse.com
+
+- updated to version 1.6.4
+ see installed HISTORY.md
+
+  Fri Jun 19 07:14:50 2015  Matthew Draper <matt...@trebex.net>
+  
+       * Work around a Rails incompatibility in our private API
+
+-------------------------------------------------------------------
+Wed Jun 17 04:37:32 UTC 2015 - co...@suse.com
+
+- updated to version 1.6.2
+ see installed HISTORY.md
+
+  Fri Jun 12 11:37:41 2015  Aaron Patterson <tenderl...@ruby-lang.org>
+  
+       * Prevent extremely deep parameters from being parsed. CVE-2015-3225
+
+-------------------------------------------------------------------

Old:
----
  rack-1.6.1.gem

New:
----
  rack-1.6.4.gem

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ rubygem-rack.spec ++++++
--- /var/tmp/diff_new_pack.toAuqT/_old  2015-06-23 11:58:04.000000000 +0200
+++ /var/tmp/diff_new_pack.toAuqT/_new  2015-06-23 11:58:04.000000000 +0200
@@ -24,7 +24,7 @@
 #
 
 Name:           rubygem-rack
-Version:        1.6.1
+Version:        1.6.4
 Release:        0
 %define mod_name rack
 %define mod_full_name %{mod_name}-%{version}

++++++ rack-1.6.1.gem -> rack-1.6.4.gem ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/HISTORY.md new/HISTORY.md
--- old/HISTORY.md      2015-05-06 20:37:07.000000000 +0200
+++ new/HISTORY.md      2015-06-18 23:51:22.000000000 +0200
@@ -1,5 +1,12 @@
+Fri Jun 19 07:14:50 2015  Matthew Draper <matt...@trebex.net>
+
+       * Work around a Rails incompatibility in our private API
+
+Fri Jun 12 11:37:41 2015  Aaron Patterson <tenderl...@ruby-lang.org>
+
+       * Prevent extremely deep parameters from being parsed. CVE-2015-3225
+
 ### December 18th, Thirty sixth public release 1.6.0
-  - TODO
 
 ### February 7th, Thirty fifth public release 1.5.2
   - Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
Files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/rack/handler/webrick.rb 
new/lib/rack/handler/webrick.rb
--- old/lib/rack/handler/webrick.rb     2015-05-06 20:37:07.000000000 +0200
+++ new/lib/rack/handler/webrick.rb     2015-06-18 23:51:22.000000000 +0200
@@ -28,7 +28,6 @@
 
         options[:BindAddress] = options.delete(:Host) || default_host
         options[:Port] ||= 8080
-        options[:OutputBufferSize] = 5
         @server = ::WEBrick::HTTPServer.new(options)
         @server.mount "/", Rack::Handler::WEBrick, app
         yield @server  if block_given?
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/rack/handler.rb new/lib/rack/handler.rb
--- old/lib/rack/handler.rb     2015-05-06 20:37:07.000000000 +0200
+++ new/lib/rack/handler.rb     2015-06-18 23:51:22.000000000 +0200
@@ -19,7 +19,7 @@
       if klass = @handlers[server]
         klass.split("::").inject(Object) { |o, x| o.const_get(x) }
       else
-        const_get(server)
+        const_get(server, false)
       end
 
     rescue NameError => name_error
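Review bot: The purpose of the new second argument in `const_get(server, false)` is not stated anywhere in the hunk, and it is the whole fix. With `inherit = false` the lookup is confined to constants defined directly on the receiver, which is what stops a handler name such as `'Object'` from resolving to `::Object` through the ancestor chain (the new spec in test/spec_handler.rb pins this). Suggest `# inherit = false: only constants defined on this module, so 'Object' cannot resolve via the ancestors` above the call. The enclosing method begins and ends outside the hunk; the `rescue NameError` on the last context line is presumably where the miss becomes the `LoadError` the spec expects, but that is inferred from context rather than visible here.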
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/rack/methodoverride.rb 
new/lib/rack/methodoverride.rb
--- old/lib/rack/methodoverride.rb      2015-05-06 20:37:07.000000000 +0200
+++ new/lib/rack/methodoverride.rb      2015-06-18 23:51:22.000000000 +0200
@@ -37,6 +37,7 @@
 
     def method_override_param(req)
       req.POST[METHOD_OVERRIDE_PARAM_KEY]
+    rescue Utils::InvalidParameterError, Utils::ParameterTypeError
     end
   end
 end
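Review bot: The new `rescue Utils::InvalidParameterError, Utils::ParameterTypeError` on `method_override_param` has an empty body, so the method returns nil and the override is silently skipped; a comment stating that this is deliberate would stop a later reader from "fixing" it into a re-raise, e.g. `# an unparseable body carries no override; leave the real method in place`. Note that the `RangeError` this same update introduces in lib/rack/utils.rb for over-deep parameters is not in the list, so a POST body that is nested too deeply still propagates out of the middleware instead of being treated as "no override" — worth confirming that is intended. The new spec only exercises the malformed percent-encoding case.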
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/rack/mime.rb new/lib/rack/mime.rb
--- old/lib/rack/mime.rb        2015-05-06 20:37:07.000000000 +0200
+++ new/lib/rack/mime.rb        2015-06-18 23:51:22.000000000 +0200
@@ -614,6 +614,7 @@
       ".wmx"       => "video/x-ms-wmx",
       ".wmz"       => "application/x-ms-wmz",
       ".woff"      => "application/font-woff",
+      ".woff2"     => "application/font-woff2",
       ".wpd"       => "application/vnd.wordperfect",
       ".wpl"       => "application/vnd.ms-wpl",
       ".wps"       => "application/vnd.ms-works",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/rack/multipart/parser.rb 
new/lib/rack/multipart/parser.rb
--- old/lib/rack/multipart/parser.rb    2015-05-06 20:37:07.000000000 +0200
+++ new/lib/rack/multipart/parser.rb    2015-06-18 23:51:22.000000000 +0200
@@ -54,14 +54,15 @@
 
         opened_files = 0
         loop do
-          if Utils.multipart_part_limit > 0
-            raise MultipartPartLimitError, 'Maximum file multiparts in content 
reached' if opened_files >= Utils.multipart_part_limit
-            opened_files += 1
-          end
 
           head, filename, content_type, name, body =
             get_current_head_and_filename_and_content_type_and_name_and_body
 
+          if Utils.multipart_part_limit > 0
+            opened_files += 1 if filename
+            raise MultipartPartLimitError, 'Maximum file multiparts in content 
reached' if opened_files >= Utils.multipart_part_limit
+          end
+
           # Save the rest.
           if i = @buf.index(rx)
             body << @buf.slice!(0, i)
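Review bot: With the counter now incremented before the comparison, `raise MultipartPartLimitError, ... if opened_files >= Utils.multipart_part_limit` fires on the N-th file part when the limit is N, so a limit of 3 admits only two file uploads; the new specs in test/spec_multipart.rb (limit 3 raises on three files, limit 4 passes) pin exactly that, while the doc comment on `multipart_part_limit` in lib/rack/utils.rb still says "the maximum number of parts a request can contain". Either the comparison should become `>` or the comment should say the limit is exclusive — pick one so the spec and the documentation agree. The check also now runs after `get_current_head_and_filename_and_content_type_and_name_and_body` has been called for the offending part, so whatever that call allocates for a file part exists before the raise; a one-line comment noting the ordering is intentional (the count needs `filename`) would help. Parts without a filename are no longer counted at all, which is the point of the change, but it means plain form fields are bounded only by whatever other limits apply, none of which are visible in this hunk. The enclosing loop and method continue outside the hunk.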
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/rack/request.rb new/lib/rack/request.rb
--- old/lib/rack/request.rb     2015-05-06 20:37:07.000000000 +0200
+++ new/lib/rack/request.rb     2015-06-18 23:51:22.000000000 +0200
@@ -188,7 +188,7 @@
       if @env["rack.request.query_string"] == query_string
         @env["rack.request.query_hash"]
       else
-        p = parse_query(query_string)
+        p = parse_query({ :query => query_string, :separator => '&;' })
         @env["rack.request.query_string"] = query_string
         @env["rack.request.query_hash"]   = p
       end
@@ -212,7 +212,7 @@
           form_vars.slice!(-1) if form_vars[-1] == ?\0
 
           @env["rack.request.form_vars"] = form_vars
-          @env["rack.request.form_hash"] = parse_query(form_vars)
+          @env["rack.request.form_hash"] = parse_query({ :query => form_vars, 
:separator => '&' })
 
           @env["rack.input"].rewind
         end
@@ -366,7 +366,9 @@
       end
 
       def parse_query(qs)
-        Utils.parse_nested_query(qs, '&')
+        d = '&'
+        qs, d = qs[:query], qs[:separator] if Hash === qs
+        Utils.parse_nested_query(qs, d)
       end
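Review bot: The `d = '&'` default on the first new line is dead for the Hash form: the multiple assignment `qs, d = qs[:query], qs[:separator]` overwrites `d` with nil whenever the Hash has no `:separator` key, so `Utils.parse_nested_query` would receive a nil separator. Keeping the default requires `qs, d = qs[:query], qs.fetch(:separator, d) if qs.is_a?(Hash)` (and `is_a?` reads better than a bare `Hash === qs`). Both callers in this diff do pass `:separator`, so nothing breaks today, but `parse_query` now accepts either a String or a Hash and that dual contract — HISTORY.md calls it a work-around for a Rails incompatibility in a private API — deserves a comment on the method saying which form is the compatibility shim. The `'&;'` separator passed for GET in the first hunk changes how `;` in a query string is split, which test/spec_request.rb documents.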
 
       def parse_multipart(env)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/rack/static.rb new/lib/rack/static.rb
--- old/lib/rack/static.rb      2015-05-06 20:37:07.000000000 +0200
+++ new/lib/rack/static.rb      2015-06-18 23:51:22.000000000 +0200
@@ -53,8 +53,8 @@
   #  4) Regular Expressions / Regexp
   #     Provide a regular expression
   #     %r{\.(?:css|js)\z} => Matches files ending in .css or .js
-  #     /\.(?:eot|ttf|otf|woff|svg)\z/ => Matches files ending in
-  #       the most common web font formats (.eot, .ttf, .otf, .woff, .svg)
+  #     /\.(?:eot|ttf|otf|woff2|woff|svg)\z/ => Matches files ending in
+  #       the most common web font formats (.eot, .ttf, .otf, .woff2, .woff, 
.svg)
   #       Note: This Regexp is available as a shortcut, using the :fonts rule
   #
   #  5) Font Shortcut
@@ -132,7 +132,7 @@
         when :all
           true
         when :fonts
-          path =~ /\.(?:ttf|otf|eot|woff|svg)\z/
+          path =~ /\.(?:ttf|otf|eot|woff2|woff|svg)\z/
         when String
           path = ::Rack::Utils.unescape(path)
           path.start_with?(rule) || path.start_with?('/' + rule)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/rack/utils.rb new/lib/rack/utils.rb
--- old/lib/rack/utils.rb       2015-05-06 20:37:07.000000000 +0200
+++ new/lib/rack/utils.rb       2015-06-18 23:51:22.000000000 +0200
@@ -61,6 +61,7 @@
 
     class << self
       attr_accessor :key_space_limit
+      attr_accessor :param_depth_limit
       attr_accessor :multipart_part_limit
     end
 
@@ -68,6 +69,10 @@
     # This helps prevent a rogue client from flooding a Request.
     self.key_space_limit = 65536
 
+    # Default depth at which the parameter parser will raise an exception for
+    # being too deep.  This helps prevent SystemStackErrors
+    self.param_depth_limit = 100
+
     # The maximum number of parts a request can contain. Accepting too many 
part
     # can lead to the server running out of file handles.
     # Set to `0` for no limit.
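Review bot: The new comment on `param_depth_limit` says the parser "will raise an exception" without naming it; the following hunk raises `RangeError`, so say so: `# being too deep (a RangeError).  This helps prevent SystemStackErrors`. A word on what the number counts would also help: from test/spec_utils.rb, a key with `param_depth_limit` bracket groups raises and one fewer does not, so the default of 100 admits up to 99 nested `[...]` levels.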
@@ -126,7 +131,9 @@
     # normalize_params recursively expands parameters into structural types. If
     # the structural types represented by two different parameter names are in
     # conflict, a ParameterTypeError is raised.
-    def normalize_params(params, name, v = nil)
+    def normalize_params(params, name, v = nil, depth = 
Utils.param_depth_limit)
+      raise RangeError if depth <= 0
+
       name =~ %r(\A[\[\]]*([^\[\]]+)\]*)
       k = $1 || ''
       after = $' || ''
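Review bot: `raise RangeError if depth <= 0` raises a core Ruby exception with no message, so a caller that rescues it cannot tell a depth overrun from any other `RangeError`, and a log line will show only the class name; at minimum give it a message, `raise RangeError, "parameter depth limit exceeded" if depth <= 0`, and consider a Rack-specific subclass in a later release since the method-override middleware in this same update rescues only `InvalidParameterError`/`ParameterTypeError`. The header comment on `normalize_params` should also mention the new argument, e.g. `# depth: nesting levels still allowed; raises RangeError once it reaches 0 (defaults to Utils.param_depth_limit)`. The next hunk passes `depth - 1` on all three recursive calls consistently. The method continues past the end of the hunk.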
@@ -146,14 +153,14 @@
         params[k] ||= []
         raise ParameterTypeError, "expected Array (got 
#{params[k].class.name}) for param `#{k}'" unless params[k].is_a?(Array)
         if params_hash_type?(params[k].last) && !params[k].last.key?(child_key)
-          normalize_params(params[k].last, child_key, v)
+          normalize_params(params[k].last, child_key, v, depth - 1)
         else
-          params[k] << normalize_params(params.class.new, child_key, v)
+          params[k] << normalize_params(params.class.new, child_key, v, depth 
- 1)
         end
       else
         params[k] ||= params.class.new
         raise ParameterTypeError, "expected Hash (got #{params[k].class.name}) 
for param `#{k}'" unless params_hash_type?(params[k])
-        params[k] = normalize_params(params[k], after, v)
+        params[k] = normalize_params(params[k], after, v, depth - 1)
       end
 
       return params
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/rack.rb new/lib/rack.rb
--- old/lib/rack.rb     2015-05-06 20:37:07.000000000 +0200
+++ new/lib/rack.rb     2015-06-18 23:51:22.000000000 +0200
@@ -20,7 +20,7 @@
 
   # Return the Rack release as a dotted string.
   def self.release
-    "1.6.1"
+    "1.6.4"
   end
   PATH_INFO      = 'PATH_INFO'.freeze
   REQUEST_METHOD = 'REQUEST_METHOD'.freeze
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/metadata new/metadata
--- old/metadata        2015-05-06 20:37:07.000000000 +0200
+++ new/metadata        2015-06-18 23:51:22.000000000 +0200
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-  version: 1.6.1
+  version: 1.6.4
 platform: ruby
 authors:
 - Christian Neukirchen
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-05-06 00:00:00.000000000 Z
+date: 2015-06-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bacon
@@ -148,6 +148,7 @@
 - test/cgi/assets/javascripts/app.js
 - test/cgi/assets/stylesheets/app.css
 - test/cgi/lighttpd.conf
+- test/cgi/lighttpd.errors
 - test/cgi/rackup_stub.rb
 - test/cgi/sample_rackup.ru
 - test/cgi/test
@@ -177,6 +178,7 @@
 - test/multipart/none
 - test/multipart/semicolon
 - test/multipart/text
+- test/multipart/three_files_three_fields
 - test/multipart/webkit
 - test/rackup/config.ru
 - test/registering_handler/rack/handler/registering_myself.rb
@@ -254,7 +256,7 @@
       version: '0'
 requirements: []
 rubyforge_project: rack
-rubygems_version: 2.4.6
+rubygems_version: 2.4.5
 signing_key: 
 specification_version: 4
 summary: a modular Ruby webserver interface
@@ -308,4 +310,3 @@
 - test/spec_utils.rb
 - test/spec_version.rb
 - test/spec_webrick.rb
-has_rdoc: 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/rack.gemspec new/rack.gemspec
--- old/rack.gemspec    2015-05-06 20:37:07.000000000 +0200
+++ new/rack.gemspec    2015-06-18 23:51:22.000000000 +0200
@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name            = "rack"
-  s.version         = "1.6.1"
+  s.version         = "1.6.4"
   s.platform        = Gem::Platform::RUBY
   s.summary         = "a modular Ruby webserver interface"
   s.license         = "MIT"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/test/cgi/lighttpd.errors new/test/cgi/lighttpd.errors
--- old/test/cgi/lighttpd.errors        1970-01-01 01:00:00.000000000 +0100
+++ new/test/cgi/lighttpd.errors        2015-06-18 23:51:22.000000000 +0200
@@ -0,0 +1 @@
+2015-06-16 14:11:43: (log.c.164) server started 
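Review bot: test/cgi/lighttpd.errors is a one-line lighttpd server log, which looks like a test-run artifact that was committed and then listed in the gem's file manifest (the metadata hunk adds it) rather than a fixture anyone reads. If nothing in the test suite depends on it, it should be dropped from the gem and ignored; if it is a deliberate fixture, a note in the file list explaining why would avoid the question on the next update.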
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/test/multipart/three_files_three_fields 
new/test/multipart/three_files_three_fields
--- old/test/multipart/three_files_three_fields 1970-01-01 01:00:00.000000000 
+0100
+++ new/test/multipart/three_files_three_fields 2015-06-18 23:51:22.000000000 
+0200
@@ -0,0 +1,31 @@
+--AaB03x
+content-disposition: form-data; name="reply"
+
+yes
+--AaB03x
+content-disposition: form-data; name="to"
+
+people
+--AaB03x
+content-disposition: form-data; name="from"
+
+others
+--AaB03x
+content-disposition: form-data; name="fileupload1"; filename="file1.jpg"
+Content-Type: image/jpeg
+Content-Transfer-Encoding: base64
+
+/9j/4AAQSkZJRgABAQAAAQABAAD//gA+Q1JFQVRPUjogZ2QtanBlZyB2MS4wICh1c2luZyBJSkcg
+--AaB03x
+content-disposition: form-data; name="fileupload2"; filename="file2.jpg"
+Content-Type: image/jpeg
+Content-Transfer-Encoding: base64
+
+/9j/4AAQSkZJRgABAQAAAQABAAD//gA+Q1JFQVRPUjogZ2QtanBlZyB2MS4wICh1c2luZyBJSkcg
+--AaB03x
+content-disposition: form-data; name="fileupload3"; filename="file3.jpg"
+Content-Type: image/jpeg
+Content-Transfer-Encoding: base64
+
+/9j/4AAQSkZJRgABAQAAAQABAAD//gA+Q1JFQVRPUjogZ2QtanBlZyB2MS4wICh1c2luZyBJSkcg
+--AaB03x--
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/test/spec_handler.rb new/test/spec_handler.rb
--- old/test/spec_handler.rb    2015-05-06 20:37:07.000000000 +0200
+++ new/test/spec_handler.rb    2015-06-18 23:51:22.000000000 +0200
@@ -23,6 +23,10 @@
     lambda {
       Rack::Handler.get('boom')
     }.should.raise(LoadError)
+
+    lambda {
+      Rack::Handler.get('Object')
+    }.should.raise(LoadError)
   end
 
   should "get unregistered, but already required, handler by name" do
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/test/spec_methodoverride.rb 
new/test/spec_methodoverride.rb
--- old/test/spec_methodoverride.rb     2015-05-06 20:37:07.000000000 +0200
+++ new/test/spec_methodoverride.rb     2015-06-18 23:51:22.000000000 +0200
@@ -72,4 +72,11 @@
 
     env["REQUEST_METHOD"].should.equal "POST"
   end
+
+  should "not modify REQUEST_METHOD for POST requests when the params are 
unparseable" do
+    env = Rack::MockRequest.env_for("/", :method => "POST", :input => 
"(%bad-params%)")
+    app.call env
+
+    env["REQUEST_METHOD"].should.equal "POST"
+  end
 end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/test/spec_multipart.rb new/test/spec_multipart.rb
--- old/test/spec_multipart.rb  2015-05-06 20:37:07.000000000 +0200
+++ new/test/spec_multipart.rb  2015-06-18 23:51:22.000000000 +0200
@@ -476,6 +476,33 @@
     end
   end
 
+ should "not reach a multi-part limit" do
+    begin
+      previous_limit = Rack::Utils.multipart_part_limit
+      Rack::Utils.multipart_part_limit = 4
+
+      env = Rack::MockRequest.env_for '/', 
multipart_fixture(:three_files_three_fields)
+      params = Rack::Multipart.parse_multipart(env)
+      params['reply'].should.equal 'yes'
+      params['to'].should.equal 'people'
+      params['from'].should.equal 'others'
+    ensure
+      Rack::Utils.multipart_part_limit = previous_limit
+    end
+  end
+
+  should "reach a multipart limit" do
+    begin
+      previous_limit = Rack::Utils.multipart_part_limit
+      Rack::Utils.multipart_part_limit = 3
+
+      env = Rack::MockRequest.env_for '/', 
multipart_fixture(:three_files_three_fields)
+      lambda { Rack::Multipart.parse_multipart(env) 
}.should.raise(Rack::Multipart::MultipartPartLimitError)
+    ensure
+      Rack::Utils.multipart_part_limit = previous_limit
+    end
+  end
+
   should "return nil if no UploadedFiles were used" do
     data = Rack::Multipart.build_multipart("people" => [{"submit-name" => 
"Larry", "files" => "contents"}])
     data.should.equal nil
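Review bot: ` should "not reach a multi-part limit" do` is indented one space while its sibling `should` blocks use two; align it. The two new specs also pin that `multipart_part_limit = 3` raises on three file parts, i.e. the limit is exclusive; if that is the intended contract the doc comment on the setting in lib/rack/utils.rb ("the maximum number of parts a request can contain") should say so, otherwise the comparison in lib/rack/multipart/parser.rb is off by one.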
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/test/spec_request.rb new/test/spec_request.rb
--- old/test/spec_request.rb    2015-05-06 20:37:07.000000000 +0200
+++ new/test/spec_request.rb    2015-06-18 23:51:22.000000000 +0200
@@ -134,12 +134,23 @@
     req.params.should.equal "foo" => "bar", "quux" => "bla"
   end
 
-  should "not truncate query strings containing semi-colons #543" do
-    req = Rack::Request.new(Rack::MockRequest.env_for("/?foo=bar&quux=b;la"))
-    req.query_string.should.equal "foo=bar&quux=b;la"
-    req.GET.should.equal "foo" => "bar", "quux" => "b;la"
+  should "not truncate query strings containing semi-colons #543 only in POST" 
do
+    mr = Rack::MockRequest.env_for("/",
+      "REQUEST_METHOD" => 'POST',
+      :input => "foo=bar&quux=b;la")
+    req = Rack::Request.new mr
+    req.query_string.should.equal ""
+    req.GET.should.be.empty
+    req.POST.should.equal "foo" => "bar", "quux" => "b;la"
+    req.params.should.equal req.GET.merge(req.POST)
+  end
+
+  should "use semi-colons as separators for query strings in GET" do
+    req = 
Rack::Request.new(Rack::MockRequest.env_for("/?foo=bar&quux=b;la;wun=duh"))
+    req.query_string.should.equal "foo=bar&quux=b;la;wun=duh"
+    req.GET.should.equal "foo" => "bar", "quux" => "b", "la" => nil, "wun" => 
"duh"
     req.POST.should.be.empty
-    req.params.should.equal "foo" => "bar", "quux" => "b;la"
+    req.params.should.equal "foo" => "bar", "quux" => "b", "la" => nil, "wun" 
=> "duh"
   end
 
   should "limit the keys from the GET query string" do
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/test/spec_utils.rb new/test/spec_utils.rb
--- old/test/spec_utils.rb      2015-05-06 20:37:07.000000000 +0200
+++ new/test/spec_utils.rb      2015-06-18 23:51:22.000000000 +0200
@@ -134,6 +134,18 @@
     }.should.not.raise
   end
 
+  should "raise an exception if the params are too deep" do
+    len = Rack::Utils.param_depth_limit
+
+    lambda {
+      Rack::Utils.parse_nested_query("foo#{"[a]" * len}=bar")
+    }.should.raise(RangeError)
+
+    lambda {
+      Rack::Utils.parse_nested_query("foo#{"[a]" * (len - 1)}=bar")
+    }.should.not.raise
+  end
+
   should "parse nested query strings correctly" do
     Rack::Utils.parse_nested_query("foo").
       should.equal "foo" => nil

