[DRE-commits] [ruby-rack] 07/10: all patches already applied upstream
Antonio Terceiro
terceiro at alioth.debian.org
Sun Oct 20 19:14:59 UTC 2013
This is an automated email from the git hooks/post-receive script.
terceiro pushed a commit to branch master-1.4
in repository ruby-rack.
commit 8d42b5fe095f90373e5a0da17bc9e8a178d6baf2
Author: Antonio Terceiro <terceiro at debian.org>
Date: Sun Oct 20 13:02:37 2013 -0300
all patches already applied upstream
---
debian/changelog | 1 +
...arsing-performance-for-unquoted-filenames.patch | 67 ----------
...tipart-parser-avoid-unbounded-gets-method.patch | 104 ----------------
.../patches/0003-Reimplement-auth-scheme-fix.patch | 131 --------------------
.../0004-Prevent-symlink-path-traversals.patch | 40 ------
...05-Use-secure_compare-for-hmac-comparison.patch | 65 ----------
debian/patches/series | 5 -
7 files changed, 1 insertion(+), 412 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index d3e7d43..2c8d059 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,7 @@ ruby-rack (1:1.4.5-1) UNRELEASED; urgency=low
+ Fixes session management breakage that affects rails3 and redmine.
Closes: #711236
* New upstream release in the 1.4.x series.
+ + debian/patches: all already applied upstream and removed
-- Antonio Terceiro <terceiro at debian.org> Sun, 20 Oct 2013 12:52:06 -0300
diff --git a/debian/patches/0001-Fix-parsing-performance-for-unquoted-filenames.patch b/debian/patches/0001-Fix-parsing-performance-for-unquoted-filenames.patch
deleted file mode 100644
index 3bebe87..0000000
--- a/debian/patches/0001-Fix-parsing-performance-for-unquoted-filenames.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From: James Tucker <jftucker at gmail.com>
-Date: Sun, 13 May 2012 15:02:17 -0700
-Subject: Fix parsing performance for unquoted filenames
-
-Special thanks to Paul Rogers & Eric Wong
-
-Origin: upstream, https://github.com/rack/rack/commit/4fc44671b3cad569421f4f8b775c0590b86f575e
-Bug: https://security-tracker.debian.org/tracker/CVE-2012-6109
-Bug-Debian: http://bugs.debian.org/698440
-
----
- lib/rack/multipart.rb | 4 ++--
- test/spec_multipart.rb | 21 +++++++++++++++++++++
- 2 files changed, 23 insertions(+), 2 deletions(-)
-
-diff --git a/lib/rack/multipart.rb b/lib/rack/multipart.rb
-index 3777106..6849248 100644
---- a/lib/rack/multipart.rb
-+++ b/lib/rack/multipart.rb
-@@ -12,7 +12,7 @@ module Rack
- MULTIPART = %r|\Amultipart/.*boundary=\"?([^\";,]+)\"?|n
- TOKEN = /[^\s()<>,;:\\"\/\[\]?=]+/
- CONDISP = /Content-Disposition:\s*#{TOKEN}\s*/i
-- DISPPARM = /;\s*(#{TOKEN})=("(?:\\"|[^"])*"|#{TOKEN})*/
-+ DISPPARM = /;\s*(#{TOKEN})=("(?:\\"|[^"])*"|#{TOKEN})/
- RFC2183 = /^#{CONDISP}(#{DISPPARM})+$/i
- BROKEN_QUOTED = /^#{CONDISP}.*;\sfilename="(.*?)"(?:\s*$|\s*;\s*#{TOKEN}=)/i
- BROKEN_UNQUOTED = /^#{CONDISP}.*;\sfilename=(#{TOKEN})/i
-@@ -31,4 +31,4 @@ module Rack
- end
-
- end
--end
-\ No newline at end of file
-+end
-diff --git a/test/spec_multipart.rb b/test/spec_multipart.rb
-index b0bf57c..e4e5981 100644
---- a/test/spec_multipart.rb
-+++ b/test/spec_multipart.rb
-@@ -48,6 +48,27 @@ describe Rack::Multipart do
- params['profile']['bio'].should.include 'hello'
- end
-
-+ should "parse very long unquoted multipart file names" do
-+ data = <<-EOF
-+--AaB03x\r
-+Content-Type: text/plain\r
-+Content-Disposition: attachment; name=file; filename=#{'long' * 100}\r
-+\r
-+contents\r
-+--AaB03x--\r
-+ EOF
-+
-+ options = {
-+ "CONTENT_TYPE" => "multipart/form-data; boundary=AaB03x",
-+ "CONTENT_LENGTH" => data.length.to_s,
-+ :input => StringIO.new(data)
-+ }
-+ env = Rack::MockRequest.env_for("/", options)
-+ params = Rack::Utils::Multipart.parse_multipart(env)
-+
-+ params["file"][:filename].should.equal('long' * 100)
-+ end
-+
- should "parse multipart upload with text file" do
- env = Rack::MockRequest.env_for("/", multipart_fixture(:text))
- params = Rack::Multipart.parse_multipart(env)
diff --git a/debian/patches/0002-multipart-parser-avoid-unbounded-gets-method.patch b/debian/patches/0002-multipart-parser-avoid-unbounded-gets-method.patch
deleted file mode 100644
index 324d342..0000000
--- a/debian/patches/0002-multipart-parser-avoid-unbounded-gets-method.patch
+++ /dev/null
@@ -1,104 +0,0 @@
-From: Eric Wong <normalperson at yhbt.net>
-Date: Wed, 22 Aug 2012 22:48:23 +0000
-Subject: multipart/parser: avoid unbounded #gets method
-
-Malicious clients may send excessively long lines
-to trigger out-of-memory errors in a Rack web server.
-
-Origin: upstream, https://github.com/rack/rack/commit/f95113402b7239f225282806673e1b6424522b18
-Bug: https://security-tracker.debian.org/tracker/CVE-2013-0183
-Bug-Debian: http://bugs.debian.org/698440
-
----
- lib/rack/multipart/parser.rb | 13 ++++++++---
- test/spec_multipart.rb | 53 ++++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 63 insertions(+), 3 deletions(-)
-
-diff --git a/lib/rack/multipart/parser.rb b/lib/rack/multipart/parser.rb
-index 98eceaa..3773de7 100644
---- a/lib/rack/multipart/parser.rb
-+++ b/lib/rack/multipart/parser.rb
-@@ -68,9 +68,16 @@ module Rack
-
- def fast_forward_to_first_boundary
- loop do
-- read_buffer = @io.gets
-- break if read_buffer == full_boundary
-- raise EOFError, "bad content body" if read_buffer.nil?
-+ content = @io.read(BUFSIZE)
-+ raise EOFError, "bad content body" unless content
-+ @buf << content
-+
-+ while @buf.gsub!(/\A([^\n]*\n)/, '')
-+ read_buffer = $1
-+ return if read_buffer == full_boundary
-+ end
-+
-+ raise EOFError, "bad content body" if Utils.bytesize(@buf) >= BUFSIZE
- end
- end
-
-diff --git a/test/spec_multipart.rb b/test/spec_multipart.rb
-index e4e5981..1c50d9a 100644
---- a/test/spec_multipart.rb
-+++ b/test/spec_multipart.rb
-@@ -69,6 +69,59 @@ contents\r
- params["file"][:filename].should.equal('long' * 100)
- end
-
-+ should "reject insanely long boundaries" do
-+ # using a pipe since a tempfile can use up too much space
-+ rd, wr = IO.pipe
-+
-+ # we only call rewind once at start, so make sure it succeeds
-+ # and doesn't hit ESPIPE
-+ def rd.rewind; end
-+ wr.sync = true
-+
-+ # mock out length to make this pipe look like a Tempfile
-+ def rd.length
-+ 1024 * 1024 * 8
-+ end
-+
-+ # write to a pipe in a background thread, this will write a lot
-+ # unless Rack (properly) shuts down the read end
-+ thr = Thread.new do
-+ begin
-+ wr.write("--AaB03x")
-+
-+ # make the initial boundary a few gigs long
-+ longer = "0123456789" * 1024 * 1024
-+ (1024 * 1024).times { wr.write(longer) }
-+
-+ wr.write("\r\n")
-+ wr.write('Content-Disposition: form-data; name="a"; filename="a.txt"')
-+ wr.write("\r\n")
-+ wr.write("Content-Type: text/plain\r\n")
-+ wr.write("\r\na")
-+ wr.write("--AaB03x--\r\n")
-+ wr.close
-+ rescue => err # this is EPIPE if Rack shuts us down
-+ err
-+ end
-+ end
-+
-+ fixture = {
-+ "CONTENT_TYPE" => "multipart/form-data; boundary=AaB03x",
-+ "CONTENT_LENGTH" => rd.length.to_s,
-+ :input => rd,
-+ }
-+
-+ env = Rack::MockRequest.env_for '/', fixture
-+ lambda {
-+ Rack::Multipart.parse_multipart(env)
-+ }.should.raise(EOFError)
-+ rd.close
-+
-+ err = thr.value
-+ err.should.be.instance_of Errno::EPIPE
-+ wr.close
-+ end
-+
- should "parse multipart upload with text file" do
- env = Rack::MockRequest.env_for("/", multipart_fixture(:text))
- params = Rack::Multipart.parse_multipart(env)
diff --git a/debian/patches/0003-Reimplement-auth-scheme-fix.patch b/debian/patches/0003-Reimplement-auth-scheme-fix.patch
deleted file mode 100644
index 472cbf5..0000000
--- a/debian/patches/0003-Reimplement-auth-scheme-fix.patch
+++ /dev/null
@@ -1,131 +0,0 @@
-From: James Tucker <jftucker at gmail.com>
-Date: Sun, 13 Jan 2013 13:10:20 -0800
-Subject: Reimplement auth scheme fix
-
- * Add Rack::Auth.add_scheme to enable folks to fix anything that breaks
- * Add common auth schemes, MS ones, AWS ones, etc are missing, as unlikely
- * Checked Rails - they don't use our authorization code
- * Checked Warden - uses rails
- * Checked Omniauth - uses rails
- * Checked doorkeeper - users rails
- * Checked rack-authentication - does it's own thing
- * Checked warden-oauth - doesn't do headers
- * Checked devise - uses rails
- * Checked oauth2-rack - header creation only
- * Checked rack-oauth2-server - does it's own thing
- * Probably missed a bunch, but that'll have to do
-
-Origin: upstream, https://github.com/rack/rack/commit/87df8796a6e4555ec8fd3817c419c6b44b7ca459
-Bug: https://security-tracker.debian.org/tracker/CVE-2013-0184
-Bug-Debian: http://bugs.debian.org/698440
-
----
- lib/rack.rb | 12 ++++++++
- lib/rack/auth/abstract/request.rb | 6 +++-
- test/spec_auth.rb | 57 +++++++++++++++++++++++++++++++++++++
- 3 files changed, 74 insertions(+), 1 deletion(-)
- create mode 100644 test/spec_auth.rb
-
-diff --git a/lib/rack.rb b/lib/rack.rb
-index acfcb5a..18d5097 100644
---- a/lib/rack.rb
-+++ b/lib/rack.rb
-@@ -73,6 +73,18 @@ module Rack
- autoload :Params, "rack/auth/digest/params"
- autoload :Request, "rack/auth/digest/request"
- end
-+
-+ # Not all of the following schemes are "standards", but they are used often.
-+ @schemes = %w[basic digest bearer mac token oauth oauth2]
-+
-+ def self.add_scheme scheme
-+ @schemes << scheme
-+ @schemes.uniq!
-+ end
-+
-+ def self.schemes
-+ @schemes.dup
-+ end
- end
-
- module Session
-diff --git a/lib/rack/auth/abstract/request.rb b/lib/rack/auth/abstract/request.rb
-index 9e15c72..c1553bf 100644
---- a/lib/rack/auth/abstract/request.rb
-+++ b/lib/rack/auth/abstract/request.rb
-@@ -21,7 +21,11 @@ module Rack
- end
-
- def scheme
-- @scheme ||= parts.first.downcase.to_sym
-+ @scheme ||=
-+ begin
-+ s = parts.first.downcase
-+ Rack::Auth.schemes.include?(s) ? s.to_sym : s
-+ end
- end
-
- def params
-diff --git a/test/spec_auth.rb b/test/spec_auth.rb
-new file mode 100644
-index 0000000..6588bd1
---- /dev/null
-+++ b/test/spec_auth.rb
-@@ -0,0 +1,57 @@
-+require 'rack'
-+
-+describe Rack::Auth do
-+ it "should have all common authentication schemes" do
-+ Rack::Auth.schemes.should.include? 'basic'
-+ Rack::Auth.schemes.should.include? 'digest'
-+ Rack::Auth.schemes.should.include? 'bearer'
-+ Rack::Auth.schemes.should.include? 'token'
-+ end
-+
-+ it "should allow registration of new auth schemes" do
-+ Rack::Auth.schemes.should.not.include "test"
-+ Rack::Auth.add_scheme "test"
-+ Rack::Auth.schemes.should.include "test"
-+ end
-+end
-+
-+describe Rack::Auth::AbstractRequest do
-+ it "should symbolize known auth schemes" do
-+ env = Rack::MockRequest.env_for('/')
-+ env['HTTP_AUTHORIZATION'] = 'Basic aXJyZXNwb25zaWJsZQ=='
-+ req = Rack::Auth::AbstractRequest.new(env)
-+ req.scheme.should == :basic
-+
-+
-+ env['HTTP_AUTHORIZATION'] = 'Digest aXJyZXNwb25zaWJsZQ=='
-+ req = Rack::Auth::AbstractRequest.new(env)
-+ req.scheme.should == :digest
-+
-+ env['HTTP_AUTHORIZATION'] = 'Bearer aXJyZXNwb25zaWJsZQ=='
-+ req = Rack::Auth::AbstractRequest.new(env)
-+ req.scheme.should == :bearer
-+
-+ env['HTTP_AUTHORIZATION'] = 'MAC aXJyZXNwb25zaWJsZQ=='
-+ req = Rack::Auth::AbstractRequest.new(env)
-+ req.scheme.should == :mac
-+
-+ env['HTTP_AUTHORIZATION'] = 'Token aXJyZXNwb25zaWJsZQ=='
-+ req = Rack::Auth::AbstractRequest.new(env)
-+ req.scheme.should == :token
-+
-+ env['HTTP_AUTHORIZATION'] = 'OAuth aXJyZXNwb25zaWJsZQ=='
-+ req = Rack::Auth::AbstractRequest.new(env)
-+ req.scheme.should == :oauth
-+
-+ env['HTTP_AUTHORIZATION'] = 'OAuth2 aXJyZXNwb25zaWJsZQ=='
-+ req = Rack::Auth::AbstractRequest.new(env)
-+ req.scheme.should == :oauth2
-+ end
-+
-+ it "should not symbolize unknown auth schemes" do
-+ env = Rack::MockRequest.env_for('/')
-+ env['HTTP_AUTHORIZATION'] = 'magic aXJyZXNwb25zaWJsZQ=='
-+ req = Rack::Auth::AbstractRequest.new(env)
-+ req.scheme.should == "magic"
-+ end
-+end
diff --git a/debian/patches/0004-Prevent-symlink-path-traversals.patch b/debian/patches/0004-Prevent-symlink-path-traversals.patch
deleted file mode 100644
index 3708946..0000000
--- a/debian/patches/0004-Prevent-symlink-path-traversals.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-Description: Prevent symlink path traversals
- rack/file.rb (Rack::File) in Rack 1.5.x before 1.5.2 and 1.4.x before 1.4.5
- allows attackers to access arbitrary files outside the intended root
- directory via a crafted PATH_INFO environment variable, probably a directory
- traversal vulnerability that is remotely exploitable, aka "symlink path traversals."
-
-Origin: upstream, https://github.com/rack/rack/commit/6f237e4c9fab649d3750482514f0fde76c56ab30
-Bug: https://security-tracker.debian.org/tracker/CVE-2013-0262
-Bug-Debian: http://bugs.debian.org/700173
-
-Index: ruby-rack/lib/rack/file.rb
-===================================================================
---- ruby-rack.orig/lib/rack/file.rb 2013-02-20 21:36:40.000000000 +0900
-+++ ruby-rack/lib/rack/file.rb 2013-02-20 21:39:58.265999186 +0900
-@@ -40,19 +40,14 @@
- @path_info = Utils.unescape(env["PATH_INFO"])
- parts = @path_info.split SEPS
-
-- parts.inject(0) do |depth, part|
-- case part
-- when '', '.'
-- depth
-- when '..'
-- return fail(404, "Not Found") if depth - 1 < 0
-- depth - 1
-- else
-- depth + 1
-- end
-+ clean = []
-+
-+ parts.each do |part|
-+ next if part.empty? || part == '.'
-+ part == '..' ? clean.pop : clean << part
- end
-
-- @path = F.join(@root, *parts)
-+ @path = F.join(@root, *clean)
-
- available = begin
- F.file?(@path) && F.readable?(@path)
diff --git a/debian/patches/0005-Use-secure_compare-for-hmac-comparison.patch b/debian/patches/0005-Use-secure_compare-for-hmac-comparison.patch
deleted file mode 100644
index 15905b1..0000000
--- a/debian/patches/0005-Use-secure_compare-for-hmac-comparison.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-Description: Use secure compare for hmac comparison
- Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5,
- 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows
- remote attackers to guess the session cookie, gain privileges, and
- execute arbitrary code via a timing attack involving am HMAC
- comparison function that does not run in constant time.
-
-Origin: upstream,
- https://github.com/rack/rack/commit/0cd7e9aa397f8ebb3b8481d67dbac8b4863a7f07,
- https://github.com/rack/rack/commit/9a81b961457805f6d1a5c275d053068440421e11
-Bug: https://security-tracker.debian.org/tracker/CVE-2013-0263
-Bug-Debian: http://bugs.debian.org/700226
-
-Index: ruby-rack/lib/rack/session/cookie.rb
-===================================================================
---- ruby-rack.orig/lib/rack/session/cookie.rb 2013-02-11 15:09:25.000000000 +0900
-+++ ruby-rack/lib/rack/session/cookie.rb 2013-02-20 23:11:19.091085974 +0900
-@@ -108,7 +108,7 @@
-
- if session_data && digest
- ok = @secrets.any? do |secret|
-- secret && digest == generate_hmac(session_data, secret)
-+ secret && Rack::Utils.secure_compare(digest, generate_hmac(session_data, secret))
- end
- end
-
-Index: ruby-rack/lib/rack/utils.rb
-===================================================================
---- ruby-rack.orig/lib/rack/utils.rb 2013-02-11 15:09:25.000000000 +0900
-+++ ruby-rack/lib/rack/utils.rb 2013-02-20 23:12:39.171087876 +0900
-@@ -336,6 +336,18 @@
- end
- module_function :byte_ranges
-
-+ # Constant time string comparison.
-+ def secure_compare(a, b)
-+ return false unless bytesize(a) == bytesize(b)
-+
-+ l = a.unpack("C*")
-+
-+ r, i = 0, -1
-+ b.each_byte { |v| r |= v ^ l[i+=1] }
-+ r == 0
-+ end
-+ module_function :secure_compare
-+
- # Context allows the use of a compatible middleware at different points
- # in a request handling stack. A compatible middleware must define
- # #context which should take the arguments env and app. The first of which
-Index: ruby-rack/test/spec_utils.rb
-===================================================================
---- ruby-rack.orig/test/spec_utils.rb 2013-02-11 15:09:25.000000000 +0900
-+++ ruby-rack/test/spec_utils.rb 2013-02-20 23:13:55.627089693 +0900
-@@ -322,6 +322,11 @@
- Rack::Utils.bytesize("FOO\xE2\x82\xAC").should.equal 6
- end
-
-+ should "should perform constant time string comparison" do
-+ Rack::Utils.secure_compare('a', 'a').should.equal true
-+ Rack::Utils.secure_compare('a', 'b').should.equal false
-+ end
-+
- should "return status code for integer" do
- Rack::Utils.status_code(200).should.equal 200
- end
diff --git a/debian/patches/series b/debian/patches/series
deleted file mode 100644
index 41e134c..0000000
--- a/debian/patches/series
+++ /dev/null
@@ -1,5 +0,0 @@
-0001-Fix-parsing-performance-for-unquoted-filenames.patch
-0002-multipart-parser-avoid-unbounded-gets-method.patch
-0003-Reimplement-auth-scheme-fix.patch
-0004-Prevent-symlink-path-traversals.patch
-0005-Use-secure_compare-for-hmac-comparison.patch
--