[DRE-commits] [ruby-openid] 06/10: Drop 01_remove_rubygems_require.diff (not needed anymore) and 02_fix_CVE-2013-1812.patch (applied upstream)
Cédric Boutillier
boutil at moszumanska.debian.org
Fri Mar 14 15:32:16 UTC 2014
This is an automated email from the git hooks/post-receive script.
boutil pushed a commit to branch master
in repository ruby-openid.
commit d7832474962c0c19c73627051af87ec35a2649bd
Author: Cédric Boutillier <boutil at debian.org>
Date: Fri Mar 14 15:54:54 2014 +0100
Drop 01_remove_rubygems_require.diff (not needed anymore) and 02_fix_CVE-2013-1812.patch (applied upstream)
---
debian/patches/01_remove_rubygems_require.diff | 39 --------
debian/patches/02_fix_CVE-2013-1812.patch | 118 -------------------------
debian/patches/series | 2 -
3 files changed, 159 deletions(-)
diff --git a/debian/patches/01_remove_rubygems_require.diff b/debian/patches/01_remove_rubygems_require.diff
deleted file mode 100644
index 3662b44..0000000
--- a/debian/patches/01_remove_rubygems_require.diff
+++ /dev/null
@@ -1,39 +0,0 @@
-Description: Remove rubygems require statements
-Author: Paul van Tilburg <paulvt at debian.org>
-Origin: vendor
-Forwarded: not-needed
-Last-Updated: 2012-05-19
----
-This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
-
---- a/admin/runtests.rb
-+++ b/admin/runtests.rb
-@@ -8,7 +8,6 @@
- require 'test/unit/ui/console/testrunner'
-
- begin
-- require 'rubygems'
- require 'memcache'
- rescue LoadError
- else
---- a/examples/active_record_openid_store/init.rb
-+++ b/examples/active_record_openid_store/init.rb
-@@ -1,8 +1,2 @@
--# might using the ruby-openid gem
--begin
-- require 'rubygems'
--rescue LoadError
-- nil
--end
- require 'openid'
- require 'openid_ar_store'
---- a/examples/rails_openid/config/boot.rb
-+++ b/examples/rails_openid/config/boot.rb
-@@ -12,7 +12,6 @@
- if File.directory?("#{RAILS_ROOT}/vendor/rails")
- require "#{RAILS_ROOT}/vendor/rails/railties/lib/initializer"
- else
-- require 'rubygems'
- require 'initializer'
- end
-
diff --git a/debian/patches/02_fix_CVE-2013-1812.patch b/debian/patches/02_fix_CVE-2013-1812.patch
deleted file mode 100644
index 0e98f64..0000000
--- a/debian/patches/02_fix_CVE-2013-1812.patch
+++ /dev/null
@@ -1,118 +0,0 @@
-Description: limit fetching file size & disable XML entity expansion
- This prevents possible XML denial of service attacks [CVE-2013-1812]
-Author: nov matake <nov at matake.jp>
-Origin: https://github.com/openid/ruby-openid/commit/a3693cef06049563f5b4e4824f4d3211288508ed
-Bug: https://github.com/openid/ruby-openid/pull/43
-Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702217
-Reviewed-by: Cédric Boutillier <boutil at debian.org>
-Last-Update: 2012-10-23
-
----
- lib/openid/fetchers.rb | 17 ++++++++++++++---
- lib/openid/yadis/xrds.rb | 34 ++++++++++++++++++++++------------
- 2 files changed, 36 insertions(+), 15 deletions(-)
-
---- a/lib/openid/fetchers.rb
-+++ b/lib/openid/fetchers.rb
-@@ -10,7 +10,7 @@
- require 'net/http'
- end
-
--MAX_RESPONSE_KB = 1024
-+MAX_RESPONSE_KB = 10485760 # 10 MB (can be smaller, I guess)
-
- module Net
- class HTTP
-@@ -192,6 +192,16 @@
- conn = make_connection(url)
- response = nil
-
-+ whole_body = ''
-+ body_size_limitter = lambda do |r|
-+ r.read_body do |partial| # read body now
-+ whole_body << partial
-+ if whole_body.length > MAX_RESPONSE_KB
-+ raise FetchingError.new("Response Too Large")
-+ end
-+ end
-+ whole_body
-+ end
- response = conn.start {
- # Check the certificate against the URL's hostname
- if supports_ssl?(conn) and conn.use_ssl?
-@@ -199,13 +209,12 @@
- end
-
- if body.nil?
-- conn.request_get(url.request_uri, headers)
-+ conn.request_get(url.request_uri, headers, &body_size_limitter)
- else
- headers["Content-type"] ||= "application/x-www-form-urlencoded"
-- conn.request_post(url.request_uri, body, headers)
-+ conn.request_post(url.request_uri, body, headers, &body_size_limitter)
- end
- }
-- setup_encoding(response)
- rescue Timeout::Error => why
- raise FetchingError, "Error fetching #{url}: #{why}"
- rescue RuntimeError => why
-@@ -232,7 +241,10 @@
- raise FetchingError, "Error encountered in redirect from #{url}: #{why}"
- end
- else
-- return HTTPResponse._from_net_response(response, unparsed_url)
-+ response = HTTPResponse._from_net_response(response, unparsed_url)
-+ response.body = whole_body
-+ setup_encoding(response)
-+ return response
- end
- end
-
---- a/lib/openid/yadis/xrds.rb
-+++ b/lib/openid/yadis/xrds.rb
-@@ -88,23 +88,33 @@
- end
-
- def Yadis::parseXRDS(text)
-- if text.nil?
-- raise XRDSError.new("Not an XRDS document.")
-- end
-+ disable_entity_expansion do
-+ if text.nil?
-+ raise XRDSError.new("Not an XRDS document.")
-+ end
-
-- begin
-- d = REXML::Document.new(text)
-- rescue RuntimeError => why
-- raise XRDSError.new("Not an XRDS document. Failed to parse XML.")
-- end
-+ begin
-+ d = REXML::Document.new(text)
-+ rescue RuntimeError => why
-+ raise XRDSError.new("Not an XRDS document. Failed to parse XML.")
-+ end
-
-- if is_xrds?(d)
-- return d
-- else
-- raise XRDSError.new("Not an XRDS document.")
-+ if is_xrds?(d)
-+ return d
-+ else
-+ raise XRDSError.new("Not an XRDS document.")
-+ end
- end
- end
-
-+ def Yadis::disable_entity_expansion
-+ _previous_ = REXML::Document::entity_expansion_limit
-+ REXML::Document::entity_expansion_limit = 0
-+ yield
-+ ensure
-+ REXML::Document::entity_expansion_limit = _previous_
-+ end
-+
- def Yadis::is_xrds?(xrds_tree)
- xrds_root = xrds_tree.root
- return (!xrds_root.nil? and
diff --git a/debian/patches/series b/debian/patches/series
deleted file mode 100644
index 637c828..0000000
--- a/debian/patches/series
+++ /dev/null
@@ -1,2 +0,0 @@
-01_remove_rubygems_require.diff
-02_fix_CVE-2013-1812.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ruby-extras/ruby-openid.git
More information about the Pkg-ruby-extras-commits
mailing list