Hello community,

here is the log from the commit of package rubygem-rack for openSUSE:Factory 
checked in at 2018-11-10 16:59:57
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-rack (Old)
 and      /work/SRC/openSUSE:Factory/.rubygem-rack.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "rubygem-rack"

Sat Nov 10 16:59:57 2018 rev:13 rq:646829 version:2.0.6

Changes:
--------
--- /work/SRC/openSUSE:Factory/rubygem-rack/rubygem-rack.changes        
2018-07-18 22:52:04.367332387 +0200
+++ /work/SRC/openSUSE:Factory/.rubygem-rack.new/rubygem-rack.changes   
2018-11-10 17:02:15.283542695 +0100
@@ -1,0 +2,6 @@
+Tue Nov  6 23:24:32 UTC 2018 - Marcus Rueckert <[email protected]>
+
+- update to 2.0.6
+  see installed HISTORY.md
+
+-------------------------------------------------------------------
@@ -17,0 +24,12 @@
+
+-------------------------------------------------------------------
+Tue Oct 31 14:09:19 UTC 2017 - [email protected]
+
+- only build for 2.3+ from now
+
+-------------------------------------------------------------------
+Wed Jun  7 16:24:31 UTC 2017 - [email protected]
+
+- re-add the rb_build_versions and rb_default_ruby_abi as otherwise
+  building on older distros fails.
+- add ruby 2.4

Old:
----
  rack-2.0.5.gem

New:
----
  rack-2.0.6.gem

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ rubygem-rack.spec ++++++
--- /var/tmp/diff_new_pack.pPjekf/_old  2018-11-10 17:02:15.935541899 +0100
+++ /var/tmp/diff_new_pack.pPjekf/_new  2018-11-10 17:02:15.935541899 +0100
@@ -24,7 +24,7 @@
 #
 
 Name:           rubygem-rack
-Version:        2.0.5
+Version:        2.0.6
 Release:        0
 %define mod_name rack
 %define mod_full_name %{mod_name}-%{version}
@@ -37,9 +37,9 @@
 %endif
 # /MANUAL
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
+BuildRequires:  ruby-macros >= 5
 BuildRequires:  %{ruby >= 2.2.2}
 BuildRequires:  %{rubygem gem2rpm}
-BuildRequires:  ruby-macros >= 5
 BuildRequires:  update-alternatives
 Url:            https://rack.github.io/
 Source:         https://rubygems.org/gems/%{mod_full_name}.gem
@@ -72,6 +72,7 @@
 chmod 644 
%{buildroot}%{_libdir}/ruby/gems/*/gems/%{mod_name}-%{version}/test/cgi/test.gz
 # /MANUAL
 
+
 %gem_packages
 
 %changelog

++++++ rack-2.0.5.gem -> rack-2.0.6.gem ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/SPEC new/SPEC
--- old/SPEC    2018-04-23 19:45:56.000000000 +0200
+++ new/SPEC    2018-11-05 20:29:36.000000000 +0100
@@ -60,8 +60,8 @@
                            the presence or absence of the
                            appropriate HTTP header in the
                            request. See
-                           {https://tools.ietf.org/html/rfc3875#section-4.1.18
-                           RFC3875 section 4.1.18} for
+                           <a 
href="https://tools.ietf.org/html/rfc3875#section-4.1.18";>
+                           RFC3875 section 4.1.18</a> for
                            specific behavior.
 In addition to this, the Rack environment must include these
 Rack-specific variables:
@@ -98,12 +98,13 @@
 Additional environment specifications have approved to
 standardized middleware APIs.  None of these are required to
 be implemented by the server.
-<tt>rack.session</tt>:: A hash like interface for storing request session data.
+<tt>rack.session</tt>:: A hash like interface for storing
+                        request session data.
                         The store must implement:
-                         store(key, value)         (aliased as []=);
-                         fetch(key, default = nil) (aliased as []);
-                         delete(key);
-                         clear;
+                        store(key, value)         (aliased as []=);
+                        fetch(key, default = nil) (aliased as []);
+                        delete(key);
+                        clear;
 <tt>rack.logger</tt>:: A common object interface for logging messages.
                        The object must implement:
                         info(message, &block)
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/rack/multipart/parser.rb 
new/lib/rack/multipart/parser.rb
--- old/lib/rack/multipart/parser.rb    2018-04-23 19:45:56.000000000 +0200
+++ new/lib/rack/multipart/parser.rb    2018-11-05 20:29:36.000000000 +0100
@@ -5,7 +5,7 @@
     class MultipartPartLimitError < Errno::EMFILE; end
 
     class Parser
-      BUFSIZE = 1_048_576
+      BUFSIZE = 16384
       TEXT_PLAIN = "text/plain"
       TEMPFILE_FACTORY = lambda { |filename, content_type|
         Tempfile.new(["RackMultipart", 
::File.extname(filename.gsub("\0".freeze, '%00'.freeze))])
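Review bot: The new BUFSIZE value on the `+` line carries no comment, so nothing in the hunk tells a maintainer why the per-read buffer dropped from 1 MiB to 16 KiB, and the next person tuning upload throughput may well raise it again. Presumably the smaller chunk bounds how much memory a single in-flight multipart body can hold per read; if that is the intent, say so on the line: `BUFSIZE = 16384 # read chunk size; kept small so one multipart body cannot pin a large buffer per request`. The Parser class continues outside the hunk, so I cannot see the read loop that consumes this constant.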
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/rack/request.rb new/lib/rack/request.rb
--- old/lib/rack/request.rb     2018-04-23 19:45:56.000000000 +0200
+++ new/lib/rack/request.rb     2018-11-05 20:29:36.000000000 +0100
@@ -11,6 +11,8 @@
   #   req.params["data"]
 
   class Request
+    SCHEME_WHITELIST = %w(https http).freeze
+
     def initialize(env)
       @params = nil
       super(env)
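Review bot: SCHEME_WHITELIST is introduced without a comment saying what it gates; its only use is in `forwarded_scheme`, several hunks further down in this file, and a reader of the Request class header has no way to know the constant restricts the values honoured from X-Forwarded-Scheme / X-Forwarded-Proto. Suggest placing `# Only these values are honoured from X-Forwarded-Scheme / X-Forwarded-Proto; anything else is ignored and the scheme falls back to rack.url_scheme.` above the constant. The Request class continues outside the hunk.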
@@ -188,10 +190,8 @@
           'https'
         elsif get_header(HTTP_X_FORWARDED_SSL) == 'on'
           'https'
-        elsif get_header(HTTP_X_FORWARDED_SCHEME)
-          get_header(HTTP_X_FORWARDED_SCHEME)
-        elsif get_header(HTTP_X_FORWARDED_PROTO)
-          get_header(HTTP_X_FORWARDED_PROTO).split(',')[0]
+        elsif forwarded_scheme
+          forwarded_scheme
         else
           get_header(RACK_URL_SCHEME)
         end
@@ -479,6 +479,19 @@
       def reject_trusted_ip_addresses(ip_addresses)
         ip_addresses.reject { |ip| trusted_proxy?(ip) }
       end
+
+      def forwarded_scheme
+        scheme_headers = [
+          get_header(HTTP_X_FORWARDED_SCHEME),
+          get_header(HTTP_X_FORWARDED_PROTO).to_s.split(',')[0]
+        ]
+
+        scheme_headers.each do |header|
+          return header if SCHEME_WHITELIST.include?(header)
+        end
+
+        nil
+      end
     end
 
     include Env
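Review bot: `forwarded_scheme` compares header values against SCHEME_WHITELIST byte-for-byte, so `HTTPS` or a value left with surrounding whitespace after `split(',')` (for example `https , http`) silently falls through to `rack.url_scheme` instead of being recognised; that is the safe direction, but `scheme` in the earlier hunk treats the result as authoritative, so it deserves a comment on the method. The each/return/nil loop is a single lookup in Ruby: `scheme_headers.find { |scheme| SCHEME_WHITELIST.include?(scheme) }`, which returns nil when nothing matches exactly as the loop does. Nothing in these hunks gates the X-Forwarded-* lookups on `trusted_proxy?`, so the value reported by `scheme`/`ssl?` is still driven by whichever client sent the header; that appears to be pre-existing behaviour rather than something this change introduces, but a note on the method saying the whitelist validates the value, not its origin, would keep callers from reading it as a trust check.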
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/rack/show_exceptions.rb 
new/lib/rack/show_exceptions.rb
--- old/lib/rack/show_exceptions.rb     2018-04-23 19:45:56.000000000 +0200
+++ new/lib/rack/show_exceptions.rb     2018-11-05 20:29:36.000000000 +0100
@@ -46,7 +46,7 @@
     end
 
     def prefers_plaintext?(env)
-      !accepts_html(env)
+      !accepts_html?(env)
     end
 
     def accepts_html?(env)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/rack.rb new/lib/rack.rb
--- old/lib/rack.rb     2018-04-23 19:45:56.000000000 +0200
+++ new/lib/rack.rb     2018-11-05 20:29:36.000000000 +0100
@@ -18,7 +18,7 @@
     VERSION.join(".")
   end
 
-  RELEASE = "2.0.5"
+  RELEASE = "2.0.6"
 
   # Return the Rack release as a dotted string.
   def self.release
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/metadata new/metadata
--- old/metadata        2018-04-23 19:45:56.000000000 +0200
+++ new/metadata        2018-11-05 20:29:36.000000000 +0100
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-  version: 2.0.5
+  version: 2.0.6
 platform: ruby
 authors:
 - Leah Neukirchen
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-04-23 00:00:00.000000000 Z
+date: 2018-11-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -275,59 +275,59 @@
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.13
+rubygems_version: 2.7.6
 signing_key: 
 specification_version: 4
 summary: a modular Ruby webserver interface
 test_files:
-- test/spec_auth_basic.rb
-- test/spec_auth_digest.rb
-- test/spec_body_proxy.rb
-- test/spec_builder.rb
-- test/spec_cascade.rb
-- test/spec_cgi.rb
-- test/spec_chunked.rb
-- test/spec_common_logger.rb
-- test/spec_conditional_get.rb
-- test/spec_config.rb
-- test/spec_content_length.rb
-- test/spec_content_type.rb
+- test/spec_multipart.rb
 - test/spec_deflater.rb
-- test/spec_directory.rb
+- test/spec_static.rb
+- test/spec_session_cookie.rb
+- test/spec_session_pool.rb
 - test/spec_etag.rb
-- test/spec_events.rb
-- test/spec_fastcgi.rb
-- test/spec_file.rb
+- test/spec_version.rb
 - test/spec_handler.rb
-- test/spec_head.rb
-- test/spec_lint.rb
-- test/spec_lobster.rb
-- test/spec_lock.rb
-- test/spec_logger.rb
-- test/spec_media_type.rb
-- test/spec_method_override.rb
+- test/spec_thin.rb
+- test/spec_session_abstract_id.rb
 - test/spec_mime.rb
-- test/spec_mock.rb
-- test/spec_multipart.rb
-- test/spec_null_logger.rb
 - test/spec_recursive.rb
+- test/spec_null_logger.rb
+- test/spec_media_type.rb
+- test/spec_cgi.rb
+- test/spec_method_override.rb
+- test/spec_content_type.rb
+- test/spec_session_abstract_session_hash.rb
 - test/spec_request.rb
-- test/spec_response.rb
-- test/spec_rewindable_input.rb
+- test/spec_chunked.rb
+- test/spec_show_exceptions.rb
 - test/spec_runtime.rb
+- test/spec_fastcgi.rb
+- test/spec_common_logger.rb
+- test/spec_builder.rb
+- test/spec_config.rb
+- test/spec_utils.rb
 - test/spec_sendfile.rb
+- test/spec_lobster.rb
+- test/spec_lint.rb
+- test/spec_conditional_get.rb
+- test/spec_tempfile_reaper.rb
+- test/spec_mock.rb
 - test/spec_server.rb
-- test/spec_session_abstract_id.rb
-- test/spec_session_abstract_session_hash.rb
-- test/spec_session_cookie.rb
-- test/spec_session_memcache.rb
-- test/spec_session_pool.rb
-- test/spec_show_exceptions.rb
+- test/spec_directory.rb
+- test/spec_webrick.rb
+- test/spec_response.rb
+- test/spec_file.rb
 - test/spec_show_status.rb
-- test/spec_static.rb
-- test/spec_tempfile_reaper.rb
-- test/spec_thin.rb
+- test/spec_body_proxy.rb
+- test/spec_logger.rb
+- test/spec_auth_digest.rb
 - test/spec_urlmap.rb
-- test/spec_utils.rb
-- test/spec_version.rb
-- test/spec_webrick.rb
+- test/spec_events.rb
+- test/spec_cascade.rb
+- test/spec_auth_basic.rb
+- test/spec_head.rb
+- test/spec_lock.rb
+- test/spec_rewindable_input.rb
+- test/spec_session_memcache.rb
+- test/spec_content_length.rb
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/test/spec_request.rb new/test/spec_request.rb
--- old/test/spec_request.rb    2018-04-23 19:45:57.000000000 +0200
+++ new/test/spec_request.rb    2018-11-05 20:29:36.000000000 +0100
@@ -572,6 +572,11 @@
     request.must_be :ssl?
   end
 
+  it "prevents scheme abuse" do
+    request = make_request(Rack::MockRequest.env_for("/", 
'HTTP_X_FORWARDED_SCHEME' => 'a."><script>alert(1)</script>'))
+    request.scheme.must_equal 'http'
+  end
+
   it "parse cookies" do
     req = make_request \
       Rack::MockRequest.env_for("", "HTTP_COOKIE" => "foo=bar;quux=h&m")
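Review bot: The new example only exercises HTTP_X_FORWARDED_SCHEME, while `forwarded_scheme` in lib/rack/request.rb applies the same whitelist to the first comma-separated element of HTTP_X_FORWARDED_PROTO; that branch has no negative test here, and neither header has a positive test showing a valid value still wins. Two sibling examples would pin both branches, using the same `'http'` fallback the existing assertion relies on.
```ruby
  it "prevents scheme abuse" do
    # … unchanged: existing X-Forwarded-Scheme case …
  end

  it "ignores an unrecognised X-Forwarded-Proto value" do
    request = make_request(Rack::MockRequest.env_for("/", 'HTTP_X_FORWARDED_PROTO' => 'ftp, https'))
    request.scheme.must_equal 'http'
  end

  it "honours a whitelisted X-Forwarded-Proto value" do
    request = make_request(Rack::MockRequest.env_for("/", 'HTTP_X_FORWARDED_PROTO' => 'https, http'))
    request.scheme.must_equal 'https'
  end
```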
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/test/spec_show_exceptions.rb 
new/test/spec_show_exceptions.rb
--- old/test/spec_show_exceptions.rb    2018-04-23 19:45:57.000000000 +0200
+++ new/test/spec_show_exceptions.rb    2018-11-05 20:29:36.000000000 +0100
@@ -77,4 +77,17 @@
     assert_match(res, /ShowExceptions/)
     assert_match(res, /unknown location/)
   end
+
+  it "knows to prefer plaintext for non-html" do
+    # We don't need an app for this
+    exc = Rack::ShowExceptions.new(nil)
+
+    [
+      [{ "HTTP_ACCEPT" => "text/plain" }, true],
+      [{ "HTTP_ACCEPT" => "text/foo" }, true],
+      [{ "HTTP_ACCEPT" => "text/html" }, false]
+    ].each do |env, expected|
+      assert_equal(expected, exc.prefers_plaintext?(env))
+    end
+  end
 end

