Hello community, here is the log from the commit of package rubygem-rack-1_6 for openSUSE:Factory checked in at 2018-12-04 20:57:05 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/rubygem-rack-1_6 (Old) and /work/SRC/openSUSE:Factory/.rubygem-rack-1_6.new.19453 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-rack-1_6"
Tue Dec 4 20:57:05 2018 rev:6 rq:653707 version:1.6.11
Changes:
--------
--- /work/SRC/openSUSE:Factory/rubygem-rack-1_6/rubygem-rack-1_6.changes 2018-07-18 22:52:08.223319601 +0200
+++ /work/SRC/openSUSE:Factory/.rubygem-rack-1_6.new.19453/rubygem-rack-1_6.changes 2018-12-04 20:57:07.036667188 +0100
@@ -1,0 +2,6 @@
+Thu Nov 22 05:29:29 UTC 2018 - Stephan Kulow <co...@suse.com>
+
+- updated to version 1.6.11
+ see installed HISTORY.md
+
+-------------------------------------------------------------------
Old:
----
rack-1.6.10.gem
New:
----
rack-1.6.11.gem
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ rubygem-rack-1_6.spec ++++++
--- /var/tmp/diff_new_pack.uNzJ4W/_old 2018-12-04 20:57:07.484666694 +0100
+++ /var/tmp/diff_new_pack.uNzJ4W/_new 2018-12-04 20:57:07.484666694 +0100
@@ -12,7 +12,7 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
@@ -24,7 +24,7 @@
 #
 Name: rubygem-rack-1_6
-Version: 1.6.10
+Version: 1.6.11
 Release: 0
 %define mod_name rack
 %define mod_full_name %{mod_name}-%{version}
++++++ rack-1.6.10.gem -> rack-1.6.11.gem ++++++
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/rack/request.rb new/lib/rack/request.rb
--- old/lib/rack/request.rb 2018-04-23 19:51:23.000000000 +0200
+++ new/lib/rack/request.rb 2018-11-05 20:58:43.000000000 +0100
@@ -13,6 +13,8 @@
 # The environment of the request.
 attr_reader :env
+ SCHEME_WHITELIST = %w(https http).freeze
+
 def initialize(env)
 @env = env
 end
@@ -68,10 +70,8 @@
 'https'
 elsif @env['HTTP_X_FORWARDED_SSL'] == 'on'
 'https'
- elsif @env['HTTP_X_FORWARDED_SCHEME']
- @env['HTTP_X_FORWARDED_SCHEME']
- elsif @env['HTTP_X_FORWARDED_PROTO']
- @env['HTTP_X_FORWARDED_PROTO'].split(',')[0]
+ elsif forwarded_scheme
+ forwarded_scheme
 else
 @env["rack.url_scheme"]
 end
@@ -394,5 +394,18 @@
 s
 end
 end
+
+ def forwarded_scheme
+ scheme_headers = [
+ @env['HTTP_X_FORWARDED_SCHEME'],
+ @env['HTTP_X_FORWARDED_PROTO'].to_s.split(',')[0]
+ ]
+
+ scheme_headers.each do |header|
+ return header if SCHEME_WHITELIST.include?(header)
+ end
+
+ nil
+ end
 end
 end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/rack/showexceptions.rb new/lib/rack/showexceptions.rb
--- old/lib/rack/showexceptions.rb 2018-04-23 19:51:23.000000000 +0200
+++ new/lib/rack/showexceptions.rb 2018-11-05 20:58:43.000000000 +0100
@@ -47,7 +47,7 @@
 end
 def prefers_plaintext?(env)
- !accepts_html(env)
+ !accepts_html?(env)
 end
 def accepts_html?(env)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/rack.rb new/lib/rack.rb
--- old/lib/rack.rb 2018-04-23 19:51:23.000000000 +0200
+++ new/lib/rack.rb 2018-11-05 20:58:43.000000000 +0100
@@ -20,7 +20,7 @@
 # Return the Rack release as a dotted string.
 def self.release
- "1.6.10"
+ "1.6.11"
 end
 PATH_INFO = 'PATH_INFO'.freeze
 REQUEST_METHOD = 'REQUEST_METHOD'.freeze
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/metadata new/metadata
--- old/metadata 2018-04-23 19:51:23.000000000 +0200
+++ new/metadata 2018-11-05 20:58:43.000000000 +0100
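Review bot: `forwarded_scheme` in the second hunk matches `SCHEME_WHITELIST` exactly and case-sensitively, so a proxy that sends `X-Forwarded-Proto: HTTPS`, or `https ,http` (which leaves `"https "` after `split(',')`), is no longer recognised and the request silently falls back to `rack.url_scheme`; if the proxies in front of the app emit such values, normalise with `header.to_s.strip.downcase` before the lookup. The reason for the whitelist is not stated in the code, and a one-line comment such as `# Only well-known schemes are accepted from forwarding headers; any other value is ignored rather than reflected wherever scheme is used.` would keep the intent (cf. the new "prevent scheme abuse" spec) from being lost in a later edit. The each/return loop followed by `nil` can be the single expression `scheme_headers.find { |header| SCHEME_WHITELIST.include?(header) }`. The `scheme` method whose branch the first hunk rewrites starts outside the hunk, and the constant itself is introduced in the earlier -13,6 +13,8 hunk; the whitelist bounds the value but does not change that these headers are honoured from any client unless a trusted proxy strips or sets them.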
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
- version: 1.6.10
+ version: 1.6.11
 platform: ruby
 authors:
 - Christian Neukirchen
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-04-23 00:00:00.000000000 Z
+date: 2018-11-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: bacon
@@ -256,57 +256,57 @@
 version: '0'
 requirements: []
 rubyforge_project: rack
-rubygems_version: 2.6.13
+rubygems_version: 2.7.6
 signing_key:
 specification_version: 4
 summary: a modular Ruby webserver interface
 test_files:
-- test/spec_auth_basic.rb
-- test/spec_auth_digest.rb
-- test/spec_body_proxy.rb
-- test/spec_builder.rb
-- test/spec_cascade.rb
-- test/spec_cgi.rb
-- test/spec_chunked.rb
-- test/spec_commonlogger.rb
-- test/spec_conditionalget.rb
-- test/spec_config.rb
-- test/spec_content_length.rb
-- test/spec_content_type.rb
+- test/spec_multipart.rb
 - test/spec_deflater.rb
-- test/spec_directory.rb
+- test/spec_static.rb
+- test/spec_session_cookie.rb
+- test/spec_commonlogger.rb
+- test/spec_session_pool.rb
+- test/spec_methodoverride.rb
 - test/spec_etag.rb
-- test/spec_fastcgi.rb
-- test/spec_file.rb
+- test/spec_version.rb
 - test/spec_handler.rb
-- test/spec_head.rb
-- test/spec_lint.rb
-- test/spec_lobster.rb
-- test/spec_lock.rb
-- test/spec_logger.rb
-- test/spec_methodoverride.rb
+- test/spec_thin.rb
+- test/spec_showexceptions.rb
+- test/spec_session_abstract_id.rb
 - test/spec_mime.rb
-- test/spec_mock.rb
-- test/spec_mongrel.rb
-- test/spec_multipart.rb
-- test/spec_nulllogger.rb
 - test/spec_recursive.rb
+- test/spec_cgi.rb
+- test/spec_content_type.rb
 - test/spec_request.rb
-- test/spec_response.rb
-- test/spec_rewindable_input.rb
+- test/spec_showstatus.rb
+- test/spec_chunked.rb
 - test/spec_runtime.rb
+- test/spec_fastcgi.rb
+- test/spec_builder.rb
+- test/spec_config.rb
+- test/spec_mongrel.rb
+- test/spec_utils.rb
 - test/spec_sendfile.rb
-- test/spec_server.rb
-- test/spec_session_abstract_id.rb
-- test/spec_session_cookie.rb
-- test/spec_session_memcache.rb
-- test/spec_session_pool.rb
-- test/spec_showexceptions.rb
-- test/spec_showstatus.rb
-- test/spec_static.rb
+- test/spec_lobster.rb
+- test/spec_lint.rb
 - test/spec_tempfile_reaper.rb
-- test/spec_thin.rb
-- test/spec_urlmap.rb
-- test/spec_utils.rb
-- test/spec_version.rb
+- test/spec_mock.rb
+- test/spec_conditionalget.rb
+- test/spec_server.rb
+- test/spec_directory.rb
 - test/spec_webrick.rb
+- test/spec_response.rb
+- test/spec_file.rb
+- test/spec_body_proxy.rb
+- test/spec_logger.rb
+- test/spec_auth_digest.rb
+- test/spec_urlmap.rb
+- test/spec_nulllogger.rb
+- test/spec_cascade.rb
+- test/spec_auth_basic.rb
+- test/spec_head.rb
+- test/spec_lock.rb
+- test/spec_rewindable_input.rb
+- test/spec_session_memcache.rb
+- test/spec_content_length.rb
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rack.gemspec new/rack.gemspec
--- old/rack.gemspec 2018-04-23 19:51:23.000000000 +0200
+++ new/rack.gemspec 2018-11-05 20:58:43.000000000 +0100
@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
 s.name = "rack"
- s.version = "1.6.10"
+ s.version = "1.6.11"
 s.platform = Gem::Platform::RUBY
 s.summary = "a modular Ruby webserver interface"
 s.license = "MIT"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/test/spec_request.rb new/test/spec_request.rb
--- old/test/spec_request.rb 2018-04-23 19:51:23.000000000 +0200
+++ new/test/spec_request.rb 2018-11-05 20:58:43.000000000 +0100
@@ -425,6 +425,11 @@
 request.should.be.ssl?
 end
+ should "prevent scheme abuse" do
+ request = Rack::Request.new(Rack::MockRequest.env_for("/", 'HTTP_X_FORWARDED_SCHEME' => 'a."><script>alert(1)</script>'))
+ request.scheme.should.not.equal 'a."><script>alert(1)</script>'
+ end
+
 should "parse cookies" do
 req = Rack::Request.new \
 Rack::MockRequest.env_for("", "HTTP_COOKIE" => "foo=bar;quux=h&m")
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/test/spec_showexceptions.rb new/test/spec_showexceptions.rb
--- old/test/spec_showexceptions.rb 2018-04-23 19:51:23.000000000 +0200
+++ new/test/spec_showexceptions.rb 2018-11-05 20:58:43.000000000 +0100
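Review bot: The new "prevent scheme abuse" example in spec_request.rb only asserts what `scheme` is not, so a regression that returned an empty string or `nil` for an unlisted header value would still pass; pin the fallback explicitly, e.g. `request.scheme.should.equal 'http'` (the mock env's default `rack.url_scheme`, assuming `env_for` leaves it unset for a bare "/"). The `HTTP_X_FORWARDED_PROTO` path changed in the same release (it now goes through `.to_s.split(',')[0]` and the whitelist) but has no corresponding case; a parallel example with `'HTTP_X_FORWARDED_PROTO' => 'https'` expecting `'https'`, plus one with an unlisted value expecting the fallback, would cover both the accept and reject sides. The enclosing describe block starts outside the hunk.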
@@ -82,4 +82,17 @@
 res.should =~ /ShowExceptions/
 res.should =~ /unknown location/
 end
+
+ it "knows to prefer plaintext for non-html" do
+ # We don't need an app for this
+ exc = Rack::ShowExceptions.new(nil)
+
+ [
+ [{ "HTTP_ACCEPT" => "text/plain" }, true],
+ [{ "HTTP_ACCEPT" => "text/foo" }, true],
+ [{ "HTTP_ACCEPT" => "text/html" }, false]
+ ].each do |env, expected|
+ assert_equal(expected, exc.prefers_plaintext?(env))
+ end
+ end
 end
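Review bot: The new example uses `assert_equal`, while the surrounding examples use bacon's `should` style (`res.should =~ /ShowExceptions/` just above it); for consistency write `exc.prefers_plaintext?(env).should.equal expected`. The table covers three `HTTP_ACCEPT` values but not a request with no Accept header at all, which is the path `accepts_html?` (defined outside this hunk) has to handle; an extra row `[{}, true]`, if a missing header is meant to be treated as non-HTML, would pin that behaviour alongside the `accepts_html` → `accepts_html?` fix this release makes in showexceptions.rb. The enclosing describe block starts outside the hunk.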