here is the log from the commit of package rubygem-rack-protection for 
openSUSE:Factory checked in at 2020-10-05 19:32:55
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-rack-protection (Old)
 and      /work/SRC/openSUSE:Factory/.rubygem-rack-protection.new.4249 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "rubygem-rack-protection"

Mon Oct  5 19:32:55 2020 rev:8 rq:838069 version:2.1.0

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/rubygem-rack-protection/rubygem-rack-protection.changes
  2020-03-07 21:39:36.264327485 +0100
+++ 
/work/SRC/openSUSE:Factory/.rubygem-rack-protection.new.4249/rubygem-rack-protection.changes
        2020-10-05 19:33:04.277188003 +0200
@@ -1,0 +2,6 @@
+Fri Sep 25 14:42:38 UTC 2020 - Stephan Kulow <co...@suse.com>
+
+updated to version 2.1.0
+  no changelog found
+
+-------------------------------------------------------------------

Old:
----
  rack-protection-2.0.8.1.gem

New:
----
  rack-protection-2.1.0.gem

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ rubygem-rack-protection.spec ++++++
--- /var/tmp/diff_new_pack.8U6loY/_old  2020-10-05 19:33:04.845190398 +0200
+++ /var/tmp/diff_new_pack.8U6loY/_new  2020-10-05 19:33:04.849190414 +0200
@@ -24,7 +24,7 @@
 #
 
 Name:           rubygem-rack-protection
-Version:        2.0.8.1
+Version:        2.1.0
 Release:        0
 %define mod_name rack-protection
 %define mod_full_name %{mod_name}-%{version}

++++++ rack-protection-2.0.8.1.gem -> rack-protection-2.1.0.gem ++++++
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/rack/protection/authenticity_token.rb 
new/lib/rack/protection/authenticity_token.rb
--- old/lib/rack/protection/authenticity_token.rb       2020-01-01 
21:06:51.000000000 +0100
+++ new/lib/rack/protection/authenticity_token.rb       2020-09-04 
20:46:28.000000000 +0200
@@ -63,7 +63,7 @@
     #             <h1>With Authenticity Token</h1>
     #             <p>This successfully takes you to back to this form.</p>
     #             <form action="" method="post">
-    #               <input type="hidden" name="authenticity_token" 
value="#{env['rack.session'][:csrf]}" />
+    #               <input type="hidden" name="authenticity_token" 
value="#{Rack::Protection::AuthenticityToken.token(env['rack.session'])}" />
     #               <input type="text" name="foo" />
     #               <input type="submit" />
     #             </form>
@@ -189,7 +189,14 @@
       end
 
       def xor_byte_strings(s1, s2)
-        s1.bytes.zip(s2.bytes).map { |(c1,c2)| c1 ^ c2 }.pack('c*')
+        s2 = s2.dup
+        size = s1.bytesize
+        i = 0
+        while i < size
+          s2.setbyte(i, s1.getbyte(i) ^ s2.getbyte(i))
+          i += 1
+        end
+        s2
       end
     end
   end
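Review bot: xor_byte_strings still assumes both strings have the same length, and the rewrite does nothing to check it: when s2 is shorter than s1, `s2.getbyte(i)` returns nil and `^` raises a TypeError, while when s2 is longer its trailing bytes are copied through unmasked. Since this helper is presumably what masks and unmasks the CSRF token, with the masked value coming from the request (the callers are outside the hunk), the precondition should be explicit at the top of the method: `raise ArgumentError, 'byte strings must have equal length' unless s1.bytesize == s2.bytesize`. Note also that `s2.dup` keeps s2's encoding, whereas the old `pack('c*')` always returned a binary string; if a non-binary s2 ever reaches this, `setbyte` can leave an invalid byte sequence, so `s2 = s2.dup.force_encoding(Encoding::BINARY)` would preserve the old contract.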
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/rack/protection/content_security_policy.rb 
new/lib/rack/protection/content_security_policy.rb
--- old/lib/rack/protection/content_security_policy.rb  2020-01-01 
21:06:51.000000000 +0100
+++ new/lib/rack/protection/content_security_policy.rb  2020-09-04 
20:46:28.000000000 +0200
@@ -36,16 +36,15 @@
     #          to be used in a policy.
     #
     class ContentSecurityPolicy < Base
-      default_options default_src: :none, script_src: "'self'",
-                      img_src: "'self'", style_src: "'self'",
-                      connect_src: "'self'", report_only: false
+      default_options default_src: "'self'", report_only: false
 
       DIRECTIVES = %i(base_uri child_src connect_src default_src
                       font_src form_action frame_ancestors frame_src
                       img_src manifest_src media_src object_src
                       plugin_types referrer reflected_xss report_to
                       report_uri require_sri_for sandbox script_src
-                      style_src worker_src).freeze
+                      style_src worker_src webrtc_src navigate_to
+                      prefetch_src).freeze
 
       NO_ARG_DIRECTIVES = %i(block_all_mixed_content disown_opener
                              upgrade_insecure_requests).freeze
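Review bot: The new default `default_src: "'self'"` is materially weaker than the old `default_src: :none` with per-directive `'self'`: object-src, frame-src, font-src, media-src, worker-src and every other fetch directive now fall back to 'self' instead of being denied, so e.g. a same-origin file-upload path can now serve plugins or framed content. The class docstring above the hunk should state this, and it is worth keeping same-origin plugins out of the default since they are rarely needed: `default_options default_src: "'self'", object_src: "'none'", report_only: false`. Separately, `webrtc_src`, `navigate_to` and `prefetch_src` are draft-only directives that I am not aware of any shipping browser honouring; a comment such as `# draft CSP3 directives; not implemented by current browsers` next to them would stop readers from relying on them.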
@@ -62,7 +61,7 @@
         # Set these key values to boolean 'true' to include in policy
         NO_ARG_DIRECTIVES.each do |d|
           if options.key?(d) && options[d].is_a?(TrueClass)
-            directives << d.to_s.sub(/_/, '-')
+            directives << d.to_s.tr('_', '-')
           end
         end
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/rack/protection/http_origin.rb 
new/lib/rack/protection/http_origin.rb
--- old/lib/rack/protection/http_origin.rb      2020-01-01 21:06:51.000000000 
+0100
+++ new/lib/rack/protection/http_origin.rb      2020-09-04 20:46:28.000000000 
+0200
@@ -9,11 +9,11 @@
     #                      http://tools.ietf.org/html/draft-abarth-origin
     #
     # Does not accept unsafe HTTP requests when value of Origin HTTP request 
header
-    # does not match default or whitelisted URIs.
+    # does not match default or permitted URIs.
     #
-    # If you want to whitelist a specific domain, you can pass in as the 
`:origin_whitelist` option:
+    # If you want to permit a specific domain, you can pass in as the 
`:permitted_origins` option:
     #
-    #     use Rack::Protection, origin_whitelist: ["http://localhost:3000";, 
"http://127.0.01:3000";]
+    #     use Rack::Protection, permitted_origins: ["http://localhost:3000";, 
"http://127.0.01:3000";]
     #
     # The `:allow_if` option can also be set to a proc to use custom 
allow/deny logic.
     class HttpOrigin < Base
@@ -32,7 +32,14 @@
         return true unless origin = env['HTTP_ORIGIN']
         return true if base_url(env) == origin
         return true if options[:allow_if] && options[:allow_if].call(env)
-        Array(options[:origin_whitelist]).include? origin
+
+        if options.key? :origin_whitelist
+          warn "Rack::Protection origin_whitelist option is deprecated and 
will be removed, " \
+            "use permitted_origins instead.\n"
+        end
+
+        permitted_origins = options[:permitted_origins] || 
options[:origin_whitelist]
+        Array(permitted_origins).include? origin
       end
 
     end
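Review bot: `Array(permitted_origins).include? origin` is an exact string comparison against the raw Origin header, so each entry must match what the browser sends byte for byte (scheme, host, port, no trailing slash) — the example `http://127.0.01:3000` in the class comment above would never match a browser-sent `http://127.0.0.1:3000`, and the typo should be fixed there. A comment on that line would save users from that mistake: `# exact match on scheme://host[:port]; no wildcards, no trailing slash`. The deprecation `warn` also fires on every request that carries an Origin header rather than once, which will flood logs; warning once (or in the initializer, which is outside the hunk) would be kinder. The start of accepts? lies above the hunk.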
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/rack/protection/referrer_policy.rb 
new/lib/rack/protection/referrer_policy.rb
--- old/lib/rack/protection/referrer_policy.rb  1970-01-01 01:00:00.000000000 
+0100
+++ new/lib/rack/protection/referrer_policy.rb  2020-09-04 20:46:28.000000000 
+0200
@@ -0,0 +1,25 @@
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   Secret leakage, third party tracking
+    # Supported browsers:: mixed support
+    # More infos::         https://www.w3.org/TR/referrer-policy/
+    #                      https://caniuse.com/#search=referrer-policy
+    #
+    # Sets Referrer-Policy header to tell the browser to limit the Referer 
header.
+    #
+    # Options:
+    # referrer_policy:: The policy to use (default: 
'strict-origin-when-cross-origin')
+    class ReferrerPolicy < Base
+      default_options :referrer_policy => 'strict-origin-when-cross-origin'
+
+      def call(env)
+        status, headers, body = @app.call(env)
+        headers['Referrer-Policy'] ||= options[:referrer_policy]
+        [status, headers, body]
+      end
+    end
+  end
+end
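Review bot: The `referrer_policy` option is emitted without validation, and browsers silently ignore an unrecognised Referrer-Policy token and fall back to their own default, which leaks more than `strict-origin-when-cross-origin` — so a typo in the option weakens the protection with no error anywhere. Checking each comma-separated token (the header allows a fallback list) against the W3C token set and raising on anything unknown turns that into a loud failure; ideally at construction time, but Base's initializer is outside the hunk, so the check below lives in `call`. One more caveat worth a comment: `headers['Referrer-Policy'] ||=` only respects an app-set header if the headers object does case-insensitive lookup, so an app setting `referrer-policy` on a plain Hash would get both.
```ruby
class ReferrerPolicy < Base
  # Tokens defined by https://www.w3.org/TR/referrer-policy/#referrer-policies
  POLICIES = %w[no-referrer no-referrer-when-downgrade same-origin origin
                strict-origin origin-when-cross-origin
                strict-origin-when-cross-origin unsafe-url].freeze

  default_options :referrer_policy => 'strict-origin-when-cross-origin'

  def call(env)
    policy = options[:referrer_policy].to_s
    # Browsers ignore unknown tokens silently, so reject them loudly instead.
    unknown = policy.split(',').map(&:strip) - POLICIES
    raise ArgumentError, "unknown Referrer-Policy token(s): #{unknown.join(', ')}" unless unknown.empty?

    status, headers, body = @app.call(env)
    headers['Referrer-Policy'] ||= policy
    [status, headers, body]
  end
end
```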
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/rack/protection/version.rb 
new/lib/rack/protection/version.rb
--- old/lib/rack/protection/version.rb  2020-01-01 21:06:51.000000000 +0100
+++ new/lib/rack/protection/version.rb  2020-09-04 20:46:28.000000000 +0200
@@ -1,5 +1,5 @@
 module Rack
   module Protection
-    VERSION = '2.0.8.1'
+    VERSION = '2.1.0'
   end
 end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/rack/protection.rb new/lib/rack/protection.rb
--- old/lib/rack/protection.rb  2020-01-01 21:06:51.000000000 +0100
+++ new/lib/rack/protection.rb  2020-09-04 20:46:28.000000000 +0200
@@ -14,6 +14,7 @@
     autoload :IPSpoofing,            'rack/protection/ip_spoofing'
     autoload :JsonCsrf,              'rack/protection/json_csrf'
     autoload :PathTraversal,         'rack/protection/path_traversal'
+    autoload :ReferrerPolicy,        'rack/protection/referrer_policy'
     autoload :RemoteReferrer,        'rack/protection/remote_referrer'
     autoload :RemoteToken,           'rack/protection/remote_token'
     autoload :SessionHijacking,      'rack/protection/session_hijacking'
@@ -32,9 +33,11 @@
       Rack::Builder.new do
         # Off by default, unless added
         use ::Rack::Protection::AuthenticityToken,     options if 
use_these.include? :authenticity_token
-        use ::Rack::Protection::CookieTossing,         options if 
use_these.include? :cookie_tossing
         use ::Rack::Protection::ContentSecurityPolicy, options if 
use_these.include? :content_security_policy
+        use ::Rack::Protection::CookieTossing,         options if 
use_these.include? :cookie_tossing
+        use ::Rack::Protection::EscapedParams,         options if 
use_these.include? :escaped_params
         use ::Rack::Protection::FormToken,             options if 
use_these.include? :form_token
+        use ::Rack::Protection::ReferrerPolicy,        options if 
use_these.include? :referrer_policy
         use ::Rack::Protection::RemoteReferrer,        options if 
use_these.include? :remote_referrer
         use ::Rack::Protection::StrictTransport,       options if 
use_these.include? :strict_transport
 
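Review bot: A symbol in `use:` that has no matching `use` line here is still silently ignored, so `use: [:referer_policy]` (typo) or a name from another version simply leaves that protection off with no warning — the fact that `:escaped_params` had to be wired in by this hunk suggests it sat in exactly that state before. The accepted names should be a frozen constant checked where `use_these` is built (above the hunk), e.g. `unknown = use_these - KNOWN_PROTECTIONS` followed by `raise ArgumentError, "unknown Rack::Protection middleware: #{unknown.join(', ')}" unless unknown.empty?`. The enclosing `Rack::Builder.new do` block starts above the hunk.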
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/metadata new/metadata
--- old/metadata        2020-01-01 21:06:51.000000000 +0100
+++ new/metadata        2020-09-04 20:46:28.000000000 +0200
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack-protection
 version: !ruby/object:Gem::Version
-  version: 2.0.8.1
+  version: 2.1.0
 platform: ruby
 authors:
 - https://github.com/sinatra/sinatra/graphs/contributors
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-01-01 00:00:00.000000000 Z
+date: 2020-09-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -76,6 +76,7 @@
 - lib/rack/protection/ip_spoofing.rb
 - lib/rack/protection/json_csrf.rb
 - lib/rack/protection/path_traversal.rb
+- lib/rack/protection/referrer_policy.rb
 - lib/rack/protection/remote_referrer.rb
 - lib/rack/protection/remote_token.rb
 - lib/rack/protection/session_hijacking.rb
@@ -105,8 +106,7 @@
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.3
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: Protect against typical web attacks, works with all Rack apps, 
including

