Hello community, here is the log from the commit of package rubygem-rack-protection for openSUSE:Factory checked in at 2020-10-05 19:32:55 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/rubygem-rack-protection (Old) and /work/SRC/openSUSE:Factory/.rubygem-rack-protection.new.4249 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-rack-protection" Mon Oct 5 19:32:55 2020 rev:8 rq:838069 version:2.1.0 Changes: -------- --- /work/SRC/openSUSE:Factory/rubygem-rack-protection/rubygem-rack-protection.changes 2020-03-07 21:39:36.264327485 +0100 +++ /work/SRC/openSUSE:Factory/.rubygem-rack-protection.new.4249/rubygem-rack-protection.changes 2020-10-05 19:33:04.277188003 +0200 @@ -1,0 +2,6 @@ +Fri Sep 25 14:42:38 UTC 2020 - Stephan Kulow <co...@suse.com> + +updated to version 2.1.0 + no changelog found + +------------------------------------------------------------------- Old: ---- rack-protection-2.0.8.1.gem New: ---- rack-protection-2.1.0.gem ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rubygem-rack-protection.spec ++++++ --- /var/tmp/diff_new_pack.8U6loY/_old 2020-10-05 19:33:04.845190398 +0200 +++ /var/tmp/diff_new_pack.8U6loY/_new 2020-10-05 19:33:04.849190414 +0200 @@ -24,7 +24,7 @@ # Name: rubygem-rack-protection -Version: 2.0.8.1 +Version: 2.1.0 Release: 0 %define mod_name rack-protection %define mod_full_name %{mod_name}-%{version} ++++++ rack-protection-2.0.8.1.gem -> rack-protection-2.1.0.gem ++++++ Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/rack/protection/authenticity_token.rb new/lib/rack/protection/authenticity_token.rb --- old/lib/rack/protection/authenticity_token.rb 2020-01-01 21:06:51.000000000 +0100 +++ new/lib/rack/protection/authenticity_token.rb 2020-09-04 20:46:28.000000000 +0200 
@@ -63,7 +63,7 @@ # <h1>With Authenticity Token</h1> # <p>This successfully takes you to back to this form.</p> # <form action="" method="post"> - # <input type="hidden" name="authenticity_token" value="#{env['rack.session'][:csrf]}" /> + # <input type="hidden" name="authenticity_token" value="#{Rack::Protection::AuthenticityToken.token(env['rack.session'])}" /> # <input type="text" name="foo" /> # <input type="submit" /> # </form> @@ -189,7 +189,14 @@ end def xor_byte_strings(s1, s2) - s1.bytes.zip(s2.bytes).map { |(c1,c2)| c1 ^ c2 }.pack('c*') + s2 = s2.dup + size = s1.bytesize + i = 0 + while i < size + s2.setbyte(i, s1.getbyte(i) ^ s2.getbyte(i)) + i += 1 + end + s2 end end end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/rack/protection/content_security_policy.rb new/lib/rack/protection/content_security_policy.rb --- old/lib/rack/protection/content_security_policy.rb 2020-01-01 21:06:51.000000000 +0100 +++ new/lib/rack/protection/content_security_policy.rb 2020-09-04 20:46:28.000000000 +0200 @@ -36,16 +36,15 @@ # to be used in a policy. # class ContentSecurityPolicy < Base - default_options default_src: :none, script_src: "'self'", - img_src: "'self'", style_src: "'self'", - connect_src: "'self'", report_only: false + default_options default_src: "'self'", report_only: false DIRECTIVES = %i(base_uri child_src connect_src default_src font_src form_action frame_ancestors frame_src img_src manifest_src media_src object_src plugin_types referrer reflected_xss report_to report_uri require_sri_for sandbox script_src - style_src worker_src).freeze + style_src worker_src webrtc_src navigate_to + prefetch_src).freeze NO_ARG_DIRECTIVES = %i(block_all_mixed_content disown_opener upgrade_insecure_requests).freeze 
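Review bot: The rewritten `xor_byte_strings` body indexes `s2` for `s1.bytesize` bytes without checking that the two strings have the same length: a shorter `s2` makes `s2.getbyte(i)` return nil and the `^` raise `TypeError`, while a longer `s2` now comes back with its trailing bytes untouched, where the old `zip`/`pack` form truncated the result to `s1`'s length. The callers are not in this hunk, so whether they always pass equal-length strings cannot be confirmed here; I would make the precondition explicit with `raise ArgumentError, 'byte strings must have the same length' unless s1.bytesize == s2.bytesize` at the top of the method, or at least a comment stating it. The result also now carries `s2`'s encoding instead of the binary string that `pack('c*')` produced, which is presumably fine for a value that is encoded afterwards but is worth a one-line comment. The method is complete within the hunk; the enclosing class is not.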
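Review bot: The new `default_options` line replaces `default_src: :none` plus explicit `'self'` values for script, img, style and connect with a single `default_src: "'self'"`, which is a more permissive default than before: directives that previously had no value and therefore fell back to `'none'` (object-src, font-src, media-src, frame-src, worker-src and so on) now fall back to `'self'`. Nothing in the hunk or in the changelog entry on this page records that the default policy changed, so a user upgrading from 2.0.8.1 would not know that same-origin plugins, fonts and frames are now allowed unless they set those keys themselves. I would add to the class comment, which starts outside this hunk, a line such as `# The default policy is just default-src 'self'; pass default_src: :none together with the individual *_src keys you need to restore the stricter pre-2.1 behaviour.` The three directives appended to `DIRECTIVES` (`webrtc_src`, `navigate_to`, `prefetch_src`) are, as far as I know, still subject to specification churn, so a short note that browser support for them is uneven would also help.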
@@ -62,7 +61,7 @@ # Set these key values to boolean 'true' to include in policy NO_ARG_DIRECTIVES.each do |d| if options.key?(d) && options[d].is_a?(TrueClass) - directives << d.to_s.sub(/_/, '-') + directives << d.to_s.tr('_', '-') end end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/rack/protection/http_origin.rb new/lib/rack/protection/http_origin.rb --- old/lib/rack/protection/http_origin.rb 2020-01-01 21:06:51.000000000 +0100 +++ new/lib/rack/protection/http_origin.rb 2020-09-04 20:46:28.000000000 +0200 @@ -9,11 +9,11 @@ # http://tools.ietf.org/html/draft-abarth-origin # # Does not accept unsafe HTTP requests when value of Origin HTTP request header - # does not match default or whitelisted URIs. + # does not match default or permitted URIs. # - # If you want to whitelist a specific domain, you can pass in as the `:origin_whitelist` option: + # If you want to permit a specific domain, you can pass in as the `:permitted_origins` option: # - # use Rack::Protection, origin_whitelist: ["http://localhost:3000", "http://127.0.01:3000"] + # use Rack::Protection, permitted_origins: ["http://localhost:3000", "http://127.0.01:3000"] # # The `:allow_if` option can also be set to a proc to use custom allow/deny logic. class HttpOrigin < Base 
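Review bot: The example on the new `permitted_origins:` comment line keeps `"http://127.0.01:3000"` from the old line, which looks like a typo for `http://127.0.0.1:3000`; since the option is matched against the Origin header by exact string comparison in `accepts?`, a value no browser would send makes a poor example, and I would change the line to `# use Rack::Protection, permitted_origins: ["http://localhost:3000", "http://127.0.0.1:3000"]`. The sentence `If you want to permit a specific domain, you can pass in as the ...` is also missing its object; `you can pass it in as the` reads correctly. The class body this comment documents starts after the hunk.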
@@ -32,7 +32,14 @@ return true unless origin = env['HTTP_ORIGIN'] return true if base_url(env) == origin return true if options[:allow_if] && options[:allow_if].call(env) - Array(options[:origin_whitelist]).include? origin + + if options.key? :origin_whitelist + warn "Rack::Protection origin_whitelist option is deprecated and will be removed, " \ + "use permitted_origins instead.\n" + end + + permitted_origins = options[:permitted_origins] || options[:origin_whitelist] + Array(permitted_origins).include? origin end end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/rack/protection/referrer_policy.rb new/lib/rack/protection/referrer_policy.rb --- old/lib/rack/protection/referrer_policy.rb 1970-01-01 01:00:00.000000000 +0100 +++ new/lib/rack/protection/referrer_policy.rb 2020-09-04 20:46:28.000000000 +0200 @@ -0,0 +1,25 @@ +require 'rack/protection' + +module Rack + module Protection + ## + # Prevented attack:: Secret leakage, third party tracking + # Supported browsers:: mixed support + # More infos:: https://www.w3.org/TR/referrer-policy/ + # https://caniuse.com/#search=referrer-policy + # + # Sets Referrer-Policy header to tell the browser to limit the Referer header. + # + # Options: + # referrer_policy:: The policy to use (default: 'strict-origin-when-cross-origin') + class ReferrerPolicy < Base + default_options :referrer_policy => 'strict-origin-when-cross-origin' + + def call(env) + status, headers, body = @app.call(env) + headers['Referrer-Policy'] ||= options[:referrer_policy] + [status, headers, body] + end + end + end +end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/rack/protection/version.rb new/lib/rack/protection/version.rb --- old/lib/rack/protection/version.rb 2020-01-01 21:06:51.000000000 +0100 +++ new/lib/rack/protection/version.rb 2020-09-04 20:46:28.000000000 +0200 
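Review bot: The deprecation `warn` sits in the per-request accept path, so an application still configured with `:origin_whitelist` writes the same message to stderr on every request that carries an Origin header rather than once; the enclosing method starts outside the hunk, but the check belongs at middleware construction time, or at least behind a once-only guard on an instance variable so the message is emitted a single time. The fallback `options[:permitted_origins] || options[:origin_whitelist]` also means an explicit `permitted_origins: nil` silently re-enables the deprecated key, which is probably intended but deserves a comment such as `# fall back to the deprecated key only when the new one is unset`. The matching itself is unchanged: an exact string comparison, so scheme, host and port must match the Origin header byte for byte.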
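Review bot: `headers['Referrer-Policy'] ||= options[:referrer_policy]` in `ReferrerPolicy#call` only notices an existing header under that exact key; if the downstream app returns a plain Hash with a differently cased key, the response ends up with two Referrer-Policy headers, because case-insensitive lookup is only available when the headers object is a `Rack::Utils::HeaderHash`, which this code does not ensure. Whether `Base` or the rest of the gem already guarantees that cannot be seen from this file, so this may be consistent with the gem's other header middlewares. On style, `default_options :referrer_policy => '...'` uses hash-rocket syntax while the other `default_options` call on this page (`content_security_policy.rb`) uses `default_src: "'self'"`; `default_options referrer_policy: 'strict-origin-when-cross-origin'` would match. The option value is not validated, so a misspelled policy token reaches the browser unchanged and is ignored there; a comment listing the tokens accepted by the linked spec would help users spot that.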
@@ -1,5 +1,5 @@ module Rack module Protection - VERSION = '2.0.8.1' + VERSION = '2.1.0' end end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/rack/protection.rb new/lib/rack/protection.rb --- old/lib/rack/protection.rb 2020-01-01 21:06:51.000000000 +0100 +++ new/lib/rack/protection.rb 2020-09-04 20:46:28.000000000 +0200 @@ -14,6 +14,7 @@ autoload :IPSpoofing, 'rack/protection/ip_spoofing' autoload :JsonCsrf, 'rack/protection/json_csrf' autoload :PathTraversal, 'rack/protection/path_traversal' + autoload :ReferrerPolicy, 'rack/protection/referrer_policy' autoload :RemoteReferrer, 'rack/protection/remote_referrer' autoload :RemoteToken, 'rack/protection/remote_token' autoload :SessionHijacking, 'rack/protection/session_hijacking' @@ -32,9 +33,11 @@ Rack::Builder.new do # Off by default, unless added use ::Rack::Protection::AuthenticityToken, options if use_these.include? :authenticity_token - use ::Rack::Protection::CookieTossing, options if use_these.include? :cookie_tossing use ::Rack::Protection::ContentSecurityPolicy, options if use_these.include? :content_security_policy + use ::Rack::Protection::CookieTossing, options if use_these.include? :cookie_tossing + use ::Rack::Protection::EscapedParams, options if use_these.include? :escaped_params use ::Rack::Protection::FormToken, options if use_these.include? :form_token + use ::Rack::Protection::ReferrerPolicy, options if use_these.include? :referrer_policy use ::Rack::Protection::RemoteReferrer, options if use_these.include? :remote_referrer use ::Rack::Protection::StrictTransport, options if use_these.include? :strict_transport diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/metadata new/metadata --- old/metadata 2020-01-01 21:06:51.000000000 +0100 +++ new/metadata 2020-09-04 20:46:28.000000000 +0200 
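Review bot: `ReferrerPolicy` is inserted in the block commented `# Off by default, unless added`, so the new middleware only runs when the caller lists `:referrer_policy` in the `use:` option, and `EscapedParams` joins the same opt-in list in this hunk. The documentation that enumerates the opt-in keys is outside this hunk and should be checked to mention both, since the package changelog on this page records no upstream changelog for 2.1.0. Moving `CookieTossing` after `ContentSecurityPolicy` also changes middleware nesting in `Rack::Builder`, which for these two is presumably harmless, but a one-line comment such as `# kept in alphabetical order` would stop the next reader from taking the move as deliberate sequencing.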
@@ -1,14 +1,14 @@ --- !ruby/object:Gem::Specification name: rack-protection version: !ruby/object:Gem::Version - version: 2.0.8.1 + version: 2.1.0 platform: ruby authors: - https://github.com/sinatra/sinatra/graphs/contributors autorequire: bindir: bin cert_chain: [] -date: 2020-01-01 00:00:00.000000000 Z +date: 2020-09-04 00:00:00.000000000 Z dependencies: - !ruby/object:Gem::Dependency name: rack @@ -76,6 +76,7 @@ - lib/rack/protection/ip_spoofing.rb - lib/rack/protection/json_csrf.rb - lib/rack/protection/path_traversal.rb +- lib/rack/protection/referrer_policy.rb - lib/rack/protection/remote_referrer.rb - lib/rack/protection/remote_token.rb - lib/rack/protection/session_hijacking.rb @@ -105,8 +106,7 @@ - !ruby/object:Gem::Version version: '0' requirements: [] -rubyforge_project: -rubygems_version: 2.7.3 +rubygems_version: 3.1.2 signing_key: specification_version: 4 summary: Protect against typical web attacks, works with all Rack apps, including