[rubygem-rack/f16] Moved gem install to %prep to be able to apply patches. Applied two patches that fix test failures with Ruby 1.8.7-p357.
Bohuslav Kabrda
bkabrda at fedoraproject.org
Fri Jan 6 06:28:40 UTC 2012
commit c5833fa8b174e8111f2f82beeca163be5a3a4cf3
Author: Bohuslav Kabrda <bkabrda at redhat.com>
Date: Thu Jan 5 16:02:27 2012 +0100
Moved gem install to %prep to be able to apply patches.
Applied two patches that fix test failures with Ruby 1.8.7-p357.
Applied backported security fix for CVE-2011-5036.
...ck-1.3.0-limit-the-size-of-parameter-keys.patch | 170 ++++++++++++++++++++
...-1.3.0-test-object-which-responds-to-each.patch | 34 ++++
...0-tests-now-accept-different-query-orders.patch | 62 +++++++
rubygem-rack.spec | 30 +++-
4 files changed, 291 insertions(+), 5 deletions(-)
---
diff --git a/rubygem-rack-1.3.0-limit-the-size-of-parameter-keys.patch b/rubygem-rack-1.3.0-limit-the-size-of-parameter-keys.patch
new file mode 100644
index 0000000..550aa72
--- /dev/null
+++ b/rubygem-rack-1.3.0-limit-the-size-of-parameter-keys.patch
@@ -0,0 +1,170 @@
+From 5b9d09a81a9fdc9475f0ab0095cb2a33bf2a8f91 Mon Sep 17 00:00:00 2001
+From: Evan Phoenix <evan at fallingsnow.net>
+Date: Tue, 13 Dec 2011 10:18:48 -0800
+Subject: [PATCH] Limit the size of parameter keys
+
+Signed-off-by: James Tucker <jftucker at gmail.com>
+Adapted for Rack 1.3.0
+---
+ lib/rack/multipart/parser.rb | 10 ++++++++++
+ lib/rack/utils.rb | 30 ++++++++++++++++++++++++++++++
+ test/spec_multipart.rb | 11 +++++++++++
+ test/spec_request.rb | 26 ++++++++++++++++++++++++++
+ 4 files changed, 77 insertions(+), 0 deletions(-)
+
+diff --git a/lib/rack/multipart/parser.rb b/lib/rack/multipart/parser.rb
+index 6eee64e..2b55cf9 100644
+--- a/lib/rack/multipart/parser.rb
++++ b/lib/rack/multipart/parser.rb
+@@ -14,6 +14,9 @@ module Rack
+
+ fast_forward_to_first_boundary
+
++ max_key_space = Utils.key_space_limit
++ bytes = 0
++
+ loop do
+ head, filename, content_type, name, body =
+ get_current_head_and_filename_and_content_type_and_name_and_body
+@@ -28,6 +31,13 @@ module Rack
+
+ filename, data = get_data(filename, body, content_type, name, head)
+
++ if name
++ bytes += name.size
++ if bytes > max_key_space
++ raise RangeError, "exceeded available parameter key space"
++ end
++ end
++
+ Utils.normalize_params(@params, name, data) unless data.nil?
+
+ # break if we're at the end of a buffer, but not if it is the end of a field
+diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb
+index 5d77a88..7bceb45 100644
+--- a/lib/rack/utils.rb
++++ b/lib/rack/utils.rb
+@@ -39,6 +39,14 @@ module Rack
+
+ DEFAULT_SEP = /[&;] */n
+
++ class << self
++ attr_accessor :key_space_limit
++ end
++
++ # The default number of bytes to allow parameter keys to take up.
++ # This helps prevent a rogue client from flooding a Request.
++ self.key_space_limit = 65536
++
+ # Stolen from Mongrel, with some small modifications:
+ # Parses a query string by breaking it up at the '&'
+ # and ';' characters. You can also use this to parse
+@@ -47,8 +55,19 @@ module Rack
+ def parse_query(qs, d = nil)
+ params = {}
+
++ max_key_space = Utils.key_space_limit
++ bytes = 0
++
+ (qs || '').split(d ? /[#{d}] */n : DEFAULT_SEP).each do |p|
+ k, v = p.split('=', 2).map { |x| unescape(x) }
++
++ if k
++ bytes += k.size
++ if bytes > max_key_space
++ raise RangeError, "exceeded available parameter key space"
++ end
++ end
++
+ if cur = params[k]
+ if cur.class == Array
+ params[k] << v
+@@ -67,8 +86,19 @@ module Rack
+ def parse_nested_query(qs, d = nil)
+ params = {}
+
++ max_key_space = Utils.key_space_limit
++ bytes = 0
++
+ (qs || '').split(d ? /[#{d}] */n : DEFAULT_SEP).each do |p|
+ k, v = p.split('=', 2).map { |s| unescape(s) }
++
++ if k
++ bytes += k.size
++ if bytes > max_key_space
++ raise RangeError, "exceeded available parameter key space"
++ end
++ end
++
+ normalize_params(params, k, v)
+ end
+
+diff --git a/test/spec_multipart.rb b/test/spec_multipart.rb
+index 4ecd2de..1dc2f4d 100644
+--- a/test/spec_multipart.rb
++++ b/test/spec_multipart.rb
+@@ -30,6 +30,17 @@ describe Rack::Multipart do
+ params["text"].should.equal "contents"
+ end
+
++ should "raise RangeError if the key space is exhausted" do
++ env = Rack::MockRequest.env_for("/", multipart_fixture(:content_type_and_no_filename))
++
++ old, Rack::Utils.key_space_limit = Rack::Utils.key_space_limit, 1
++ begin
++ lambda { Rack::Multipart.parse_multipart(env) }.should.raise(RangeError)
++ ensure
++ Rack::Utils.key_space_limit = old
++ end
++ end
++
+ should "parse multipart form webkit style" do
+ env = Rack::MockRequest.env_for '/', multipart_fixture(:webkit)
+ env['CONTENT_TYPE'] = "multipart/form-data; boundary=----WebKitFormBoundaryWLHCs9qmcJJoyjKR"
+diff --git a/test/spec_request.rb b/test/spec_request.rb
+index 6d61cbc..d20585c 100644
+--- a/test/spec_request.rb
++++ b/test/spec_request.rb
+@@ -125,6 +125,18 @@ describe Rack::Request do
+ req.params.should.equal "foo" => "bar", "quux" => "bla"
+ end
+
++ should "limit the keys from the GET query string" do
++ env = Rack::MockRequest.env_for("/?foo=bar")
++
++ old, Rack::Utils.key_space_limit = Rack::Utils.key_space_limit, 1
++ begin
++ req = Rack::Request.new(env)
++ lambda { req.GET }.should.raise(RangeError)
++ ensure
++ Rack::Utils.key_space_limit = old
++ end
++ end
++
+ should "not unify GET and POST when calling params" do
+ mr = Rack::MockRequest.env_for("/?foo=quux",
+ "REQUEST_METHOD" => 'POST',
+@@ -157,6 +169,20 @@ describe Rack::Request do
+ req.params.should.equal "foo" => "bar", "quux" => "bla"
+ end
+
++ should "limit the keys from the POST form data" do
++ env = Rack::MockRequest.env_for("",
++ "REQUEST_METHOD" => 'POST',
++ :input => "foo=bar&quux=bla")
++
++ old, Rack::Utils.key_space_limit = Rack::Utils.key_space_limit, 1
++ begin
++ req = Rack::Request.new(env)
++ lambda { req.POST }.should.raise(RangeError)
++ ensure
++ Rack::Utils.key_space_limit = old
++ end
++ end
++
+ should "parse POST data with explicit content type regardless of method" do
+ req = Rack::Request.new \
+ Rack::MockRequest.env_for("/",
+--
+1.7.7.5
+
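Review bot: The limit is documented in bytes (`# The default number of bytes to allow parameter keys to take up.`), but the three counters use `String#size` (`bytes += name.size`, `bytes += k.size`), which on Ruby 1.9 returns the character count, so multibyte keys consume more of the budget than is accounted for; `bytes += k.bytesize` (and `name.bytesize` in the multipart parser) matches the documented unit and exists since 1.8.7. For the `ruby(abi) = 1.8` target declared in the spec `size` already counts bytes, so this is a portability note for the backported patch rather than a regression. It is also worth a comment next to `self.key_space_limit = 65536` that this caps total key bytes, not key count, so it is a mitigation for CVE-2011-5036 rather than a root fix, and that deployments can tighten `Rack::Utils.key_space_limit` through the public accessor. The patched functions are complete within this hunk.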
diff --git a/rubygem-rack-1.3.0-test-object-which-responds-to-each.patch b/rubygem-rack-1.3.0-test-object-which-responds-to-each.patch
new file mode 100644
index 0000000..9b2afc1
--- /dev/null
+++ b/rubygem-rack-1.3.0-test-object-which-responds-to-each.patch
@@ -0,0 +1,34 @@
+From 17a3e1ea7be50094d09b6f5fbb4770b5468e8421 Mon Sep 17 00:00:00 2001
+From: HannesG <hag at informatik.uni-kiel.de>
+Date: Thu, 29 Dec 2011 19:23:32 +0100
+Subject: [PATCH] Test an object which repsonds to each instead of a set.
+Backported for rack 1.3.0
+---
+ test/spec_response.rb | 9 ++++++---
+ 1 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/test/spec_response.rb b/test/spec_response.rb
+index 07dd012..589063e 100644
+--- a/test/spec_response.rb
++++ b/test/spec_response.rb
+@@ -1,3 +1,2 @@
+-require 'set'
+ require 'rack/response'
+
+@@ -134,7 +131,12 @@ describe Rack::Response do
+ str = ""; body.each { |part| str << part }
+ str.should.equal "foobar"
+
+- r = Rack::Response.new(["foo", "bar"].to_set)
++ object_with_each = Object.new
++ def object_with_each.each
++ yield "foo"
++ yield "bar"
++ end
++ r = Rack::Response.new(object_with_each)
+ r.write "foo"
+ status, header, body = r.finish
+ str = ""; body.each { |part| str << part }
+--
+1.7.7.5
+
diff --git a/rubygem-rack-1.3.0-tests-now-accept-different-query-orders.patch b/rubygem-rack-1.3.0-tests-now-accept-different-query-orders.patch
new file mode 100644
index 0000000..b1c6778
--- /dev/null
+++ b/rubygem-rack-1.3.0-tests-now-accept-different-query-orders.patch
@@ -0,0 +1,62 @@
+From c711cd421f3eacfde9965b4b38f41acc5754b5d0 Mon Sep 17 00:00:00 2001
+From: HannesG <hag at informatik.uni-kiel.de>
+Date: Thu, 29 Dec 2011 19:24:03 +0100
+Subject: [PATCH] Utils tests now accept different query orders.
+Backported for rack 1.3.0
+---
+ test/spec_utils.rb | 21 +++++++++++++++------
+ 1 files changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/test/spec_utils.rb b/test/spec_utils.rb
+index a787763..069e229 100644
+--- a/test/spec_utils.rb
++++ b/test/spec_utils.rb
+@@ -3,6 +3,15 @@ require 'rack/utils'
+ require 'rack/mock'
+
+ describe Rack::Utils do
++
++ # A helper method which checks
++ # if certain query parameters
++ # are equal.
++ def equal_query_to(query)
++ parts = query.split('&')
++ lambda{|other| (parts & other.split('&')) == parts }
++ end
++
+ should "escape correctly" do
+ Rack::Utils.escape("fo<o>bar").should.equal "fo%3Co%3Ebar"
+ Rack::Utils.escape("a space").should.equal "a+space"
+@@ -134,13 +143,13 @@ describe Rack::Utils do
+ end
+
+ should "build query strings correctly" do
+- Rack::Utils.build_query("foo" => "bar").should.equal "foo=bar"
++ Rack::Utils.build_query("foo" => "bar").should.be equal_query_to("foo=bar")
+ Rack::Utils.build_query("foo" => ["bar", "quux"]).
+- should.equal "foo=bar&foo=quux"
++ should.be equal_query_to("foo=bar&foo=quux")
+ Rack::Utils.build_query("foo" => "1", "bar" => "2").
+- should.equal "foo=1&bar=2"
++ should.be equal_query_to("foo=1&bar=2")
+ Rack::Utils.build_query("my weird field" => "q1!2\"'w$5&7/z8)?").
+- should.equal "my+weird+field=q1%212%22%27w%245%267%2Fz8%29%3F"
++ should.be equal_query_to("my+weird+field=q1%212%22%27w%245%267%2Fz8%29%3F")
+ end
+
+ should "build nested query strings correctly" do
+@@ -149,9 +158,9 @@ describe Rack::Utils do
+ Rack::Utils.build_nested_query("foo" => "bar").should.equal "foo=bar"
+
+ Rack::Utils.build_nested_query("foo" => "1", "bar" => "2").
+- should.equal "foo=1&bar=2"
++ should.be equal_query_to("foo=1&bar=2")
+ Rack::Utils.build_nested_query("my weird field" => "q1!2\"'w$5&7/z8)?").
+- should.equal "my+weird+field=q1%212%22%27w%245%267%2Fz8%29%3F"
++ should.be equal_query_to("my+weird+field=q1%212%22%27w%245%267%2Fz8%29%3F")
+
+ Rack::Utils.build_nested_query("foo" => [nil]).
+ should.equal "foo[]"
+--
+1.7.7.5
+
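Review bot: The `equal_query_to` helper at `lambda{|other| (parts & other.split('&')) == parts }` only verifies that every expected pair appears in the output; it still passes when `build_query` emits extra or duplicated pairs, because `Array#&` drops anything not in `parts` and collapses duplicates. Comparing sorted arrays keeps the order-insensitivity the patch wants while restoring strict equality: `lambda { |other| other.split('&').sort == parts.sort }`. The helper and all its call sites are fully within this hunk.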
diff --git a/rubygem-rack.spec b/rubygem-rack.spec
index 6d79524..936d246 100644
--- a/rubygem-rack.spec
+++ b/rubygem-rack.spec
@@ -7,12 +7,17 @@ Summary: Common API for connecting web frameworks, web servers and layers
# Introduce Epoch (related to bug 552972)
Epoch: 1
Version: 1.3.0
-Release: 1%{?dist}
+Release: 2%{?dist}
Group: Development/Languages
License: MIT
URL: http://rubyforge.org/projects/%{gemname}/
Source0: http://gems.rubyforge.org/gems/%{gemname}-%{version}.gem
-
+# These patches fix the test failures with Ruby 1.8.7-p357 and are already
+# proposed upstream: https://github.com/rack/rack/pull/298
+Patch0: rubygem-rack-%{version}-test-object-which-responds-to-each.patch
+Patch1: rubygem-rack-%{version}-tests-now-accept-different-query-orders.patch
+# CVE-2011-5036
+Patch2: rubygem-rack-%{version}-limit-the-size-of-parameter-keys.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: rubygems
Requires: ruby(abi) = 1.8
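Review bot: The `# CVE-2011-5036` comment above `Patch2` would help the next packager decide whether a rebase still needs it if it named the upstream change the patch header itself carries; for example `# CVE-2011-5036 (parameter-key flooding): backport of upstream commit 5b9d09a81a9f`. The pull-request URL above `Patch0`/`Patch1` does not cover `Patch2`, so readers currently have to open the patch file to find its provenance.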
@@ -26,14 +31,24 @@ Rack provides a common API for connecting web frameworks,
web servers and layers of software in between
%prep
+%setup -q -c -T
+mkdir -p .%{gemdir}
+gem install --local --install-dir .%{gemdir} \
+ --force %{SOURCE0}
+
+pushd .%{geminstdir}
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
+popd
%build
%install
rm -rf %{buildroot}
mkdir -p %{buildroot}%{gemdir}
-gem install --local --install-dir %{buildroot}/%{gemdir} \
- --force %{SOURCE0}
+cp -a .%{gemdir}/* \
+ %{buildroot}%{gemdir}/
# Remove backup files
find %{buildroot}/%{geminstdir} -type f -name "*~" -delete
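Review bot: Patching after `gem install` in `%prep` fixes the files under `.%{geminstdir}`, but `cp -a .%{gemdir}/*` in `%install` also copies `cache/%{gemname}-%{version}.gem`, which is still the unpatched upstream archive; if that file is packaged, `gem pristine rack` on an installed system would silently restore the parser without the CVE-2011-5036 limit. Consider `rm -rf %{buildroot}%{gemdir}/cache/` after the copy, or a comment explaining why the unpatched gem is shipped. The `%files` list that decides this is not visible in this hunk, so confirm against it.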
@@ -57,7 +72,7 @@ find %{buildroot}/%{geminstdir} -type f -perm /g+wx -exec chmod -v g-w {} \;
# Find files that are not readable
find %{buildroot}/%{geminstdir} -type f ! -perm /go+r -exec chmod -v go+r {} \;
-# Move %{gemdir}/bin/rackup to %{_bindir}
+# Move %%{gemdir}/bin/rackup to %%{_bindir}
mkdir -p %{buildroot}/%{_bindir}
mv %{buildroot}/%{gemdir}/bin/rackup %{buildroot}/%{_bindir}
rm -rf %{buildroot}/%{gemdir}/bin/
@@ -90,6 +105,11 @@ popd
%{gemdir}/specifications/%{gemname}-%{version}.gemspec
%changelog
+* Thu Jan 05 2012 Bohuslav Kabrda <bkabrda at redhat.com> - 1:1.3.0-2
+- Moved gem install to %%prep to be able to apply patches.
+- Applied two patches that fix test failures with Ruby 1.8.7-p357.
+- Applied backported security fix for CVE-2011-5036.
+
* Tue Jun 28 2011 Vít Ondruch <vondruch at redhat.com> - 1:1.3.0-1
- Updated to Rack 1.3.
- Fixed FTBFS.