From: Michael Moll
Date: Mon, 1 Jun 2015 18:51:46 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org
Subject: svn commit: r388252 - in branches/2015Q2/www/rubygem-rest-client: . files

Author: mmoll
Date: Mon Jun 1 18:51:45 2015
New Revision: 388252
URL: https://svnweb.freebsd.org/changeset/ports/388252

Log:
  www/rubygem-rest-client: import two security fixes

  This is a direct commit to branches/2015Q2, as rubygem-rest-client was
  already updated to 1.8.0 in head.

  PR: 200504
  Differential Revision: https://reviews.freebsd.org/D2707
  Approved by: ports-secteam (delphij)
  Security: CVE-2015-1820
  Security: CVE-2015-3448

Added:
  branches/2015Q2/www/rubygem-rest-client/files/
  branches/2015Q2/www/rubygem-rest-client/files/patch-lib_restclient_abstract__response.rb (contents, props changed)
  branches/2015Q2/www/rubygem-rest-client/files/patch-lib_restclient_raw__response.rb (contents, props changed)
  branches/2015Q2/www/rubygem-rest-client/files/patch-lib_restclient_request.rb (contents, props changed)
  branches/2015Q2/www/rubygem-rest-client/files/patch-lib_restclient_response.rb (contents, props changed)
  branches/2015Q2/www/rubygem-rest-client/files/patch-rest-client.gemspec (contents, props changed)
Modified:
  branches/2015Q2/www/rubygem-rest-client/Makefile

Modified: branches/2015Q2/www/rubygem-rest-client/Makefile ============================================================================== --- branches/2015Q2/www/rubygem-rest-client/Makefile Mon Jun 1 18:44:14 2015 (r388251) +++ branches/2015Q2/www/rubygem-rest-client/Makefile Mon
Jun 1 18:51:45 2015 (r388252) @@ -3,13 +3,15 @@ PORTNAME= rest-client PORTVERSION= 1.6.7 +PORTREVISION= 1 CATEGORIES= www rubygems MASTER_SITES= RG MAINTAINER= renchap@cocoa-x.com COMMENT= Simple Simple HTTP and REST client for Ruby -RUN_DEPENDS= rubygem-mime-types>=1.16:${PORTSDIR}/misc/rubygem-mime-types +RUN_DEPENDS= rubygem-http-cookie>=1.0.2:${PORTSDIR}/www/rubygem-http-cookie \ + rubygem-mime-types>=1.16:${PORTSDIR}/misc/rubygem-mime-types USE_RUBY= yes USE_RUBYGEMS= yes Added: branches/2015Q2/www/rubygem-rest-client/files/patch-lib_restclient_abstract__response.rb ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2015Q2/www/rubygem-rest-client/files/patch-lib_restclient_abstract__response.rb Mon Jun 1 18:51:45 2015 (r388252) 
@@ -0,0 +1,94 @@ +--- lib/restclient/abstract_response.rb.orig 2015-06-01 12:01:41 UTC ++++ lib/restclient/abstract_response.rb +@@ -1,10 +1,11 @@ + require 'cgi' ++require 'http-cookie' + + module RestClient + + module AbstractResponse + +- attr_reader :net_http_res, :args ++ attr_reader :net_http_res, :args, :request + + # HTTP status code + def code +@@ -22,11 +23,36 @@ module RestClient + @raw_headers ||= @net_http_res.to_hash + end + ++ def response_set_vars(net_http_res, args, request) ++ @net_http_res = net_http_res ++ @args = args ++ @request = request ++ end ++ + # Hash of cookies extracted from response headers + def cookies +- @cookies ||= (self.headers[:set_cookie] || {}).inject({}) do |out, cookie_content| +- out.merge parse_cookie(cookie_content) ++ hash = {} ++ ++ cookie_jar.cookies.each do |cookie| ++ hash[cookie.name] = cookie.value + end ++ ++ hash ++ end ++ ++ # Cookie jar extracted from response headers. ++ # ++ # @return [HTTP::CookieJar] ++ # ++ def cookie_jar ++ return @cookie_jar if @cookie_jar ++ ++ jar = HTTP::CookieJar.new ++ headers.fetch(:set_cookie, []).each do |cookie| ++ jar.parse(cookie, @request.url) ++ end ++ ++ @cookie_jar = jar + end + + # Return the default behavior corresponding to the response code: +@@ -61,25 +87,28 @@ module RestClient + + # Follow a redirection + def follow_redirection request = nil, result = nil, & block ++ new_args = @args.dup ++ + url = headers[:location] + if url !~ /^http/ +- url = URI.parse(args[:url]).merge(url).to_s ++ url = URI.parse(request.url).merge(url).to_s + end +- args[:url] = url ++ new_args[:url] = url + if request + if request.max_redirects == 0 + raise MaxRedirectsReached + end +- args[:password] = request.password +- args[:user] = request.user +- args[:headers] = request.headers +- args[:max_redirects] = request.max_redirects - 1 +- # pass any cookie set in the result +- if result && result['set-cookie'] +- args[:headers][:cookies] = (args[:headers][:cookies] || 
{}).merge(parse_cookie(result['set-cookie'])) +- end ++ new_args[:password] = request.password ++ new_args[:user] = request.user ++ new_args[:headers] = request.headers ++ new_args[:max_redirects] = request.max_redirects - 1 ++ ++ # TODO: figure out what to do with original :cookie, :cookies values ++ new_args[:headers]['Cookie'] = HTTP::Cookie.cookie_value( ++ cookie_jar.cookies(new_args.fetch(:url))) + end +- Request.execute args, &block ++ ++ Request.execute(new_args, &block) + end + + def AbstractResponse.beautify_headers(headers) Added: branches/2015Q2/www/rubygem-rest-client/files/patch-lib_restclient_raw__response.rb ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2015Q2/www/rubygem-rest-client/files/patch-lib_restclient_raw__response.rb Mon Jun 1 18:51:45 2015 (r388252) @@ -0,0 +1,18 @@ +--- lib/restclient/raw_response.rb.orig 2015-06-01 12:01:41 UTC ++++ lib/restclient/raw_response.rb +@@ -13,12 +13,13 @@ module RestClient + + include AbstractResponse + +- attr_reader :file ++ attr_reader :file, :request + +- def initialize tempfile, net_http_res, args ++ def initialize(tempfile, net_http_res, args, request) + @net_http_res = net_http_res + @args = args + @file = tempfile ++ @request = request + end + + def to_s Added: branches/2015Q2/www/rubygem-rest-client/files/patch-lib_restclient_request.rb ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2015Q2/www/rubygem-rest-client/files/patch-lib_restclient_request.rb Mon Jun 1 18:51:45 2015 (r388252) 
@@ -0,0 +1,14 @@ +--- lib/restclient/request.rb.orig 2015-06-01 12:01:41 UTC ++++ lib/restclient/request.rb +@@ -219,9 +219,9 @@ module RestClient + def process_result res, & block + if @raw_response + # We don't decode raw requests +- response = RawResponse.new(@tf, res, args) ++ response = RawResponse.new(@tf, res, args, self) + else +- response = Response.create(Request.decode(res['content-encoding'], res.body), res, args) ++ response = Response.create(Request.decode(res['content-encoding'], res.body), res, args, self) + end + + if block_given? Added: branches/2015Q2/www/rubygem-rest-client/files/patch-lib_restclient_response.rb ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2015Q2/www/rubygem-rest-client/files/patch-lib_restclient_response.rb Mon Jun 1 18:51:45 2015 (r388252) @@ -0,0 +1,22 @@ +--- lib/restclient/response.rb.orig 2015-06-01 12:01:41 UTC ++++ lib/restclient/response.rb +@@ -6,17 +6,14 @@ module RestClient + + include AbstractResponse + +- attr_accessor :args, :body, :net_http_res +- + def body + self + end + +- def Response.create body, net_http_res, args ++ def self.create body, net_http_res, args, request + result = body || '' + result.extend Response +- result.net_http_res = net_http_res +- result.args = args ++ result.response_set_vars(net_http_res, args, request) + result + end + Added: branches/2015Q2/www/rubygem-rest-client/files/patch-rest-client.gemspec ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2015Q2/www/rubygem-rest-client/files/patch-rest-client.gemspec Mon Jun 1 18:51:45 2015 (r388252) 
@@ -0,0 +1,21 @@ +--- rest-client.gemspec.orig 2015-06-01 12:01:42 UTC ++++ rest-client.gemspec +@@ -24,15 +24,18 @@ Gem::Specification.new do |s| + + if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then + s.add_runtime_dependency(%q, [">= 1.16"]) ++ s.add_runtime_dependency(%q, [">= 1.0.2", "< 2.0"]) + s.add_development_dependency(%q, [">= 0.9.1"]) + s.add_development_dependency(%q, [">= 0"]) + else + s.add_dependency(%q, [">= 1.16"]) ++ s.add_dependency(%q, [">= 1.0.2", "< 2.0"]) + s.add_dependency(%q, [">= 0.9.1"]) + s.add_dependency(%q, [">= 0"]) + end + else + s.add_dependency(%q, [">= 1.16"]) ++ s.add_dependency(%q, [">= 1.0.2", "< 2.0"]) + s.add_dependency(%q, [">= 0.9.1"]) + s.add_dependency(%q, [">= 0"]) + end
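
Review bot: in the Makefile hunk, RUN_DEPENDS asks for rubygem-http-cookie>=1.0.2 with no ceiling, while files/patch-rest-client.gemspec declares the same dependency as ">= 1.0.2", "< 2.0", so the port's dependency can be satisfied by a version the gemspec rejects. Record the "< 2.0" limit next to RUN_DEPENDS, or state why the branch cannot pick up a 2.x http-cookie. The unchanged COMMENT line in the same hunk reads "Simple Simple HTTP and REST client for Ruby" and could lose the duplicated word.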
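
Review bot: in lib/restclient/abstract_response.rb (hunk @@ -22,11 +23,36 @@), cookie_jar calls jar.parse(cookie, @request.url) without checking that @request is set, so a response that was not built through response_set_vars or the new RawResponse#initialize raises NoMethodError on nil as soon as cookies is called with a Set-Cookie header present. Guard it, either by raising a descriptive error or by returning an empty jar when @request is nil. Note also that cookies was memoized with @cookies ||= before and now rebuilds the hash on each call, and because the hash is keyed on cookie.name alone, two cookies with the same name and different paths or domains collapse into one entry; a comment on the method should say so.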
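
Review bot: in follow_redirection (abstract_response.rb, hunk @@ -61,25 +87,28 @@), the relative-Location branch now does URI.parse(request.url) while the signature still defaults request = nil and the `if request` guard only comes afterwards, so a call without a request and a Location that does not start with http raises NoMethodError where the old args[:url] lookup worked. Use @request, which cookie_jar already relies on, or fall back to @args[:url]. Separately, new_args = @args.dup is a shallow copy and new_args[:headers] = request.headers assigns the request's own hash, so the following new_args[:headers]['Cookie'] = ... writes the Cookie header into the original request's headers; dup the headers before setting it. new_args[:user] and new_args[:password] are still copied to whatever host the Location header names, and the TODO about the original :cookie and :cookies values leaves those keys in the forwarded headers next to the new 'Cookie' entry; both deserve a follow-up or at least a tracked issue.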
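
Review bot: in lib/restclient/raw_response.rb, attr_reader :file, :request repeats the :request reader that the abstract_response.rb patch already adds to AbstractResponse, which RawResponse includes; keep attr_reader :file only. The new initialize also sets @net_http_res, @args and @request by hand where it could call response_set_vars(net_http_res, args, request), so the two response types stay in step if that method changes.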
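
Review bot: nothing in files/patch-lib_restclient_request.rb says which of the two CVEs named in the commit log the process_result change belongs to, and the same is true of the other patch files. A one-line comment at the top of each files/patch-* naming the CVE and the upstream change it was taken from would make the backport auditable later.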
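
Review bot: in lib/restclient/response.rb, dropping attr_accessor :args, :body, :net_http_res removes the public args= and net_http_res= writers, and self.create now takes a required fourth argument, so any caller that builds a Response itself breaks with only a PORTREVISION bump to signal it. Since this goes to a quarterly branch, mention the interface change in the commit log, or keep the writers and document that request is required for cookies to work.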