Package: ruby-rack-protection / 1.5.3-2+deb9u1

Metadata

Package: ruby-rack-protection
Version: 1.5.3-2+deb9u1
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
rpsec3 port.patch

spec/authenticity_token_spec.rb | 16 8 + 8 - 0 !
spec/base_spec.rb | 12 6 + 6 - 0 !
spec/escaped_params_spec.rb | 8 4 + 4 - 0 !
spec/form_token_spec.rb | 12 6 + 6 - 0 !
spec/frame_options_spec.rb | 10 5 + 5 - 0 !
spec/http_origin_spec.rb | 8 4 + 4 - 0 !
spec/ip_spoofing_spec.rb | 10 5 + 5 - 0 !
spec/json_csrf_spec.rb | 16 8 + 8 - 0 !
spec/path_traversal_spec.rb | 8 4 + 4 - 0 !
spec/protection_spec.rb | 28 14 + 14 - 0 !
spec/remote_referrer_spec.rb | 10 5 + 5 - 0 !
spec/remote_token_spec.rb | 14 7 + 7 - 0 !
spec/session_hijacking_spec.rb | 14 7 + 7 - 0 !
spec/spec_helper.rb | 13 7 + 6 - 0 !
spec/xss_header_spec.rb | 18 9 + 9 - 0 !
15 files changed, 99 insertions(+), 98 deletions(-)

 port tests to rspec 3 syntax (partially)
CVE 2018 1000119.patch

lib/rack/protection/base.rb | 5 5 + 0 - 0 !
rib/rack/protection/authenticity_token.rb | 4 2 + 2 - 0 !
2 files changed, 7 insertions(+), 2 deletions(-)

 [patch] use secure_compare when checking csrf token

Since string comparisons may return early we want to use a constant
time comparison function to protect the CSRF token against timing
attacks. Rack::Utils provides such a function.