Instiki 0.17.2: Security Release

This release upgrades Instiki to Rails 2.3.4, which patches two security holes in Rails. See http://weblog.rubyonrails.org/2009/9/4/ruby-on-rails-2-3-4 There are also some new features, and the usual boatload of bugfixes. See the CHANGELOG for details.
2009-09-05 02:01:46 -05:00 · 2009-09-05 02:01:46 -05:00 · 4bdf703ab2
commit 4bdf703ab2
parent 34c4306867
211 changed files with 3959 additions and 1325 deletions
--- a/vendor/rails/activeresource/lib/active_resource/connection.rb
+++ b/vendor/rails/activeresource/lib/active_resource/connection.rb
@ -26,6 +26,14 @@ module ActiveResource
    def to_s; @message ;end
  end

+  # Raised when a OpenSSL::SSL::SSLError occurs.
+  class SSLError < ConnectionError
+    def initialize(message)
+      @message = message
+    end
+    def to_s; @message ;end
+  end
+
  # 3xx Redirection
  class Redirection < ConnectionError # :nodoc:
    def to_s; response['Location'] ? "#{super} => #{response['Location']}" : super; end
@ -49,6 +57,9 @@ module ActiveResource
  # 409 Conflict
  class ResourceConflict < ClientError; end # :nodoc:

+  # 410 Gone
+  class ResourceGone < ClientError; end # :nodoc:
+
  # 5xx Server Error
  class ServerError < ConnectionError; end # :nodoc:

@ -67,10 +78,11 @@ module ActiveResource
    HTTP_FORMAT_HEADER_NAMES = {  :get => 'Accept',
      :put => 'Content-Type',
      :post => 'Content-Type',
-      :delete => 'Accept'
+      :delete => 'Accept',
+      :head => 'Accept'
    }

-    attr_reader :site, :user, :password, :timeout
+    attr_reader :site, :user, :password, :timeout, :proxy, :ssl_options
    attr_accessor :format

    class << self
@ -95,7 +107,12 @@ module ActiveResource
      @password = URI.decode(@site.password) if @site.password
    end

-    # Set user for remote service.
+    # Set the proxy for remote service.
+    def proxy=(proxy)
+      @proxy = proxy.is_a?(URI) ? proxy : URI.parse(proxy)
+    end
+
+    # Set the user for remote service.
    def user=(user)
      @user = user
    end
@ -110,6 +127,11 @@ module ActiveResource
      @timeout = timeout
    end

+    # Hash of options applied to Net::HTTP instance when +site+ protocol is 'https'.
+    def ssl_options=(opts={})
+      @ssl_options = opts
+    end
+
    # Execute a GET request.
    # Used to get (find) resources.
    def get(path, headers = {})
@ -137,7 +159,7 @@ module ActiveResource
    # Execute a HEAD request.
    # Used to obtain meta-information about resources, such as whether they exist and their size (via response headers).
    def head(path, headers = {})
-      request(:head, path, build_request_headers(headers))
+      request(:head, path, build_request_headers(headers, :head))
    end


@ -151,6 +173,8 @@ module ActiveResource
        handle_response(result)
      rescue Timeout::Error => e
        raise TimeoutError.new(e.message)
+      rescue OpenSSL::SSL::SSLError => e
+        raise SSLError.new(e.message)
      end

      # Handles response and error codes from remote service.
@ -172,6 +196,8 @@ module ActiveResource
            raise(MethodNotAllowed.new(response))
          when 409
            raise(ResourceConflict.new(response))
+          when 410
+            raise(ResourceGone.new(response))
          when 422
            raise(ResourceInvalid.new(response))
          when 401...500
@ -186,10 +212,49 @@ module ActiveResource
      # Creates new Net::HTTP instance for communication with
      # remote service and resources.
      def http
-        http             = Net::HTTP.new(@site.host, @site.port)
-        http.use_ssl     = @site.is_a?(URI::HTTPS)
-        http.verify_mode = OpenSSL::SSL::VERIFY_NONE if http.use_ssl
-        http.read_timeout = @timeout if @timeout # If timeout is not set, the default Net::HTTP timeout (60s) is used.
+        configure_http(new_http)
+      end
+
+      def new_http
+        if @proxy
+          Net::HTTP.new(@site.host, @site.port, @proxy.host, @proxy.port, @proxy.user, @proxy.password)
+        else
+          Net::HTTP.new(@site.host, @site.port)
+        end
+      end
+
+      def configure_http(http)
+        http = apply_ssl_options(http)
+
+        # Net::HTTP timeouts default to 60 seconds.
+        if @timeout
+          http.open_timeout = @timeout
+          http.read_timeout = @timeout
+        end
+
+        http
+      end
+
+      def apply_ssl_options(http)
+        return http unless @site.is_a?(URI::HTTPS)
+
+        http.use_ssl     = true
+        http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+        return http unless defined?(@ssl_options)
+
+        http.ca_path     = @ssl_options[:ca_path] if @ssl_options[:ca_path]
+        http.ca_file     = @ssl_options[:ca_file] if @ssl_options[:ca_file]
+
+        http.cert        = @ssl_options[:cert] if @ssl_options[:cert]
+        http.key         = @ssl_options[:key]  if @ssl_options[:key]
+
+        http.cert_store  = @ssl_options[:cert_store]  if @ssl_options[:cert_store]
+        http.ssl_timeout = @ssl_options[:ssl_timeout] if @ssl_options[:ssl_timeout]
+
+        http.verify_mode     = @ssl_options[:verify_mode]     if @ssl_options[:verify_mode]
+        http.verify_callback = @ssl_options[:verify_callback] if @ssl_options[:verify_callback]
+        http.verify_depth    = @ssl_options[:verify_depth]    if @ssl_options[:verify_depth]
+
        http
      end