==> debian/source/lintian-overrides <==
ruby-openid source: duplicate-long-description libopenid-ruby libopenid-ruby1.8
ruby-openid source: duplicate-short-description libopenid-ruby libopenid-ruby1.8

==> debian/source/format <==
3.0 (quilt)

==> debian/README.source <==
The tarball is repacked by debian/repack.sh, which is called automatically
from uscan.

Patches to the upstream source are applied during build from debian/patches/.
Use "make -f debian/rules apply-patches" to apply them and
"make -f debian/rules reverse-patches" to unapply them. You can use
cdbs-edit-patch(1) to edit these patches.

==> debian/rules <==
#!/usr/bin/make -f

#export DH_VERBOSE=1
#
# Uncomment to ignore all test failures (but the tests will run anyway)
#export DH_RUBY_IGNORE_TESTS=all
#
# Uncomment to ignore some test failures (but the tests will run anyway).
# Valid values:
#export DH_RUBY_IGNORE_TESTS=ruby1.8 ruby1.9.1 require-rubygems
#
# If you need to specify the .gemspec (eg there is more than one)
#export DH_RUBY_GEMSPEC=gem.gemspec

%:
	dh $@ --buildsystem=ruby --with ruby

==> debian/ruby-openid.lintian-overrides <==
# The example files ship with prototype.js. We override the fact as it
# is in /usr/share/doc and we don't want to depend on libjs-prototype
ruby-openid: embedded-javascript-library

==> debian/ruby-openid.docs <==
README

==> debian/copyright <==
Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: ruby-openid
Source: http://www.openidenabled.com/ruby-openid/
Comment: the source has been repacked to remove the convenience copy of the
 hmac Ruby library under lib/hmac, which can be provided on Debian systems by
 the ruby-hmac package.

Files: *
Copyright: 2006-2008 by JanRain, Inc.
License: Apache-2.0

Files: lib/openid/yadis/htmltokenizer.rb
Copyright: 2004 Ben Giddings
License: Ruby or GPL-2

Files: examples/rails_openid/public/javascripts/*.js
Copyright: 2005-2008, Thomas Fuchs (http://script.aculo.us, http://mir.aculo.us)
License: Expat

Files: examples/rails_openid/public/javascripts/prototype.js
Copyright: 2005, Sam Stephenson
License: Expat
Comment: License referred to as MIT license.

Files: debian/*
Copyright: 2007 Antonio Terceiro
           2012 Cédric Boutillier
           2012 Paul van Tilburg
License: Apache-2.0

License: Apache-2.0
 On Debian systems, the full text of the Apache License 2.0 can be found at
 /usr/share/common-licenses/Apache-2.0.

License: Expat
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the “Software”), to deal
 in the Software without restriction, including without limitation the rights
 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
 .
 The above copyright notice and this permission notice shall be included in
 all copies or substantial portions of the Software.
 .
 THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.

License: GPL-2
 This program is free software; you can redistribute it and/or modify it
 under the terms of the GNU General Public License Version 2 as published by
 the Free Software Foundation.
 .
 This program is distributed in the hope that it will be useful, but WITHOUT
 ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
 FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
 details.
 .
 You should have received a copy of the GNU General Public License along with
 this program; if not, write to the Free Software Foundation, Inc., 51
 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
 .
 On Debian systems, the full text of the GNU General Public License version 2
 can be found in the file `/usr/share/common-licenses/GPL-2'.

License: Ruby
 You can redistribute it and/or modify it under either the terms of the GPL,
 or the conditions below:
 .
 1. You may make and give away verbatim copies of the source form of the
    software without restriction, provided that you duplicate all of the
    original copyright notices and associated disclaimers.
 .
 2. You may modify your copy of the software in any way, provided that
    you do at least ONE of the following:
 .
    a) place your modifications in the Public Domain or otherwise make them
       Freely Available, such as by posting said modifications to Usenet or
       an equivalent medium, or by allowing the author to include your
       modifications in the software.
 .
    b) use the modified software only within your corporation or
       organization.
 .
    c) rename any non-standard executables so the names do not conflict
       with standard executables, which must also be provided.
 .
    d) make other distribution arrangements with the author.
 .
 3. You may distribute the software in object code or executable form,
    provided that you do at least ONE of the following:
 .
    a) distribute the executables and library files of the software,
       together with instructions (in the manual page or equivalent) on
       where to get the original distribution.
 .
    b) accompany the distribution with the machine-readable source of the
       software.
 .
    c) give non-standard executables non-standard names, with instructions
       on where to get the original software distribution.
 .
    d) make other distribution arrangements with the author.
 .
 4. You may modify and include the part of the software into any other
    software (possibly commercial). But some files in the distribution
    are not written by the author, so that they are not under this terms.
 .
    They are gc.c(partly), utils.c(partly), regex.[ch], st.[ch] and some
    files under the ./missing directory. See each file for the copying
    condition.
 .
 5. The scripts and library files supplied as input to or produced as
    output from the software do not automatically fall under the
    copyright of the software, but belong to whomever generated them,
    and may be sold commercially, and may be aggregated with this
    software.
 .
 6. THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR
    IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
    WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
==> debian/repack.sh <==
#!/bin/sh
# Repackage upstream source to exclude non-distributable files
# should be called as "repack.sh --upstream-source
# (for example, via uscan)

set -e
set -u

# uscan passes the upstream version as $2 and the downloaded tarball as $3
VER="$2debian"
FILE="$3"
PKG=`dpkg-parsechangelog|grep ^Source:|sed 's/^Source: //'`

REPACK_DIR="$PKG-$VER.orig" # DevRef § 6.7.8.2

# printf rather than "echo -e": /bin/sh (dash) has no -e option
printf '\nRepackaging %s\n\n' "$FILE"

DIR=`mktemp -d ./tmpRepackXXXXXX`
trap "rm -rf \"$DIR\"" QUIT INT EXIT

# Create an extra directory to cope with rootless tarballs
UP_BASE="$DIR/unpack"
mkdir "$UP_BASE"
tar xzf "$FILE" -C "$UP_BASE"

if [ `ls -1 "$UP_BASE" | wc -l` -eq 1 ]; then
	# Tarball does contain a root directory
	UP_BASE="$UP_BASE/`ls -1 "$UP_BASE"`"
fi

## Remove stuff
# The bundled hmac copy is replaced by the ruby-hmac package (see debian/copyright)
rm -vfr "$UP_BASE/lib/hmac"
## End

mv "$UP_BASE" "$DIR/$REPACK_DIR"

# Using a pipe hides tar errors!
tar cfC "$DIR/repacked.tar" "$DIR" "$REPACK_DIR"
gzip -9 < "$DIR/repacked.tar" > "$DIR/repacked.tar.gz"

RESULTING_FILE="$(dirname "$FILE")/${PKG}_${VER}.orig.tar.gz"
mv "$DIR/repacked.tar.gz" "$RESULTING_FILE"
rm -f "$FILE"

echo "*** $FILE repackaged"
echo "*** Please note that the upstream version must be $VER since we are repackaging the tarball!"
==> debian/control <==
Source: ruby-openid
Section: ruby
Priority: optional
Maintainer: Debian Ruby Extras Maintainers
Uploaders: Cédric Boutillier, Paul van Tilburg
DM-Upload-Allowed: yes
Build-Depends: debhelper (>= 7.0.50~), gem2deb (>= 0.3.0~)
Standards-Version: 3.9.3
Vcs-Git: git://git.debian.org/pkg-ruby-extras/ruby-openid.git
Vcs-Browser: http://git.debian.org/?p=pkg-ruby-extras/ruby-openid.git;a=summary
Homepage: http://github.com/openid/ruby-openid
XS-Ruby-Versions: all

Package: ruby-openid
Architecture: all
XB-Ruby-Versions: ${ruby:Versions}
Depends: ${shlibs:Depends}, ${misc:Depends}, ruby | ruby-interpreter, ruby-hmac
Replaces: libopenid-ruby (<< 2.1.8-1~), libopenid-ruby1.8 (<< 2.1.8-1~)
Breaks: libopenid-ruby (<< 2.1.8-1~), libopenid-ruby1.8 (<< 2.1.8-1~)
Provides: libopenid-ruby, libopenid-ruby1.8
Description: Ruby library for verifying and serving OpenID identities
 Ruby OpenID makes it easy to add OpenID authentication to your web
 applications. This library is a port of the Python OpenID library, and
 features:
 .
  * API for verifying OpenID identities (OpenID::Consumer)
  * API for serving OpenID identities (OpenID::Server)
  * Consumer and server support for extensions, including simple registration
  * Yadis 1.0 and OpenID 1.0 service discovery, including server fallback
  * Does not depend on underlying web framework
  * Multiple storage implementations (Filesystem, SQL)
  * Comprehensive test suite
  * Example code to help you get started, including:
    - WEBrick based consumer
    - Ruby on rails based server
    - OpenIDLoginGenerator for quickly creating a rails app that uses OpenID
      for authentication
    - ActiveRecord adapter for using an SQL store in rails

Package: libopenid-ruby
Section: oldlibs
Priority: extra
Architecture: all
Depends: ${misc:Depends}, ruby-openid
Description: Transitional package for ruby-openid
 This is a transitional package to ease upgrades to the ruby-openid package.
 It can safely be removed.

Package: libopenid-ruby1.8
Section: oldlibs
Priority: extra
Architecture: all
Depends: ${misc:Depends}, ruby-openid
Description: Transitional package for ruby-openid
 This is a transitional package to ease upgrades to the ruby-openid package.
 It can safely be removed.

==> debian/changelog <==
ruby-openid (2.1.8debian-6) unstable; urgency=high

  * Urgency set to high as a security bug is fixed.
  * debian/patches:
    - add 02_fix_CVE-2013-1812.patch from upstream: limit fetching file size
      and disable XML entity expansion. [CVE-2013-1812] (Closes: #702217).

 -- Cédric Boutillier  Wed, 06 Mar 2013 11:56:30 +0100

ruby-openid (2.1.8debian-5) unstable; urgency=low

  * Bump build dependency on gem2deb to >= 0.3.0~

 -- Cédric Boutillier  Tue, 26 Jun 2012 14:32:34 +0200

ruby-openid (2.1.8debian-4) unstable; urgency=low

  * debian/control: added missing/lost depend on ruby-hmac.

 -- Paul van Tilburg  Sun, 20 May 2012 14:47:25 +0200

ruby-openid (2.1.8debian-3) unstable; urgency=low

  * Added missing files and license paragraphs to debian/copyright for
    examples/rails_openid/public/javascripts/*.js.
  * Override lintian warnings about duplicate description for transitional
    packages.

 -- Paul van Tilburg  Sat, 19 May 2012 13:37:34 +0200

ruby-openid (2.1.8debian-2) unstable; urgency=low

  [ Paul van Tilburg ]
  * Use different source via uscan/the watch file; reapplied repack.
  * Source packages adapted according to the new Ruby policy:
    - Build for both ruby1.8 and ruby1.9.1.
    - Migrated to pkg-ruby-extras git repos. Changed the Vcs-* fields in
      debian/control accordingly.
    - Changed the depends and recommends to follow the new Ruby library
      naming scheme.
  * debian/control:
    - Added a default DM-Upload-Allowed field set to yes.
    - Standards-Version bumped to 3.9.3; no changes required.
    - Set XS-Ruby-Versions to all.
    - Changed the build-depends for using gem2deb instead of ruby-pkg-tools.
    - Switched the maintainer with the uploaders field as per new convention
      the team is the default maintainer.
    - Added myself to the uploaders.
    - Added libopenid-ruby and libopenid-ruby1.8 as transitional packages.
  * debian/patches:
    - Removed patch use-system-installed-hmac as the new upstream source
      tries to require ruby-hmac first.
    - Added patch 01_remove_rubygems_require.diff to remove requires of
      rubygems.
  * debian/ruby-openid.lintian-overrides: override the
    embedded-javascript-library warning as we don't want to add a depend on
    libjs-prototype.

  [ Cédric Boutillier ]
  * Convert debian/copyright to Debian copyright format version 1.0.

 -- Paul van Tilburg  Thu, 17 May 2012 17:00:39 +0200

libopenid-ruby (2.1.8debian-1) unstable; urgency=low

  [ Lucas Nussbaum ]
  * debian/control:
    - Added Vcs-* fields.

  [ Paul van Tilburg ]
  * debian/control:
    - Bumped standards-version to 3.8.4; no changes required.
    - Added quilt to the build-depends.
  * debian/patches:
    - Restructured to suit quilt.
  * debian/rules:
    - Replaced simple-patchsys.mk by patchsys-quilt.mk.
  * debian/source/format:
    - Set the 3.0 (quilt) format for now.

  [ Antonio Terceiro ]
  * debian/repack.sh:
    - Fix location of repackaged tarball
    - Remove original tarball after repackaging, but keep the originally
      downloaded file.

 -- Antonio Terceiro  Sun, 11 Apr 2010 20:59:44 -0300

libopenid-ruby (2.1.7debian-1) unstable; urgency=low

  * new upstream release
  * Debian Policy 3.8.2

 -- Ryan Niebur  Thu, 09 Jul 2009 03:48:04 -0700

libopenid-ruby (2.1.6debian-1) unstable; urgency=low

  [ Gunnar Wolf ]
  * Changed section to Ruby as per ftp-masters' request

  [ Ryan Niebur ]
  * new upstream release
  * add a repack script to do the repacking
  * remove debian/README.Debian-sources, the script takes care of it now
  * add dversionmangle
  * add README.source
  * add myself to Uploaders
  * depend on misc:Depends
  * Debian Policy 3.8.1

 -- Ryan Niebur  Wed, 29 Apr 2009 17:22:20 -0700

libopenid-ruby (2.1.2debian-1) unstable; urgency=low

  * debian/patches/01-use-rubygems-correctly.diff: removed (already fixed
    by upstream)
  * debian/patches/10-use-locally-installed-hmac.diff: fix references in
    upstream source to use system-installed ruby-hmac library instead of
    its locally-bundled (which was removed from the upstream tarball). The
    files in the pristine tarball are identical to the ones provided by
    libhmac-ruby.
  * debian/rules:
    + do not remove hmac by hand anymore. Instead, test that they are not
      there (they should be removed from tarball).
    + do not compress Javascript, Ruby and ERB files in examples.
  * added debian/README.Debian-sources explaining the process to obtain a
    tarball from upstream's pristine one.
  * debian/control:
    + removed dependency on libyadis-ruby1.8, since it is now being
      maintained inside openid itself. (libyadis-ruby must be removed from
      the archive, then).
    + bumped standards version to 3.8.0. No changes needed.
    + mentioned documentation and examples in description for
      libopenid-ruby.

 -- Antonio Terceiro  Sat, 19 Jul 2008 21:01:37 -0300

libopenid-ruby (1.1.4-3) unstable; urgency=low

  * debian/watch: pick only tarballs with an actual version number on the
    name.
  * debian/TODO: removed
  * debian/patches/01-use-rubygems-correctly.diff: fix usage of deprecated
    rubygems 'require_gem'. (Closes: #470282)
  * debian/libopenid-ruby.overrides: removed. It seems that lintian won't
    complain about the empty files in the examples anymore.
  * debian/libopenid-ruby.dirs: removed (contained only the overrides dir)

 -- Antonio Terceiro  Thu, 13 Mar 2008 12:23:53 -0300

libopenid-ruby (1.1.4-2) unstable; urgency=low

  [ Antonio Terceiro ]
  * debian/copyright: listing copyright information for every source file
    to which it's available. Thanks to Joerg Jaspert for pointing this out
    on behalf of the ftpmaster team.
  * debian/rules:
    * remove hmac files already provided by libhmac-ruby package on
      install target
    * installing documentation on Ruby-version-independent package
  * debian/watch: pointing to upstream's new tarball location
  * debian/control: added "XS-Dm-Upload-Allowed: yes" to allow Debian
    Maintainers to upload this package.

  [ Paul van Tilburg ]
  * Added Vcs-* fields.
  * Bumped the standards version to 3.7.3; no changes required.

  [ Antonio Terceiro ]
  * upstream's examples contain empty files: added lintian overrides so
    lintian does not keep reminding us of this fact.
-- Antonio Terceiro Fri, 21 Dec 2007 15:06:08 -0300 libopenid-ruby (1.1.4-1) unstable; urgency=low * Initial release (Closes: #419778) -- Antonio Terceiro Tue, 17 Apr 2007 20:00:36 -0300 debian/patches/0000755000000000000000000000000012115634220010611 5ustar debian/patches/02_fix_CVE-2013-1812.patch0000644000000000000000000000725212115621103014374 0ustar Description: limit fetching file size & disable XML entity expansion This prevents possible XML denial of service attacks [CVE-2013-1812] Author: nov matake Origin: https://github.com/openid/ruby-openid/commit/a3693cef06049563f5b4e4824f4d3211288508ed Bug: https://github.com/openid/ruby-openid/pull/43 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702217 Reviewed-by: Cédric Boutillier Last-Update: 2012-10-23 --- lib/openid/fetchers.rb | 17 ++++++++++++++--- lib/openid/yadis/xrds.rb | 34 ++++++++++++++++++++++------------ 2 files changed, 36 insertions(+), 15 deletions(-) --- a/lib/openid/fetchers.rb +++ b/lib/openid/fetchers.rb @@ -10,7 +10,7 @@ require 'net/http' end -MAX_RESPONSE_KB = 1024 +MAX_RESPONSE_KB = 10485760 # 10 MB (can be smaller, I guess) module Net class HTTP @@ -192,6 +192,16 @@ conn = make_connection(url) response = nil + whole_body = '' + body_size_limitter = lambda do |r| + r.read_body do |partial| # read body now + whole_body << partial + if whole_body.length > MAX_RESPONSE_KB + raise FetchingError.new("Response Too Large") + end + end + whole_body + end response = conn.start { # Check the certificate against the URL's hostname if supports_ssl?(conn) and conn.use_ssl? 
@@ -199,13 +209,12 @@ end if body.nil? - conn.request_get(url.request_uri, headers) + conn.request_get(url.request_uri, headers, &body_size_limitter) else headers["Content-type"] ||= "application/x-www-form-urlencoded" - conn.request_post(url.request_uri, body, headers) + conn.request_post(url.request_uri, body, headers, &body_size_limitter) end } - setup_encoding(response) rescue Timeout::Error => why raise FetchingError, "Error fetching #{url}: #{why}" rescue RuntimeError => why @@ -232,7 +241,10 @@ raise FetchingError, "Error encountered in redirect from #{url}: #{why}" end else - return HTTPResponse._from_net_response(response, unparsed_url) + response = HTTPResponse._from_net_response(response, unparsed_url) + response.body = whole_body + setup_encoding(response) + return response end end --- a/lib/openid/yadis/xrds.rb +++ b/lib/openid/yadis/xrds.rb 
@@ -88,23 +88,33 @@ end def Yadis::parseXRDS(text) - if text.nil? - raise XRDSError.new("Not an XRDS document.") - end + disable_entity_expansion do + if text.nil? + raise XRDSError.new("Not an XRDS document.") + end - begin - d = REXML::Document.new(text) - rescue RuntimeError => why - raise XRDSError.new("Not an XRDS document. Failed to parse XML.") - end + begin + d = REXML::Document.new(text) + rescue RuntimeError => why + raise XRDSError.new("Not an XRDS document. Failed to parse XML.") + end - if is_xrds?(d) - return d - else - raise XRDSError.new("Not an XRDS document.") + if is_xrds?(d) + return d + else + raise XRDSError.new("Not an XRDS document.") + end end end + def Yadis::disable_entity_expansion + _previous_ = REXML::Document::entity_expansion_limit + REXML::Document::entity_expansion_limit = 0 + yield + ensure + REXML::Document::entity_expansion_limit = _previous_ + end + def Yadis::is_xrds?(xrds_tree) xrds_root = xrds_tree.root return (!xrds_root.nil? and debian/patches/series0000644000000000000000000000007312115634207012033 0ustar 01_remove_rubygems_require.diff 02_fix_CVE-2013-1812.patch debian/patches/01_remove_rubygems_require.diff0000644000000000000000000000166012111135600016706 0ustar Description: Remove rubygems require statements Author: Paul van Tilburg Origin: vendor Forwarded: not-needed Last-Updated: 2012-05-19 --- This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ --- a/admin/runtests.rb +++ b/admin/runtests.rb @@ -8,7 +8,6 @@ require 'test/unit/ui/console/testrunner' begin - require 'rubygems' require 'memcache' rescue LoadError else --- a/examples/active_record_openid_store/init.rb +++ b/examples/active_record_openid_store/init.rb @@ -1,8 +1,2 @@ -# might using the ruby-openid gem -begin - require 'rubygems' -rescue LoadError - nil -end require 'openid' require 'openid_ar_store' --- a/examples/rails_openid/config/boot.rb +++ b/examples/rails_openid/config/boot.rb 
@@ -12,7 +12,6 @@ if File.directory?("#{RAILS_ROOT}/vendor/rails") require "#{RAILS_ROOT}/vendor/rails/railties/lib/initializer" else - require 'rubygems' require 'initializer' end debian/ruby-openid.examples0000644000000000000000000000001312111135600013143 0ustar examples/* debian/watch0000644000000000000000000000026212111135600010205 0ustar version=3 options="dversionmangle=s/debian//" \ http://pkg-ruby-extras.alioth.debian.org/cgi-bin/gemwatch/ruby-openid .*/ruby-openid-(.*).tar.gz \ debian sh debian/repack.sh debian/compat0000644000000000000000000000000212111135600010352 0ustar 7
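Review bot: in the `MAX_RESPONSE_KB` hunk of 02_fix_CVE-2013-1812.patch the new value is a byte count (10485760 is 10 MiB), yet the constant keeps its `_KB` suffix and is later compared against `whole_body.length`, which is not in kilobytes either; either rename it (`MAX_RESPONSE_BYTES = 10 * 1024 * 1024`) or keep the KB unit and multiply at the comparison. The comment `# 10 MB (can be smaller, I guess)` should also record why 10 MB was chosen rather than leave it as a guess, since this cap is the entire mitigation on the fetcher side.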
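Review bot: in the `body_size_limitter` lambda (hunk `@@ -192,6 +192,16 @@`) the size check runs after `whole_body << partial`, so the buffer can grow past the limit by up to one chunk before `FetchingError` is raised; testing `whole_body.bytesize + partial.bytesize > MAX_RESPONSE_KB` before appending keeps the cap strict. `String#length` is also a character count on Ruby 1.9 (which the changelog says this package builds for), so `bytesize` is the right measure for a byte limit. Minor: `limitter` is misspelt (`limiter`).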
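Review bot: dropping `setup_encoding(response)` in hunk `@@ -199,13 +209,12 @@` is only safe because hunk `@@ -232,7 +241,10 @@` calls it again after `response.body = whole_body`; a short comment next to the `&body_size_limitter` arguments saying that the block consumes the body (so `response.body` no longer holds the text) would spare the next reader from having to read both hunks to see why the call moved.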
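Review bot: in the xrds.rb hunk, `disable_entity_expansion` restores the previous limit in its `ensure` as soon as `parseXRDS` returns the parsed document (`return d`), so the limit of 0 only covers expansion that happens inside `REXML::Document.new(text)`; if REXML expands entity references lazily when text values are read (as `Text#value` does through `Entity#unnormalized`), that expansion runs after the restore, under the original limit. Worth adding a test that parses a document with a nested entity definition and then reads a service element's text outside the block. Because `REXML::Document::entity_expansion_limit` is a class-level setting, any other thread parsing XML while this block runs also sees 0, and the `ensure` can overwrite a value another thread set in the meantime. Style: call the accessors with `.` rather than `::`, and `_previous_` reads better as `previous_limit`.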
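Review bot: the DEP-3 header of 01_remove_rubygems_require.diff uses `Last-Updated:`, whereas DEP-3 (and the sibling 02_fix_CVE-2013-1812.patch) spell the field `Last-Update:`, so header parsers will ignore it. The `Description:` could also say why dropping `require 'rubygems'` is safe for the remaining `require 'memcache'` and `require 'initializer'` lines in the three hunks, so the next reader does not have to work that out from the changelog.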