rest-client 1.8.0 released with security fixes

Andy Brody <andy@...>

Hi all,

Rest-client 1.8.0 is now available on GitHub and rubygems.org:

https://rubygems.org/gems/rest-client/versions/1.8.0
https://github.com/rest-client/rest-client/releases/tag/v1.8.0

This release fixes an issue with cookie processing that could lead to
session fixation or cookie disclosure attacks. This issue has been
assigned CVE-2015-1820, and was discovered by the rest-client team
following a similar issue affecting python-requests.

https://github.com/rest-client/rest-client/issues/369

The problematic behavior was introduced in rest-client 1.6.1: any
Set-Cookie headers present in an HTTP 30x redirection response are
blindly sent to the redirection target, regardless of domain, path,
expiration, or secure cookie settings. All subsequent 1.6.x and 1.7.x
releases are affected.

This issue could not be easily fixed without substantial changes to
rest-client's cookie processing. Rest-client now depends on the
http-cookie gem, which implements RFC 6265 compliant support for
cookies in a browser-like way.

As a result, the behavior of rest-client in 1.8.0 differs from
previous releases in that it now omits invalid or incorrectly targeted
cookies from the Response#cookies hash. While the new behavior is more
secure and standards compliant, this may break some use cases. Please
use `headers[:set_cookie]` on response objects to see the raw headers
if this is problematic.
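As an added illustration of the two behaviours described above (this is example code written for this page, not rest-client's or the http-cookie gem's own implementation), the following stand-alone Ruby cookie jar applies the RFC 6265 domain, path, Secure and expiry checks to the Set-Cookie headers of a redirect response before deciding which cookies may be sent to the redirect target, beside the pre-1.8.0 forwarding of every pair. The sample 302 response and URLs are constructed, and all function names (`store_cookies`, `cookie_header_for`, `naive_redirect_cookies`) are my own, not rest-client API.

```ruby
require 'uri'
require 'time'

# One stored cookie. host_only is true when no Domain attribute was given.
Cookie = Struct.new(:name, :value, :domain, :path, :secure, :expires, :host_only)

# Default-path algorithm from RFC 6265 section 5.1.4.
def default_path(uri)
  p = uri.path.to_s
  return '/' if p.empty? || !p.start_with?('/') || p.count('/') == 1
  p[0...p.rindex('/')]
end

# Domain matching from RFC 6265 section 5.1.3 (IP literals never suffix-match).
def domain_match?(host, domain)
  return true if host == domain
  host.end_with?(".#{domain}") && host !~ /\A[\d.]+\z/
end

# Path matching from RFC 6265 section 5.1.4.
def path_match?(request_path, cookie_path)
  return true if request_path == cookie_path
  return false unless request_path.start_with?(cookie_path)
  cookie_path.end_with?('/') || request_path[cookie_path.length] == '/'
end

# Parse one Set-Cookie value received from origin_uri. Returns nil when the
# cookie must be ignored (bad syntax, or a Domain that does not cover the origin).
def parse_set_cookie(header, origin_uri, now = Time.now)
  pair, *attrs = header.split(';').map(&:strip)
  name, value = pair.to_s.split('=', 2)
  return nil if name.nil? || name.empty? || value.nil?
  host = origin_uri.host.downcase
  c = Cookie.new(name, value, host, default_path(origin_uri), false, nil, true)
  attrs.each do |attr|
    k, v = attr.split('=', 2)
    next if k.nil?
    case k.downcase
    when 'domain'
      d = v.to_s.downcase.sub(/\A\./, '')
      return nil if d.empty? || !domain_match?(host, d)
      c.domain, c.host_only = d, false
    when 'path'
      c.path = v.to_s.start_with?('/') ? v : default_path(origin_uri)
    when 'secure'
      c.secure = true
    when 'max-age'
      c.expires = now + v.to_i if v.to_s =~ /\A-?\d+\z/
    when 'expires'
      c.expires ||= (Time.parse(v.to_s) rescue nil)
    end
  end
  c
end

# Cookies a client should keep from a response; expired or rejected ones are
# dropped, which is the filtering the text describes for Response#cookies.
def store_cookies(set_cookie_headers, origin_uri, now = Time.now)
  set_cookie_headers.map { |h| parse_set_cookie(h, origin_uri, now) }.compact
                    .reject { |c| c.expires && c.expires <= now }
end

# Cookie header to send to target_uri, honouring domain, path, Secure and expiry.
def cookie_header_for(jar, target_uri, now = Time.now)
  host = target_uri.host.downcase
  request_path = target_uri.path.empty? ? '/' : target_uri.path
  sent = jar.select do |c|
    next false if c.expires && c.expires <= now
    next false if c.secure && target_uri.scheme != 'https'
    next false unless c.host_only ? host == c.domain : domain_match?(host, c.domain)
    path_match?(request_path, c.path)
  end
  sent.empty? ? nil : sent.map { |c| "#{c.name}=#{c.value}" }.join('; ')
end

# The pre-1.8.0 behaviour described above: every name=value pair from the
# redirect's Set-Cookie headers is forwarded, whatever the target is.
def naive_redirect_cookies(set_cookie_headers)
  set_cookie_headers.map { |h| h.split(';').first.strip }.join('; ')
end

# Constructed sample: a 302 from the login endpoint carrying four cookies.
ORIGIN = URI('https://example.com/login')
REDIRECT_SET_COOKIES = [
  'session=abc123; Path=/; Secure',
  'tracker=xyz; Domain=evil.example; Path=/',     # Domain does not cover example.com
  'old=1; Expires=Thu, 01 Jan 1970 00:00:00 GMT', # already expired
  'scoped=2; Path=/admin',
].freeze

if __FILE__ == $0
  jar = store_cookies(REDIRECT_SET_COOKIES, ORIGIN)
  puts "naive forwarding: #{naive_redirect_cookies(REDIRECT_SET_COOKIES)}"
  ['http://example.com/home', 'https://example.com/admin/panel', 'https://other.example/'].each do |t|
    puts "#{t} -> #{cookie_header_for(jar, URI(t)).inspect}"
  end
end
```

With the sample above, the naive path forwards all four pairs to any target, including the Secure session cookie over a plain-http redirect and a cookie scoped to a foreign domain. The checked path keeps only `session` and `scoped`, sends both to `https://example.com/admin/panel`, and sends nothing to the http downgrade or to `other.example`, which is the kind of cookie 1.8.0 now leaves out of `Response#cookies` while the raw values remain visible in `headers[:set_cookie]`.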

Otherwise, the changes in behavior for 1.8.0 should be transparent.

Cheers,
Andy