egalite 0.0.7 → 1.0.0

data/README.md

@@ -89,3 +89,22 @@ URL以外で引き渡されるパラメーター(クエリパラメータやPOST
 ### フォームへの自動埋め込み
 
 
+## セキュリティ対応
+
+### 自動CSRF対策機能
+
+egaliteには自動でCSRF対策のチェック値を埋め込む機能が付いています。この機能を有効にすると自動でCSRF対策を行うことができます。
+
+【注意】外部のサイトにフォームを送信するときにセッション情報が送られてしまいますので、外部のサイトにフォームを送る必要があるシステムでは絶対に使わないでください。(そのうち改善します)
+
+有効にする方法は以下の通りです。
+
+  egalite = Egalite::Handler.new(
+    :db => db,
+    :template_engine => Egalite::CSRFTemplate
+  )
+
+  class Pages < Egalite::CSRFController
+  end
+
+

data/lib/egalite/version.rb

@@ -1,3 +1,3 @@
 module Egalite
-  VERSION = "0.0.7"
+  VERSION = "1.0.0"
 end

data/lib/egalite.rb

@@ -101,7 +101,9 @@ module Egalite
           :subject => 'Critical error at xcream.net'
         })
       end
-      @@table.insert(hash) if @@table
+      if @@table
+        @@table.insert(hash) rescue nil
+      end
     end
     def write_exception(e, hash)
       severity = 'exception'
@@ -126,6 +128,9 @@ class Controller
   def after_filter_return_value(response) # right after controller
     response
   end
+  def after_filter_html(response) # html after template filter
+    response
+  end
   def after_filter(response) # after filter for final http output
     response
   end
@@ -330,7 +335,7 @@ class Request
   attr_accessor :session, :cookies, :authorization
   attr_accessor :language, :method
   attr_accessor :route, :controller, :action, :params, :path_info, :path_params
-  attr_accessor :controller_class, :action_method
+  attr_accessor :controller_class, :action_method, :inner_path
   attr_reader :rack_request, :time, :handler
 
   def initialize(values = {})
@@ -583,6 +588,9 @@ class Handler
         inner_dispatch(req,values)[2]
       }
       t = Time.now - s
+      
+      html = controller.after_filter_html(html)
+      
       @profile_logger.puts "#{Time.now}: view #{t}sec #{controller.class.name}.#{action} (#{req.path_info})" if @profile_logger
 
       [200,{"Content-Type"=>"text/html"},[html]]
@@ -615,6 +623,7 @@ class Handler
     req.controller_class = controller
     req.action = action_name
     req.action_method = action
+    req.inner_path = path
     req.path_params = path_params
     req.path_info = path_params.join('/')
 

data/test/test_auth.rb

@@ -1,10 +1,9 @@
 $LOAD_PATH << File.dirname(__FILE__)
-$LOAD_PATH << File.join(File.dirname(__FILE__), '..')
 
 require 'rubygems'
 require 'test/unit'
 require 'egalite'
-require 'auth/basic'
+require 'egalite/auth/basic'
 
 require 'rack/test'
 

data/test/test_blank.rb

@@ -1,7 +1,6 @@
-$LOAD_PATH << File.join(File.dirname(__FILE__), '..')
-
+require 'rubygems'
 require 'test/unit'
-require 'blank'
+require 'egalite/blank'
 
 class Empty
   def empty?

data/test/test_errorconsole.rb

@@ -3,9 +3,9 @@ require 'rubygems'
 require 'sequel'
 require 'test/unit'
 require 'egalite'
-require 'helper'
-require 'auth/basic'
-require 'errorconsole'
+require 'egalite/helper'
+require 'egalite/auth/basic'
+require 'egalite/errorconsole'
 
 require 'rack/test'
 require 'setup'
@@ -63,13 +63,13 @@ CREATE TABLE logs (
   def test_group
     basic_authorize('admin','9999')
     get "/egalite/error/group/1234"
-    assert_match %r|<li>/hoge</li>\n*<li>hogehoge</li>|, last_response.body
+    assert_match %r|<li>&#x2F;hoge</li>\n*<li>hogehoge</li>|, last_response.body
   end
   def test_detail
     basic_authorize('admin','9999')
     get "/egalite/error/detail/1"
     assert_not_equal "no record found.", last_response.body
-    assert_match %r|<li>127.0.0.1</li>\n*<li>/hoge</li>\n*<li>hogehoge</li>|, last_response.body
+    assert_match %r|<li>127.0.0.1</li>\n*<li>&#x2F;hoge</li>\n*<li>hogehoge</li>|, last_response.body
     
     get "/egalite/error/detail/100"
     assert_equal "no record found.", last_response.body

data/test/test_keitai.rb

@@ -2,17 +2,17 @@
 
 $KCODE = 'UTF8'
 
-$LOAD_PATH << File.join(File.dirname(__FILE__), '..')
 $LOAD_PATH << File.join(File.dirname(__FILE__))
 
 require 'rubygems'
 require 'test/unit'
 require 'egalite'
-require 'keitai/keitai'
+require 'egalite/keitai/keitai'
 
 require 'rack'
 require 'rack/multipart'
 require 'rack/test'
+require 'rack/ketai'
 
 require 'kconv'
 

data/test/test_m17n.rb

@@ -1,9 +1,7 @@
-$LOAD_PATH << File.join(File.dirname(__FILE__), '..')
-
 require 'rubygems'
 require 'test/unit'
 require 'egalite'
-require 'm17n'
+require 'egalite/m17n'
 
 require 'rack/test'
 

data/test/test_template.rb

@@ -8,7 +8,13 @@ require 'rack/test'
 
 require 'setup'
 
+$filter = []
+
 class TemplateController < Egalite::Controller
+  def after_filter_html(html)
+    $filter << req.inner_path
+    html
+  end
   def get
     {
       :val => 'piyo',
@@ -70,6 +76,11 @@ class T_Template < Test::Unit::TestCase
     assert last_response.body =~ /group4: 41/
     assert last_response.body =~ /group4: 42/
   end
+  def test_filter
+    $filter = []
+    get "/template"
+    assert_equal ["/template/inner", "/template/innerparam/9", "/template/innerparam/5", "/template"], $filter
+  end
 end
 
 class T_OnHtmlLoadFilter < Test::Unit::TestCase

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: egalite
 version: !ruby/object:Gem::Version 
-  hash: 17
+  hash: 23
   prerelease: 
   segments: 
+  - 1
   - 0
   - 0
-  - 7
-  version: 0.0.7
+  version: 1.0.0
 platform: ruby
 authors: 
 - Shunichi Arai
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2013-07-11 00:00:00 Z
+date: 2013-08-07 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: bundler
@@ -75,32 +75,13 @@ files:
 - LICENSE.txt
 - README.md
 - Rakefile
-- auth/basic.rb
-- blank.rb
 - egalite.gemspec
-- egalite.rb
-- errorconsole.rb
 - examples/simple/config.ru
 - examples/simple/example.rb
 - examples/simple/pages/test.html
 - examples/simple/run_webrick.rb
 - examples/simple_db/example_db.rb
 - examples/simple_db/pages/edit.html
-- helper.rb
-- keitai/keitai.rb
-- keitai/ketai.rb
-- keitai/rack/ketai/carrier.rb
-- keitai/rack/ketai/carrier/abstract.rb
-- keitai/rack/ketai/carrier/au.rb
-- keitai/rack/ketai/carrier/docomo.rb
-- keitai/rack/ketai/carrier/emoji/ausjisstrtoemojiid.rb
-- keitai/rack/ketai/carrier/emoji/docomosjisstrtoemojiid.rb
-- keitai/rack/ketai/carrier/emoji/emojidata.rb
-- keitai/rack/ketai/carrier/emoji/softbankutf8strtoemojiid.rb
-- keitai/rack/ketai/carrier/emoji/softbankwebcodetoutf8str.rb
-- keitai/rack/ketai/carrier/iphone.rb
-- keitai/rack/ketai/carrier/softbank.rb
-- keitai/rack/ketai/middleware.rb
 - lib/egalite.rb
 - lib/egalite/auth/basic.rb
 - lib/egalite/blank.rb
@@ -129,70 +110,6 @@ files:
 - lib/egalite/support.rb
 - lib/egalite/template.rb
 - lib/egalite/version.rb
-- m17n.rb
-- rack.rb
-- rack/auth/abstract/handler.rb
-- rack/auth/abstract/request.rb
-- rack/auth/basic.rb
-- rack/auth/digest/md5.rb
-- rack/auth/digest/nonce.rb
-- rack/auth/digest/params.rb
-- rack/auth/digest/request.rb
-- rack/builder.rb
-- rack/cascade.rb
-- rack/chunked.rb
-- rack/commonlogger.rb
-- rack/conditionalget.rb
-- rack/config.rb
-- rack/content_length.rb
-- rack/content_type.rb
-- rack/deflater.rb
-- rack/directory.rb
-- rack/etag.rb
-- rack/file.rb
-- rack/handler.rb
-- rack/handler/cgi.rb
-- rack/handler/evented_mongrel.rb
-- rack/handler/fastcgi.rb
-- rack/handler/lsws.rb
-- rack/handler/mongrel.rb
-- rack/handler/scgi.rb
-- rack/handler/swiftiplied_mongrel.rb
-- rack/handler/thin.rb
-- rack/handler/webrick.rb
-- rack/head.rb
-- rack/lint.rb
-- rack/lobster.rb
-- rack/lock.rb
-- rack/logger.rb
-- rack/methodoverride.rb
-- rack/mime.rb
-- rack/mock.rb
-- rack/nulllogger.rb
-- rack/recursive.rb
-- rack/reloader.rb
-- rack/request.rb
-- rack/response.rb
-- rack/rewindable_input.rb
-- rack/runtime.rb
-- rack/sendfile.rb
-- rack/server.rb
-- rack/session/abstract/id.rb
-- rack/session/cookie.rb
-- rack/session/memcache.rb
-- rack/session/pool.rb
-- rack/showexceptions.rb
-- rack/showstatus.rb
-- rack/static.rb
-- rack/urlmap.rb
-- rack/utils.rb
-- route.rb
-- sendmail.rb
-- sequel_helper.rb
-- session.rb
-- stringify_hash.rb
-- support.rb
-- template.rb
 - test.bat
 - test/french.html
 - test/french_msg.html

data/auth/basic.rb

@@ -1,32 +0,0 @@
-
-module Egalite
-  module Auth
-    class Basic
-      def self.authorize(req,realm)
-        auth = req.authorization
-        return unauthorized(realm) if auth.blank?
-        (method,credentials) = auth.split(' ', 2)
-        return bad_request if method.downcase != "basic"
-        (username,password) = credentials.unpack("m*").first.split(/:/,2)
-        return unauthorized(realm) unless yield(username,password)
-        true
-      end
-      def self.unauthorized(realm)
-        return [ 401,
-          { 'Content-Type' => 'text/plain',
-            'Content-Length' => '0',
-            'WWW-Authenticate' => 'Basic realm="%s"' % realm },
-          []
-        ]
-      end
-      def self.bad_request
-        return [ 400,
-          { 'Content-Type' => 'text/plain',
-            'Content-Length' => '0' },
-          []
-        ]
-      end
-    end
-  end
-end
-

data/blank.rb

@@ -1,53 +0,0 @@
-# I stole it from ActiveSupport library of Ruby on Rails
-# (MIT License)
-
-class Object
-  # An object is blank if it's nil, empty, or a whitespace string.
-  # For example, "", "   ", nil, [], and {} are blank.
-  #
-  # This simplifies
-  #   if !address.nil? && !address.empty?
-  # to
-  #   if !address.blank?
-  def blank?
-    respond_to?(:empty?) ? empty? : !self
-  end
-end
-
-class NilClass #:nodoc:
-  def blank?
-    true
-  end
-end
-
-class FalseClass #:nodoc:
-  def blank?
-    true
-  end
-end
-
-class TrueClass #:nodoc:
-  def blank?
-    false
-  end
-end
-
-class Array #:nodoc:
-  alias_method :blank?, :empty?
-end
-
-class Hash #:nodoc:
-  alias_method :blank?, :empty?
-end
-
-class String #:nodoc:
-  def blank?
-    self !~ /\S/
-  end
-end
-
-class Numeric #:nodoc:
-  def blank?
-    false
-  end
-end