heroku-bouncer 0.4.1 → 0.4.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/heroku/bouncer/middleware.rb +7 -4
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 828f65b68c8ed42f82cf523ab3748a16263fe5d2
|
|
4
|
+
data.tar.gz: 6b53e6ef3efb5f53bd35af410e0fd0501a3a9722
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 0b317ac658086d8ebe4157ab5b85b93fd23b61569d0ac5b41c7426a9514c4b490d06ffabc2daed835a40fcd2a33bd33812afe95d4d0843b6438d6d17b0894c4a
|
|
7
|
+
data.tar.gz: 12fd8a29894b24568fbfd0ed6d236b640cb4658084692e61f5900e7dc32ca69ebab3570d3760c76cef8ddf3f88ca6b45d27d6cbb6ef0fb5a6af75451b41d9c44
|
|
@@ -80,7 +80,7 @@ class Heroku::Bouncer::Middleware < Sinatra::Base
|
|
|
80
80
|
store_write(:expires_at, Time.now.to_i + 3600 * 8)
|
|
81
81
|
|
|
82
82
|
return_to = store_delete(:return_to) || '/'
|
|
83
|
-
redirect to(enforce_host(request.host, return_to))
|
|
83
|
+
redirect to(enforce_host(request.scheme, request.host, return_to))
|
|
84
84
|
end
|
|
85
85
|
|
|
86
86
|
# something went wrong
|
|
@@ -109,7 +109,9 @@ class Heroku::Bouncer::Middleware < Sinatra::Base
|
|
|
109
109
|
|
|
110
110
|
# login, setting the URL to return to
|
|
111
111
|
get '/auth/login' do
|
|
112
|
-
|
|
112
|
+
if params['return_to'] && params['return_to'].length <= 255
|
|
113
|
+
store_write(:return_to, params['return_to'])
|
|
114
|
+
end
|
|
113
115
|
redirect to('/auth/heroku')
|
|
114
116
|
end
|
|
115
117
|
|
|
@@ -201,9 +203,10 @@ private
|
|
|
201
203
|
end
|
|
202
204
|
|
|
203
205
|
# Prevent open redirect vulnerabilities by setting the current host
|
|
204
|
-
def enforce_host(host, url)
|
|
206
|
+
def enforce_host(scheme, host, url)
|
|
205
207
|
return_to = URI.parse(url) rescue '/'
|
|
206
|
-
return_to.
|
|
208
|
+
return_to.scheme = scheme
|
|
209
|
+
return_to.host = host
|
|
207
210
|
return_to.to_s
|
|
208
211
|
end
|
|
209
212
|
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: heroku-bouncer
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.4.
|
|
4
|
+
version: 0.4.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Jonathan Dance
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2014-
|
|
11
|
+
date: 2014-05-07 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: omniauth-heroku
|