heroku-bouncer 0.4.1 → 0.4.2

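--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: 561e884f024ac6a325bb3b923da047eb4e1093a2
-data.tar.gz: 693c9b580e04067aff895f73b74124b55ca9c96c
+metadata.gz: 828f65b68c8ed42f82cf523ab3748a16263fe5d2
+data.tar.gz: 6b53e6ef3efb5f53bd35af410e0fd0501a3a9722
 SHA512:
-metadata.gz: f4191578a75d18970863267576af3f1427d36d8663231ea1b86bf5f6fa74cfb5ca72dc1034c04729ebcd1f2c4cd6dd9c9e61e35d3da521bc087fc18c12211896
-data.tar.gz: d3089222610ba125714dd08f1b9457ad9727a7c9bfabcaa25ea3adcdc4386036381072e6fc59a20a3cb5612ac73cba2d7560df104762fcf620aa1f6998246d35
+metadata.gz: 0b317ac658086d8ebe4157ab5b85b93fd23b61569d0ac5b41c7426a9514c4b490d06ffabc2daed835a40fcd2a33bd33812afe95d4d0843b6438d6d17b0894c4a
+data.tar.gz: 12fd8a29894b24568fbfd0ed6d236b640cb4658084692e61f5900e7dc32ca69ebab3570d3760c76cef8ddf3f88ca6b45d27d6cbb6ef0fb5a6af75451b41d9c44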
@@ -80,7 +80,7 @@ class Heroku::Bouncer::Middleware < Sinatra::Base
80
80
  store_write(:expires_at, Time.now.to_i + 3600 * 8)
81
81
 
82
82
  return_to = store_delete(:return_to) || '/'
83
- redirect to(enforce_host(request.host, return_to))
83
+ redirect to(enforce_host(request.scheme, request.host, return_to))
84
84
  end
85
85
 
86
86
  # something went wrong
@@ -109,7 +109,9 @@ class Heroku::Bouncer::Middleware < Sinatra::Base
109
109
 
110
110
  # login, setting the URL to return to
111
111
  get '/auth/login' do
112
- store_write(:return_to, params['return_to'])
112
+ if params['return_to'] && params['return_to'].length <= 255
113
+ store_write(:return_to, params['return_to'])
114
+ end
113
115
  redirect to('/auth/heroku')
114
116
  end
115
117
 
@@ -201,9 +203,10 @@ private
201
203
  end
202
204
 
203
205
  # Prevent open redirect vulnerabilities by setting the current host
204
- def enforce_host(host, url)
206
+ def enforce_host(scheme, host, url)
205
207
  return_to = URI.parse(url) rescue '/'
206
- return_to.host = request.host
208
+ return_to.scheme = scheme
209
+ return_to.host = host
207
210
  return_to.to_s
208
211
  end
209
212
 
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: heroku-bouncer
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.4.1
4
+ version: 0.4.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Jonathan Dance
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2014-03-20 00:00:00.000000000 Z
11
+ date: 2014-05-07 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: omniauth-heroku