heroku-bouncer 0.4.1 → 0.4.2
- checksums.yaml +4 -4
- data/lib/heroku/bouncer/middleware.rb +7 -4
- metadata +2 -2
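--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 828f65b68c8ed42f82cf523ab3748a16263fe5d2
+data.tar.gz: 6b53e6ef3efb5f53bd35af410e0fd0501a3a9722
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 0b317ac658086d8ebe4157ab5b85b93fd23b61569d0ac5b41c7426a9514c4b490d06ffabc2daed835a40fcd2a33bd33812afe95d4d0843b6438d6d17b0894c4a
+data.tar.gz: 12fd8a29894b24568fbfd0ed6d236b640cb4658084692e61f5900e7dc32ca69ebab3570d3760c76cef8ddf3f88ca6b45d27d6cbb6ef0fb5a6af75451b41d9c44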
@@ -80,7 +80,7 @@ class Heroku::Bouncer::Middleware < Sinatra::Base
|
|
80
80
|
store_write(:expires_at, Time.now.to_i + 3600 * 8)
|
81
81
|
|
82
82
|
return_to = store_delete(:return_to) || '/'
|
83
|
-
redirect to(enforce_host(request.host, return_to))
|
83
|
+
redirect to(enforce_host(request.scheme, request.host, return_to))
|
84
84
|
end
|
85
85
|
|
86
86
|
# something went wrong
|
@@ -109,7 +109,9 @@ class Heroku::Bouncer::Middleware < Sinatra::Base
|
|
109
109
|
|
110
110
|
# login, setting the URL to return to
|
111
111
|
get '/auth/login' do
|
112
|
-
|
112
|
+
if params['return_to'] && params['return_to'].length <= 255
|
113
|
+
store_write(:return_to, params['return_to'])
|
114
|
+
end
|
113
115
|
redirect to('/auth/heroku')
|
114
116
|
end
|
115
117
|
|
@@ -201,9 +203,10 @@ private
|
|
201
203
|
end
|
202
204
|
|
203
205
|
# Prevent open redirect vulnerabilities by setting the current host
|
204
|
-
def enforce_host(host, url)
|
206
|
+
def enforce_host(scheme, host, url)
|
205
207
|
return_to = URI.parse(url) rescue '/'
|
206
|
-
return_to.
|
208
|
+
return_to.scheme = scheme
|
209
|
+
return_to.host = host
|
207
210
|
return_to.to_s
|
208
211
|
end
|
209
212
|
|
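Review bot: The `rescue '/'` fallback on the `URI.parse` line leaves `return_to` as a String, so the added `return_to.scheme = scheme` (and the `host =` line right after it) raise NoMethodError for any unparsable `return_to` value instead of sending the user to '/'; I believe the same ends in URI::InvalidURIError from `host=` when the parsed value is an opaque URI (e.g. a `mailto:` value), which has no host to overwrite. Either way the request fails with a 500 rather than the safe redirect the comment above the method promises, and the `/auth/login` hunk only checks the stored value's length, so these inputs reach this method unfiltered. Changing the parse line to `return_to = URI.parse(url) rescue nil` and inserting `return '/' if return_to.nil? || return_to.opaque` before the scheme assignment keeps the host pinning for ordinary paths and absolute URLs while routing the rest home. A one-line comment on that guard, `# unparsable or opaque (no host to pin) return_to values go home`, would make the intent clear to the next reader.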
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: heroku-bouncer
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.4.
|
4
|
+
version: 0.4.2
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Jonathan Dance
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2014-
|
11
|
+
date: 2014-05-07 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: omniauth-heroku
|