rack-cors 1.0.3 → 1.0.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.travis.yml +1 -0
- data/CHANGELOG.md +8 -0
- data/lib/rack/cors.rb +18 -10
- data/lib/rack/cors/version.rb +1 -1
- data/rack-cors.gemspec +1 -0
- data/test/unit/cors_test.rb +6 -0
- data/test/unit/test.ru +1 -0
- metadata +17 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: a12cdfc5aca2abf0cf86fb1ca217619fa6b40cad19721118016e064554f46ba0
|
|
4
|
+
data.tar.gz: 2874199b748909fdfd3e8ec601bd8620bc0235e60c66226259a79ff2404dbaf8
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 2b71fe191ad396ab85e8c1966e979fa3516ee768bae6ed93fd1d43644eada8a455dbab00990ef22440ee7f82dab16a37b283897403d4eba674547bda1f0b86f5
|
|
7
|
+
data.tar.gz: a31481b3f6d9d45bdc522c444e923438f7f513a57796bf2cf6eaaa665d87f7479bf5f1e5f5ea8d380ce7194f0d3690823e1a681e55c17317cab29bf87b7a7303
|
data/.travis.yml
CHANGED
data/CHANGELOG.md
CHANGED
|
@@ -1,6 +1,14 @@
|
|
|
1
1
|
# Change Log
|
|
2
2
|
All notable changes to this project will be documented in this file.
|
|
3
3
|
|
|
4
|
+
## 1.0.5 - 2019-11-14
|
|
5
|
+
### Changed
|
|
6
|
+
- Update Gem spec to require rack >= 1.6.0
|
|
7
|
+
|
|
8
|
+
## 1.0.4 - 2019-11-13
|
|
9
|
+
### Security
|
|
10
|
+
- Escape and resolve path before evaluating resource rules (thanks to Colby Morgan)
|
|
11
|
+
|
|
4
12
|
## 1.0.3 - 2019-03-24
|
|
5
13
|
### Changed
|
|
6
14
|
- Don't send 'Content-Type' header with pre-flight requests
|
data/lib/rack/cors.rb
CHANGED
|
@@ -64,24 +64,27 @@ module Rack
|
|
|
64
64
|
def call(env)
|
|
65
65
|
env[HTTP_ORIGIN] ||= env[HTTP_X_ORIGIN] if env[HTTP_X_ORIGIN]
|
|
66
66
|
|
|
67
|
+
path = evaluate_path(env)
|
|
68
|
+
|
|
67
69
|
add_headers = nil
|
|
68
70
|
if env[HTTP_ORIGIN]
|
|
69
71
|
debug(env) do
|
|
70
72
|
[ 'Incoming Headers:',
|
|
71
73
|
" Origin: #{env[HTTP_ORIGIN]}",
|
|
74
|
+
" Path-Info: #{path}",
|
|
72
75
|
" Access-Control-Request-Method: #{env[HTTP_ACCESS_CONTROL_REQUEST_METHOD]}",
|
|
73
76
|
" Access-Control-Request-Headers: #{env[HTTP_ACCESS_CONTROL_REQUEST_HEADERS]}"
|
|
74
77
|
].join("\n")
|
|
75
78
|
end
|
|
76
79
|
if env[REQUEST_METHOD] == OPTIONS and env[HTTP_ACCESS_CONTROL_REQUEST_METHOD]
|
|
77
|
-
headers = process_preflight(env)
|
|
80
|
+
headers = process_preflight(env, path)
|
|
78
81
|
debug(env) do
|
|
79
82
|
"Preflight Headers:\n" +
|
|
80
83
|
headers.collect{|kv| " #{kv.join(': ')}"}.join("\n")
|
|
81
84
|
end
|
|
82
85
|
return [200, headers, []]
|
|
83
86
|
else
|
|
84
|
-
add_headers = process_cors(env)
|
|
87
|
+
add_headers = process_cors(env, path)
|
|
85
88
|
end
|
|
86
89
|
else
|
|
87
90
|
Result.miss(env, Result::MISS_NO_ORIGIN)
|
|
@@ -90,7 +93,7 @@ module Rack
|
|
|
90
93
|
# This call must be done BEFORE calling the app because for some reason
|
|
91
94
|
# env[PATH_INFO] gets changed after that and it won't match. (At least
|
|
92
95
|
# in rails 4.1.6)
|
|
93
|
-
vary_resource = resource_for_path(
|
|
96
|
+
vary_resource = resource_for_path(path)
|
|
94
97
|
|
|
95
98
|
status, headers, body = @app.call env
|
|
96
99
|
|
|
@@ -147,14 +150,20 @@ module Rack
|
|
|
147
150
|
end
|
|
148
151
|
end
|
|
149
152
|
|
|
153
|
+
def evaluate_path(env)
|
|
154
|
+
path = env[PATH_INFO]
|
|
155
|
+
path = Rack::Utils.clean_path_info(Rack::Utils.unescape_path(path)) if path
|
|
156
|
+
path
|
|
157
|
+
end
|
|
158
|
+
|
|
150
159
|
def all_resources
|
|
151
160
|
@all_resources ||= []
|
|
152
161
|
end
|
|
153
162
|
|
|
154
|
-
def process_preflight(env)
|
|
163
|
+
def process_preflight(env, path)
|
|
155
164
|
result = Result.preflight(env)
|
|
156
165
|
|
|
157
|
-
resource, error = match_resource(env)
|
|
166
|
+
resource, error = match_resource(path, env)
|
|
158
167
|
unless resource
|
|
159
168
|
result.miss(error)
|
|
160
169
|
return {}
|
|
@@ -163,8 +172,8 @@ module Rack
|
|
|
163
172
|
return resource.process_preflight(env, result)
|
|
164
173
|
end
|
|
165
174
|
|
|
166
|
-
def process_cors(env)
|
|
167
|
-
resource, error = match_resource(env)
|
|
175
|
+
def process_cors(env, path)
|
|
176
|
+
resource, error = match_resource(path, env)
|
|
168
177
|
if resource
|
|
169
178
|
Result.hit(env)
|
|
170
179
|
cors = resource.to_headers(env)
|
|
@@ -185,8 +194,7 @@ module Rack
|
|
|
185
194
|
nil
|
|
186
195
|
end
|
|
187
196
|
|
|
188
|
-
def match_resource(env)
|
|
189
|
-
path = env[PATH_INFO]
|
|
197
|
+
def match_resource(path, env)
|
|
190
198
|
origin = env[HTTP_ORIGIN]
|
|
191
199
|
|
|
192
200
|
origin_matched = false
|
|
@@ -330,7 +338,7 @@ module Rack
|
|
|
330
338
|
|
|
331
339
|
self.path = path
|
|
332
340
|
self.credentials = public_resource ? false : (opts[:credentials] == true)
|
|
333
|
-
self.max_age = opts[:max_age] ||
|
|
341
|
+
self.max_age = opts[:max_age] || 7200
|
|
334
342
|
self.pattern = compile(path)
|
|
335
343
|
self.if_proc = opts[:if]
|
|
336
344
|
self.vary_headers = opts[:vary] && [opts[:vary]].flatten
|
data/lib/rack/cors/version.rb
CHANGED
data/rack-cors.gemspec
CHANGED
|
@@ -18,6 +18,7 @@ Gem::Specification.new do |spec|
|
|
|
18
18
|
spec.test_files = spec.files.grep(%r{^(test|spec|features)/})
|
|
19
19
|
spec.require_paths = ["lib"]
|
|
20
20
|
|
|
21
|
+
spec.add_dependency "rack", ">= 1.6.0"
|
|
21
22
|
spec.add_development_dependency "bundler", ">= 1.16.0", '< 3'
|
|
22
23
|
spec.add_development_dependency "rake", "~> 12.3.0"
|
|
23
24
|
spec.add_development_dependency "minitest", "~> 5.11.0"
|
data/test/unit/cors_test.rb
CHANGED
|
@@ -146,6 +146,12 @@ describe Rack::Cors do
|
|
|
146
146
|
last_response.headers['Vary'].must_equal 'Origin, Host'
|
|
147
147
|
end
|
|
148
148
|
|
|
149
|
+
it "decode URL and resolve paths before resource matching" do
|
|
150
|
+
header 'Origin', 'http://localhost:3000'
|
|
151
|
+
get '/public/a/..%2F..%2Fprivate/stuff'
|
|
152
|
+
last_response.wont_render_cors_success
|
|
153
|
+
end
|
|
154
|
+
|
|
149
155
|
describe 'with array of upstream Vary headers' do
|
|
150
156
|
let(:app) { load_app('test', { proxy: true }) }
|
|
151
157
|
|
data/test/unit/test.ru
CHANGED
metadata
CHANGED
|
@@ -1,15 +1,29 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rack-cors
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.0.
|
|
4
|
+
version: 1.0.5
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Calvin Yu
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2019-
|
|
11
|
+
date: 2019-11-14 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
|
+
- !ruby/object:Gem::Dependency
|
|
14
|
+
name: rack
|
|
15
|
+
requirement: !ruby/object:Gem::Requirement
|
|
16
|
+
requirements:
|
|
17
|
+
- - ">="
|
|
18
|
+
- !ruby/object:Gem::Version
|
|
19
|
+
version: 1.6.0
|
|
20
|
+
type: :runtime
|
|
21
|
+
prerelease: false
|
|
22
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
23
|
+
requirements:
|
|
24
|
+
- - ">="
|
|
25
|
+
- !ruby/object:Gem::Version
|
|
26
|
+
version: 1.6.0
|
|
13
27
|
- !ruby/object:Gem::Dependency
|
|
14
28
|
name: bundler
|
|
15
29
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -133,8 +147,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
133
147
|
- !ruby/object:Gem::Version
|
|
134
148
|
version: '0'
|
|
135
149
|
requirements: []
|
|
136
|
-
|
|
137
|
-
rubygems_version: 2.7.6
|
|
150
|
+
rubygems_version: 3.0.6
|
|
138
151
|
signing_key:
|
|
139
152
|
specification_version: 4
|
|
140
153
|
summary: Middleware for enabling Cross-Origin Resource Sharing in Rack apps
|