rack-post-body-to-params 0.1.6 → 0.1.7
- data/VERSION +1 -1
- data/lib/rack/post-body-to-params.rb +16 -9
- data/rack-post-body-to-params.gemspec +2 -2
- metadata +6 -6
data/VERSION
CHANGED
@@ -1 +1 @@
|
|
1
|
-
0.1.
|
1
|
+
0.1.7
|
@@ -54,22 +54,29 @@ module Rack
|
|
54
54
|
#
|
55
55
|
def initialize(app, config={})
|
56
56
|
@content_types = config.delete(:content_types) || [APPLICATION_JSON, APPLICATION_XML]
|
57
|
-
|
57
|
+
|
58
58
|
@parsers = {
|
59
59
|
APPLICATION_JSON => Proc.new{ |post_body| parse_as_json post_body },
|
60
60
|
APPLICATION_XML => Proc.new{ |post_body| parse_as_xml post_body }
|
61
61
|
}
|
62
62
|
@parsers.update(config[:parsers]) if config[:parsers]
|
63
|
-
|
63
|
+
|
64
64
|
@error_responses = {
|
65
65
|
APPLICATION_JSON => Proc.new{ |error| json_error_response error },
|
66
66
|
APPLICATION_XML => Proc.new{ |error| xml_error_response error }
|
67
67
|
}
|
68
68
|
@error_responses.update(config[:error_responses]) if config[:error_responses]
|
69
|
-
|
69
|
+
|
70
70
|
# Check wether we're vulnerable via YAML:
|
71
|
-
|
72
|
-
|
71
|
+
begin
|
72
|
+
parsers[APPLICATION_XML].call %Q{<?xml version="1.0" encoding="UTF-8"?><bang type="yaml">--- !ruby/hash:Rack::PostBodyToParams::RCETEST\n foo: bar</bang>}
|
73
|
+
rescue Exception => e
|
74
|
+
# If ActiveSupport caught the error, we're safe. Otherwise, exception.
|
75
|
+
unless e.kind_of?(Hash::DisallowedType)
|
76
|
+
raise Exception, 'Please educate about the ActiveSupport YAML remote code execution vulnerability and take measures. Either install and require safe_yaml or upgrade ActiveSupport'
|
77
|
+
end
|
78
|
+
end
|
79
|
+
|
73
80
|
@app = app
|
74
81
|
end
|
75
82
|
|
@@ -89,10 +96,10 @@ module Rack
|
|
89
96
|
|
90
97
|
def call(env)
|
91
98
|
content_type = env[CONTENT_TYPE] && env[CONTENT_TYPE].split(';').first
|
92
|
-
|
99
|
+
|
93
100
|
if content_type && @content_types.include?(content_type)
|
94
101
|
post_body = env[POST_BODY].read
|
95
|
-
|
102
|
+
|
96
103
|
unless post_body.blank?
|
97
104
|
begin
|
98
105
|
new_form_hash = parsers[content_type].call post_body
|
@@ -102,9 +109,9 @@ module Rack
|
|
102
109
|
end
|
103
110
|
env.update(FORM_HASH => new_form_hash, FORM_INPUT => env[POST_BODY])
|
104
111
|
end
|
105
|
-
|
112
|
+
|
106
113
|
end
|
107
|
-
|
114
|
+
|
108
115
|
@app.call(env)
|
109
116
|
end
|
110
117
|
|
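Review bot: In the `initialize` hunk (`@@ -54,22 +54,29 @@`), `Hash::DisallowedType` is only referenced inside the `rescue Exception => e` branch, so on an ActiveSupport that predates that constant — the very case the probe is meant to catch — the `e.kind_of?(Hash::DisallowedType)` call itself raises `NameError` (uninitialized constant) and the intended 'Please educate about the ActiveSupport YAML remote code execution vulnerability…' message is never shown. Guard the lookup: `unless defined?(Hash::DisallowedType) && e.kind_of?(Hash::DisallowedType)`. The probe also treats a silent return from `parsers[APPLICATION_XML]` as safe, which only holds if a parser that does not raise also did not honour the `type="yaml"` attribute (a user-supplied parser via `config[:parsers]` is probed the same way); a comment such as `# A parser that returns without raising is assumed to have ignored type="yaml"` would make that assumption reviewable. `rescue Exception` additionally catches `Interrupt`, `SystemExit` and `NoMemoryError` during boot and would report them as the YAML vulnerability; `rescue StandardError => e` appears sufficient here, since both `Hash::DisallowedType` and the `ArgumentError` Psych raises for an unknown class tag are, as far as I know, `StandardError` subclasses. The comment's `wether` should read `whether`.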
@@ -5,11 +5,11 @@
|
|
5
5
|
|
6
6
|
Gem::Specification.new do |s|
|
7
7
|
s.name = "rack-post-body-to-params"
|
8
|
-
s.version = "0.1.
|
8
|
+
s.version = "0.1.7"
|
9
9
|
|
10
10
|
s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
|
11
11
|
s.authors = ["Niko Dittmann"]
|
12
|
-
s.date = "2013-02-
|
12
|
+
s.date = "2013-02-05"
|
13
13
|
s.email = "mail+git@niko-dittmann.com"
|
14
14
|
s.extra_rdoc_files = [
|
15
15
|
"LICENSE",
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: rack-post-body-to-params
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.1.
|
4
|
+
version: 0.1.7
|
5
5
|
prerelease:
|
6
6
|
platform: ruby
|
7
7
|
authors:
|
@@ -9,11 +9,11 @@ authors:
|
|
9
9
|
autorequire:
|
10
10
|
bindir: bin
|
11
11
|
cert_chain: []
|
12
|
-
date: 2013-02-
|
12
|
+
date: 2013-02-05 00:00:00.000000000Z
|
13
13
|
dependencies:
|
14
14
|
- !ruby/object:Gem::Dependency
|
15
15
|
name: shoulda
|
16
|
-
requirement: &
|
16
|
+
requirement: &70162486027220 !ruby/object:Gem::Requirement
|
17
17
|
none: false
|
18
18
|
requirements:
|
19
19
|
- - ! '>='
|
@@ -21,10 +21,10 @@ dependencies:
|
|
21
21
|
version: '0'
|
22
22
|
type: :development
|
23
23
|
prerelease: false
|
24
|
-
version_requirements: *
|
24
|
+
version_requirements: *70162486027220
|
25
25
|
- !ruby/object:Gem::Dependency
|
26
26
|
name: activesupport
|
27
|
-
requirement: &
|
27
|
+
requirement: &70162486026720 !ruby/object:Gem::Requirement
|
28
28
|
none: false
|
29
29
|
requirements:
|
30
30
|
- - ! '>='
|
@@ -32,7 +32,7 @@ dependencies:
|
|
32
32
|
version: '2.3'
|
33
33
|
type: :runtime
|
34
34
|
prerelease: false
|
35
|
-
version_requirements: *
|
35
|
+
version_requirements: *70162486026720
|
36
36
|
description:
|
37
37
|
email: mail+git@niko-dittmann.com
|
38
38
|
executables: []
|