rack-post-body-to-params 0.1.6 → 0.1.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/VERSION +1 -1
- data/lib/rack/post-body-to-params.rb +16 -9
- data/rack-post-body-to-params.gemspec +2 -2
- metadata +6 -6
data/VERSION
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
0.1.
|
|
1
|
+
0.1.7
|
|
@@ -54,22 +54,29 @@ module Rack
|
|
|
54
54
|
#
|
|
55
55
|
def initialize(app, config={})
|
|
56
56
|
@content_types = config.delete(:content_types) || [APPLICATION_JSON, APPLICATION_XML]
|
|
57
|
-
|
|
57
|
+
|
|
58
58
|
@parsers = {
|
|
59
59
|
APPLICATION_JSON => Proc.new{ |post_body| parse_as_json post_body },
|
|
60
60
|
APPLICATION_XML => Proc.new{ |post_body| parse_as_xml post_body }
|
|
61
61
|
}
|
|
62
62
|
@parsers.update(config[:parsers]) if config[:parsers]
|
|
63
|
-
|
|
63
|
+
|
|
64
64
|
@error_responses = {
|
|
65
65
|
APPLICATION_JSON => Proc.new{ |error| json_error_response error },
|
|
66
66
|
APPLICATION_XML => Proc.new{ |error| xml_error_response error }
|
|
67
67
|
}
|
|
68
68
|
@error_responses.update(config[:error_responses]) if config[:error_responses]
|
|
69
|
-
|
|
69
|
+
|
|
70
70
|
# Check wether we're vulnerable via YAML:
|
|
71
|
-
|
|
72
|
-
|
|
71
|
+
begin
|
|
72
|
+
parsers[APPLICATION_XML].call %Q{<?xml version="1.0" encoding="UTF-8"?><bang type="yaml">--- !ruby/hash:Rack::PostBodyToParams::RCETEST\n foo: bar</bang>}
|
|
73
|
+
rescue Exception => e
|
|
74
|
+
# If ActiveSupport caught the error, we're safe. Otherwise, exception.
|
|
75
|
+
unless e.kind_of?(Hash::DisallowedType)
|
|
76
|
+
raise Exception, 'Please educate about the ActiveSupport YAML remote code execution vulnerability and take measures. Either install and require safe_yaml or upgrade ActiveSupport'
|
|
77
|
+
end
|
|
78
|
+
end
|
|
79
|
+
|
|
73
80
|
@app = app
|
|
74
81
|
end
|
|
75
82
|
|
|
@@ -89,10 +96,10 @@ module Rack
|
|
|
89
96
|
|
|
90
97
|
def call(env)
|
|
91
98
|
content_type = env[CONTENT_TYPE] && env[CONTENT_TYPE].split(';').first
|
|
92
|
-
|
|
99
|
+
|
|
93
100
|
if content_type && @content_types.include?(content_type)
|
|
94
101
|
post_body = env[POST_BODY].read
|
|
95
|
-
|
|
102
|
+
|
|
96
103
|
unless post_body.blank?
|
|
97
104
|
begin
|
|
98
105
|
new_form_hash = parsers[content_type].call post_body
|
|
@@ -102,9 +109,9 @@ module Rack
|
|
|
102
109
|
end
|
|
103
110
|
env.update(FORM_HASH => new_form_hash, FORM_INPUT => env[POST_BODY])
|
|
104
111
|
end
|
|
105
|
-
|
|
112
|
+
|
|
106
113
|
end
|
|
107
|
-
|
|
114
|
+
|
|
108
115
|
@app.call(env)
|
|
109
116
|
end
|
|
110
117
|
|
|
@@ -5,11 +5,11 @@
|
|
|
5
5
|
|
|
6
6
|
Gem::Specification.new do |s|
|
|
7
7
|
s.name = "rack-post-body-to-params"
|
|
8
|
-
s.version = "0.1.
|
|
8
|
+
s.version = "0.1.7"
|
|
9
9
|
|
|
10
10
|
s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
|
|
11
11
|
s.authors = ["Niko Dittmann"]
|
|
12
|
-
s.date = "2013-02-
|
|
12
|
+
s.date = "2013-02-05"
|
|
13
13
|
s.email = "mail+git@niko-dittmann.com"
|
|
14
14
|
s.extra_rdoc_files = [
|
|
15
15
|
"LICENSE",
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rack-post-body-to-params
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.1.
|
|
4
|
+
version: 0.1.7
|
|
5
5
|
prerelease:
|
|
6
6
|
platform: ruby
|
|
7
7
|
authors:
|
|
@@ -9,11 +9,11 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2013-02-
|
|
12
|
+
date: 2013-02-05 00:00:00.000000000Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: shoulda
|
|
16
|
-
requirement: &
|
|
16
|
+
requirement: &70162486027220 !ruby/object:Gem::Requirement
|
|
17
17
|
none: false
|
|
18
18
|
requirements:
|
|
19
19
|
- - ! '>='
|
|
@@ -21,10 +21,10 @@ dependencies:
|
|
|
21
21
|
version: '0'
|
|
22
22
|
type: :development
|
|
23
23
|
prerelease: false
|
|
24
|
-
version_requirements: *
|
|
24
|
+
version_requirements: *70162486027220
|
|
25
25
|
- !ruby/object:Gem::Dependency
|
|
26
26
|
name: activesupport
|
|
27
|
-
requirement: &
|
|
27
|
+
requirement: &70162486026720 !ruby/object:Gem::Requirement
|
|
28
28
|
none: false
|
|
29
29
|
requirements:
|
|
30
30
|
- - ! '>='
|
|
@@ -32,7 +32,7 @@ dependencies:
|
|
|
32
32
|
version: '2.3'
|
|
33
33
|
type: :runtime
|
|
34
34
|
prerelease: false
|
|
35
|
-
version_requirements: *
|
|
35
|
+
version_requirements: *70162486026720
|
|
36
36
|
description:
|
|
37
37
|
email: mail+git@niko-dittmann.com
|
|
38
38
|
executables: []
|