rack-protection 1.0.0 → 1.1.2





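--- a/data/README.md
+++ b/data/README.md
@@ -92,3 +92,11 @@ First stable release.
 Changes:
 
 * Fix bug in JsonCsrf
+
+## v1.1.0 (2011/09/03)
+
+Second public release.
+
+Changes:
+
+* Dependency on `escape_utils` is now optional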
@@ -1,5 +1,10 @@
1
1
  require 'rack/protection'
2
- require 'escape_utils'
2
+ require 'rack/utils'
3
+
4
+ begin
5
+ require 'escape_utils'
6
+ rescue LoadError
7
+ end
3
8
 
4
9
  module Rack
5
10
  module Protection
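Review bot: Wrapping `require 'escape_utils'` in `rescue LoadError` makes the JavaScript-escaping branch and the `EscapeUtils` default for `:escaper` depend on whatever gems happen to be installed, and the gemspec hunk further down this page drops escape_utils from the runtime dependencies without keeping it as a development dependency, so the test suite can silently stop covering that backend. I would add `s.add_development_dependency "escape_utils"` in the gemspec and a comment here such as `# EscapeUtils is optional; without it only :html and :url escaping are available (see EscapedParams)`. Note also that `rescue LoadError` only covers a missing gem; any other error raised while loading it still aborts, which may well be intended.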
@@ -16,14 +21,28 @@ module Rack
16
21
  # escape:: What escaping modes to use, should be Symbol or Array of Symbols.
17
22
  # Available: :html (default), :javascript, :url
18
23
  class EscapedParams < Base
19
- default_options :escape => :html
24
+ extend Rack::Utils
25
+
26
+ class << self
27
+ alias escape_url escape
28
+ public :escape_html
29
+ end
30
+
31
+ default_options :escape => :html,
32
+ :escaper => defined?(EscapeUtils) ? EscapeUtils : self
20
33
 
21
34
  def initialize(*)
22
35
  super
23
- modes = Array options[:escape]
24
- code = "def self.escape_string(str) %s end"
25
- modes.each { |m| code %= "EscapeUtils.escape_#{m}(%s)"}
26
- eval code % 'str'
36
+
37
+ modes = Array options[:escape]
38
+ @escaper = options[:escaper]
39
+ @html = modes.include? :html
40
+ @javascript = modes.include? :javascript
41
+ @url = modes.include? :url
42
+
43
+ if @javascript and not @escaper.respond_to? :escape_javascript
44
+ fail("Use EscapeUtils for JavaScript escaping.")
45
+ end
27
46
  end
28
47
 
29
48
  def call(env)
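Review bot: `initialize` only checks that the escaper responds to `escape_javascript`; a caller-supplied `:escaper` that lacks `escape_url` or `escape_html` is accepted here and fails only per request inside `escape_string`, where the `rescue nil` around `handle(...)` (visible in the next hunk) would swallow the NoMethodError and let the request through with params unescaped. Validating every requested mode up front keeps the failure at boot time: `missing = modes.reject { |m| @escaper.respond_to? :"escape_#{m}" }` followed by `fail("#{@escaper.inspect} cannot escape #{missing.join(', ')}; use EscapeUtils.") unless missing.empty?` (this also rejects unknown mode names, which the current code ignores silently). The `:escaper` default in `default_options` is evaluated once when the class is loaded, so it depends on whether escape_utils was required before this file; a one-line comment saying so would save a debugging session. `class EscapedParams` is opened in this hunk but closes outside it.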
@@ -32,7 +51,7 @@ module Rack
32
51
  post_was = handle(request.POST) rescue nil
33
52
  app.call env
34
53
  ensure
35
- request.GET.replace get_was
54
+ request.GET.replace get_was if get_was
36
55
  request.POST.replace post_was if post_was
37
56
  end
38
57
 
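Review bot: The new guard `request.GET.replace get_was if get_was` makes the middleware fail open: when `handle(request.GET)` raises, the `rescue nil` modifier (visible on the POST line, and presumably on the GET line just above the hunk) leaves `get_was` nil, nothing is restored, and the application runs with whatever state `handle` left in the params. For a protection layer that deserves to be stated in a comment, e.g. `# NOTE: a failing handle() is swallowed by rescue nil; the request then proceeds without escaping`, and it is worth considering a log line or a narrower rescue instead of a bare `rescue nil` if callers should fail closed. `call` starts before this hunk.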
@@ -56,6 +75,13 @@ module Rack
56
75
  hash.each { |k,v| hash[k] = escape(v) }
57
76
  hash
58
77
  end
78
+
79
+ def escape_string(str)
80
+ str = @escaper.escape_url(str) if @url
81
+ str = @escaper.escape_html(str) if @html
82
+ str = @escaper.escape_javascript(str) if @javascript
83
+ str
84
+ end
59
85
  end
60
86
  end
61
87
  end
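Review bot: `escape_string` now applies the modes in a fixed order (url, then html, then javascript) whatever order the caller listed in `:escape`, whereas the removed eval-built version nested them in reverse option order, so a configuration such as `:escape => [:url, :html]` produces different output after this change. The option comment above `class EscapedParams` should say so, e.g. `# Modes are always applied as :url, :html, :javascript regardless of the order given.`, and the method deserves a one-line doc: `# Escapes str with every enabled mode, using the configured :escaper.`. Note also that with the built-in escaper `escape_url` is `Rack::Utils.escape` (aliased in the earlier hunk), i.e. form encoding, which may not produce the same output as EscapeUtils for the same input — worth confirming in the specs.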
@@ -13,7 +13,7 @@ module Rack
13
13
 
14
14
  def accepts?(env)
15
15
  return true unless env.include? 'HTTP_X_FORWARDED_FOR'
16
- ips = env['HTTP_X_FORWARDED_FOR'].split /\s*,\s*/
16
+ ips = env['HTTP_X_FORWARDED_FOR'].split(/\s*,\s*/)
17
17
  return false if env.include? 'HTTP_CLIENT_IP' and not ips.include? env['HTTP_CLIENT_IP']
18
18
  return false if env.include? 'HTTP_X_REAL_IP' and not ips.include? env['HTTP_X_REAL_IP']
19
19
  true
@@ -19,10 +19,17 @@ module Rack
19
19
  end
20
20
 
21
21
  def cleanup(path)
22
- return cleanup("/" << path)[1..-1] unless path[0] == ?/
23
- escaped = ::File.expand_path path.gsub('%2e', '.').gsub('%2f', '/')
24
- escaped << '/' if escaped[-1] != ?/ and path =~ /\/\.{0,2}$/
25
- escaped.gsub /\/\/+/, '/'
22
+ parts = []
23
+ unescaped = path.gsub('%2e', '.').gsub('%2f', '/')
24
+
25
+ unescaped.split('/').each do |part|
26
+ next if part.empty? or part == '.'
27
+ part == '..' ? parts.pop : parts << part
28
+ end
29
+
30
+ cleaned = '/' << parts.join('/')
31
+ cleaned << '/' if parts.any? and unescaped =~ /\/\.{0,2}$/
32
+ cleaned
26
33
  end
27
34
  end
28
35
  end
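Review bot: `cleanup` only decodes lowercase `%2e`/`%2f` because `gsub` with a string pattern is case-sensitive, while percent-encoded hex digits are case-insensitive, so an uppercase-encoded segment is not normalised before the dot-segment handling; use `unescaped = path.gsub(/%2e/i, '.').gsub(/%2f/i, '/')`. The trailing-slash test `unescaped =~ /\/\.{0,2}$/` anchors with `$`, which matches before any newline inside the string; `\z` is the whole-string anchor. A short doc comment would help too: `# Collapses ., .. and repeated slashes after decoding %2e/%2f; the result always starts with / and never climbs above it.`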
@@ -4,41 +4,13 @@ module Rack
4
4
  VERSION
5
5
  end
6
6
 
7
- module VERSION
8
- extend Comparable
7
+ SIGNATURE = [1, 1, 2]
8
+ VERSION = SIGNATURE.join('.')
9
9
 
10
- MAJOR = 1
11
- MINOR = 0
12
- TINY = 0
13
- SIGNATURE = [MAJOR, MINOR, TINY]
14
- STRING = SIGNATURE.join '.'
15
-
16
- def self.major; MAJOR end
17
- def self.minor; MINOR end
18
- def self.tiny; TINY end
19
- def self.to_s; STRING end
20
-
21
- def self.hash
22
- STRING.hash
23
- end
24
-
25
- def self.<=>(other)
26
- other = other.split('.').map { |i| i.to_i } if other.respond_to? :split
27
- SIGNATURE <=> Array(other)
28
- end
29
-
30
- def self.inspect
31
- STRING.inspect
32
- end
33
-
34
- def self.respond_to?(meth, *)
35
- meth.to_s !~ /^__|^to_str$/ and STRING.respond_to? meth unless super
36
- end
37
-
38
- def self.method_missing(meth, *args, &block)
39
- return super unless STRING.respond_to?(meth)
40
- STRING.send(meth, *args, &block)
41
- end
10
+ VERSION.extend Comparable
11
+ def VERSION.<=>(other)
12
+ other = other.split('.').map { |i| i.to_i } if other.respond_to? :split
13
+ SIGNATURE <=> Array(other)
42
14
  end
43
15
  end
44
16
  end
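Review bot: `VERSION` is now a plain mutable String constant, and `VERSION.extend Comparable` puts `Comparable` ahead of `String` in that object's method lookup, so `VERSION == other` appears to go through the new `<=>` (where `"01.1.2"` compares equal) rather than String's own `==`; if that is intended it deserves a comment. Either way both constants should be frozen: `SIGNATURE = [1, 1, 2].freeze` and a final `VERSION.freeze` placed after `def VERSION.<=>`, since defining a singleton method on an already frozen string raises. The old `respond_to?`/`method_missing` delegation disappears with the module, which is a simplification worth a changelog line.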
@@ -2,7 +2,7 @@
2
2
  Gem::Specification.new do |s|
3
3
  # general infos
4
4
  s.name = "rack-protection"
5
- s.version = "1.0.0"
5
+ s.version = "1.1.2"
6
6
  s.description = "You should use protection!"
7
7
  s.homepage = "http://github.com/rkh/rack-protection"
8
8
  s.summary = s.description
@@ -11,6 +11,7 @@ Gem::Specification.new do |s|
11
11
  s.authors = [
12
12
  "Konstantin Haase",
13
13
  "Corey Ward",
14
+ "David Kellum",
14
15
  "Fojas"
15
16
  ]
16
17
 
@@ -18,6 +19,7 @@ Gem::Specification.new do |s|
18
19
  s.email = [
19
20
  "konstantin.mailinglists@googlemail.com",
20
21
  "coreyward@me.com",
22
+ "dek-oss@gravitext.com",
21
23
  "developer@fojasaur.us"
22
24
  ]
23
25
 
@@ -59,7 +61,6 @@ Gem::Specification.new do |s|
59
61
 
60
62
  # dependencies
61
63
  s.add_dependency "rack"
62
- s.add_dependency "escape_utils"
63
64
  s.add_development_dependency "rack-test"
64
65
  s.add_development_dependency "rspec", "~> 2.0"
65
66
  end
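--- a/metadata
+++ b/metadata
@@ -1,21 +1,22 @@
 --- !ruby/object:Gem::Specification
 name: rack-protection
 version: !ruby/object:Gem::Version
-version: 1.0.0
+version: 1.1.2
 prerelease:
 platform: ruby
 authors:
 - Konstantin Haase
 - Corey Ward
+- David Kellum
 - Fojas
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2011-09-02 00:00:00.000000000Z
+date: 2011-10-01 00:00:00.000000000Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rack
-requirement: &2151828860 !ruby/object:Gem::Requirement
+requirement: &2152912960 !ruby/object:Gem::Requirement
 none: false
 requirements:
 - - ! '>='
@@ -23,21 +24,10 @@ dependencies:
 version: '0'
 type: :runtime
 prerelease: false
-version_requirements: *2151828860
-- !ruby/object:Gem::Dependency
-name: escape_utils
-requirement: &2151828040 !ruby/object:Gem::Requirement
-none: false
-requirements:
-- - ! '>='
-- !ruby/object:Gem::Version
-version: '0'
-type: :runtime
-prerelease: false
-version_requirements: *2151828040
+version_requirements: *2152912960
 - !ruby/object:Gem::Dependency
 name: rack-test
-requirement: &2151827300 !ruby/object:Gem::Requirement
+requirement: &2152911920 !ruby/object:Gem::Requirement
 none: false
 requirements:
 - - ! '>='
@@ -45,10 +35,10 @@ dependencies:
 version: '0'
 type: :development
 prerelease: false
-version_requirements: *2151827300
+version_requirements: *2152911920
 - !ruby/object:Gem::Dependency
 name: rspec
-requirement: &2151826180 !ruby/object:Gem::Requirement
+requirement: &2152909740 !ruby/object:Gem::Requirement
 none: false
 requirements:
 - - ~>
@@ -56,11 +46,12 @@ dependencies:
 version: '2.0'
 type: :development
 prerelease: false
-version_requirements: *2151826180
+version_requirements: *2152909740
 description: You should use protection!
 email:
 - konstantin.mailinglists@googlemail.com
 - coreyward@me.com
+- dek-oss@gravitext.com
 - developer@fojasaur.us
 executables: []
 extensions: []
@@ -118,7 +109,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 1.8.6
+rubygems_version: 1.8.10
 signing_key:
 specification_version: 3
 summary: You should use protection!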