rack-protection 1.0.0 → 1.1.2

data/README.md

@@ -92,3 +92,11 @@ First stable release.
 Changes:
 
 * Fix bug in JsonCsrf
+
+## v1.1.0 (2011/09/03)
+
+Second public release.
+
+Changes:
+
+* Dependency on `escape_utils` is now optional

data/lib/rack/protection/escaped_params.rb

@@ -1,5 +1,10 @@
 require 'rack/protection'
-require 'escape_utils'
+require 'rack/utils'
+
+begin
+  require 'escape_utils'
+rescue LoadError
+end
 
 module Rack
   module Protection
@@ -16,14 +21,28 @@ module Rack
     # escape:: What escaping modes to use, should be Symbol or Array of Symbols.
     #          Available: :html (default), :javascript, :url
     class EscapedParams < Base
-      default_options :escape => :html
+      extend Rack::Utils
+
+      class << self
+        alias escape_url escape
+        public :escape_html
+      end
+
+      default_options :escape => :html,
+        :escaper => defined?(EscapeUtils) ? EscapeUtils : self
 
       def initialize(*)
         super
-        modes = Array options[:escape]
-        code  = "def self.escape_string(str) %s end"
-        modes.each { |m| code %= "EscapeUtils.escape_#{m}(%s)"}
-        eval code % 'str'
+
+        modes       = Array options[:escape]
+        @escaper    = options[:escaper]
+        @html       = modes.include? :html
+        @javascript = modes.include? :javascript
+        @url        = modes.include? :url
+
+        if @javascript and not @escaper.respond_to? :escape_javascript
+          fail("Use EscapeUtils for JavaScript escaping.")
+        end
       end
 
       def call(env)
@@ -32,7 +51,7 @@ module Rack
         post_was = handle(request.POST) rescue nil
         app.call env
       ensure
-        request.GET.replace get_was
+        request.GET.replace  get_was  if get_was
         request.POST.replace post_was if post_was
       end
 
@@ -56,6 +75,13 @@ module Rack
         hash.each { |k,v| hash[k] = escape(v) }
         hash
       end
+
+      def escape_string(str)
+        str = @escaper.escape_url(str)        if @url
+        str = @escaper.escape_html(str)       if @html
+        str = @escaper.escape_javascript(str) if @javascript
+        str
+      end
     end
   end
 end

data/lib/rack/protection/ip_spoofing.rb

@@ -13,7 +13,7 @@ module Rack
 
       def accepts?(env)
         return true unless env.include? 'HTTP_X_FORWARDED_FOR'
-        ips = env['HTTP_X_FORWARDED_FOR'].split /\s*,\s*/
+        ips = env['HTTP_X_FORWARDED_FOR'].split(/\s*,\s*/)
         return false if env.include? 'HTTP_CLIENT_IP' and not ips.include? env['HTTP_CLIENT_IP']
         return false if env.include? 'HTTP_X_REAL_IP' and not ips.include? env['HTTP_X_REAL_IP']
         true

data/lib/rack/protection/path_traversal.rb

@@ -19,10 +19,17 @@ module Rack
       end
 
       def cleanup(path)
-        return cleanup("/" << path)[1..-1] unless path[0] == ?/
-        escaped = ::File.expand_path path.gsub('%2e', '.').gsub('%2f', '/')
-        escaped << '/' if escaped[-1] != ?/ and path =~ /\/\.{0,2}$/
-        escaped.gsub /\/\/+/, '/'
+        parts     = []
+        unescaped = path.gsub('%2e', '.').gsub('%2f', '/')
+
+        unescaped.split('/').each do |part|
+          next if part.empty? or part == '.'
+          part == '..' ? parts.pop : parts << part
+        end
+
+        cleaned = '/' << parts.join('/')
+        cleaned << '/' if parts.any? and unescaped =~ /\/\.{0,2}$/
+        cleaned
       end
     end
   end

data/lib/rack/protection/version.rb

@@ -4,41 +4,13 @@ module Rack
       VERSION
     end
 
-    module VERSION
-      extend Comparable
+    SIGNATURE = [1, 1, 2]
+    VERSION   = SIGNATURE.join('.')
 
-      MAJOR     = 1
-      MINOR     = 0
-      TINY      = 0
-      SIGNATURE = [MAJOR, MINOR, TINY]
-      STRING    = SIGNATURE.join '.'
-
-      def self.major; MAJOR  end
-      def self.minor; MINOR  end
-      def self.tiny;  TINY   end
-      def self.to_s;  STRING end
-
-      def self.hash
-        STRING.hash
-      end
-
-      def self.<=>(other)
-        other = other.split('.').map { |i| i.to_i } if other.respond_to? :split
-        SIGNATURE <=> Array(other)
-      end
-
-      def self.inspect
-        STRING.inspect
-      end
-
-      def self.respond_to?(meth, *)
-        meth.to_s !~ /^__|^to_str$/ and STRING.respond_to? meth unless super
-      end
-
-      def self.method_missing(meth, *args, &block)
-        return super unless STRING.respond_to?(meth)
-        STRING.send(meth, *args, &block)
-      end
+    VERSION.extend Comparable
+    def VERSION.<=>(other)
+      other = other.split('.').map { |i| i.to_i } if other.respond_to? :split
+      SIGNATURE <=> Array(other)
     end
   end
 end

data/rack-protection.gemspec

@@ -2,7 +2,7 @@
 Gem::Specification.new do |s|
   # general infos
   s.name        = "rack-protection"
-  s.version     = "1.0.0"
+  s.version     = "1.1.2"
   s.description = "You should use protection!"
   s.homepage    = "http://github.com/rkh/rack-protection"
   s.summary     = s.description
@@ -11,6 +11,7 @@ Gem::Specification.new do |s|
   s.authors = [
     "Konstantin Haase",
     "Corey Ward",
+    "David Kellum",
     "Fojas"
   ]
 
@@ -18,6 +19,7 @@ Gem::Specification.new do |s|
   s.email = [
     "konstantin.mailinglists@googlemail.com",
     "coreyward@me.com",
+    "dek-oss@gravitext.com",
     "developer@fojasaur.us"
   ]
 
@@ -59,7 +61,6 @@ Gem::Specification.new do |s|
 
   # dependencies
   s.add_dependency "rack"
-  s.add_dependency "escape_utils"
   s.add_development_dependency "rack-test"
   s.add_development_dependency "rspec", "~> 2.0"
 end

metadata

@@ -1,21 +1,22 @@
 --- !ruby/object:Gem::Specification
 name: rack-protection
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.1.2
   prerelease: 
 platform: ruby
 authors:
 - Konstantin Haase
 - Corey Ward
+- David Kellum
 - Fojas
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2011-09-02 00:00:00.000000000Z
+date: 2011-10-01 00:00:00.000000000Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
-  requirement: &2151828860 !ruby/object:Gem::Requirement
+  requirement: &2152912960 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -23,21 +24,10 @@ dependencies:
         version: '0'
   type: :runtime
   prerelease: false
-  version_requirements: *2151828860
-- !ruby/object:Gem::Dependency
-  name: escape_utils
-  requirement: &2151828040 !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :runtime
-  prerelease: false
-  version_requirements: *2151828040
+  version_requirements: *2152912960
 - !ruby/object:Gem::Dependency
   name: rack-test
-  requirement: &2151827300 !ruby/object:Gem::Requirement
+  requirement: &2152911920 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -45,10 +35,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *2151827300
+  version_requirements: *2152911920
 - !ruby/object:Gem::Dependency
   name: rspec
-  requirement: &2151826180 !ruby/object:Gem::Requirement
+  requirement: &2152909740 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -56,11 +46,12 @@ dependencies:
         version: '2.0'
   type: :development
   prerelease: false
-  version_requirements: *2151826180
+  version_requirements: *2152909740
 description: You should use protection!
 email:
 - konstantin.mailinglists@googlemail.com
 - coreyward@me.com
+- dek-oss@gravitext.com
 - developer@fojasaur.us
 executables: []
 extensions: []
@@ -118,7 +109,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 1.8.6
+rubygems_version: 1.8.10
 signing_key: 
 specification_version: 3
 summary: You should use protection!