rack-protection 1.5.3 → 1.5.5
    
        checksums.yaml
    CHANGED
    
    | @@ -1,7 +1,7 @@ | |
| 1 1 | 
             
            ---
         | 
| 2 | 
            -
             | 
| 3 | 
            -
              metadata.gz:  | 
| 4 | 
            -
              data.tar.gz:  | 
| 2 | 
            +
            SHA256:
         | 
| 3 | 
            +
              metadata.gz: 2b7d78da301d9f7fc81ae73e46a389c2b8ce10ab8121f169fd760018ac506d47
         | 
| 4 | 
            +
              data.tar.gz: a91bd28f8624f325d6714262ac11d83e0a347405f14e600780cb1bfd846e5b34
         | 
| 5 5 | 
             
            SHA512:
         | 
| 6 | 
            -
              metadata.gz:  | 
| 7 | 
            -
              data.tar.gz:  | 
| 6 | 
            +
              metadata.gz: 0c5de92c0283313c00d50c1f9a219c808ad587caabff81c4d1530abd8f0e7d9c0f3753ad9bab7c06a29ce97b2a717fddc04ced642adff058f3431419286e4da6
         | 
| 7 | 
            +
              data.tar.gz: d3bf5830bf30475871b73ba54ee38f962bd93c2e1f420b59b649d6dcb7f97d89f091d3add3f692ba847ffe5f5c6cade665d522c86220087d977fb3706e41bd58
         | 
| @@ -23,8 +23,8 @@ module Rack | |
| 23 23 | 
             
                    session = session env
         | 
| 24 24 | 
             
                    token   = session[:csrf] ||= session['_csrf_token'] || random_string
         | 
| 25 25 | 
             
                    safe?(env) ||
         | 
| 26 | 
            -
                      env['HTTP_X_CSRF_TOKEN']  | 
| 27 | 
            -
                      Request.new(env).params[options[:authenticity_param]]  | 
| 26 | 
            +
                      secure_compare(env['HTTP_X_CSRF_TOKEN'].to_s, token) ||
         | 
| 27 | 
            +
                      secure_compare(Request.new(env).params[options[:authenticity_param]].to_s, token)
         | 
| 28 28 | 
             
                  end
         | 
| 29 29 | 
             
                end
         | 
| 30 30 | 
             
              end
         | 
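Review bot: The `.to_s` on the two new comparison lines turns an absent `X-CSRF-Token` header or form parameter into `""`, so if `token` is ever the empty string (the `||=` on line 24 keeps `""` coming from `session['_csrf_token']`, since `""` is truthy) a request with no token now passes where the old `==` against `nil` did not. Whether that session key can hold an empty string depends on code outside this hunk, so treat this as hardening rather than a confirmed bypass. Comparing only when a String was actually supplied removes the question while still tolerating non-String params: `(h = env['HTTP_X_CSRF_TOKEN']).is_a?(String) && secure_compare(h, token) ||` and `(v = Request.new(env).params[options[:authenticity_param]]).is_a?(String) && secure_compare(v, token)`. The method this hunk belongs to begins before line 23, outside the hunk.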
    
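--- a/data/lib/rack/protection/base.rb
+++ b/data/lib/rack/protection/base.rb
@@ -110,6 +110,30 @@ module Rack
         options[:encryptor].hexdigest value.to_s
       end
 
+      # The implementations of secure_compare and bytesize are taken from
+      # Rack::Utils to be able to support rack older than XXXX.
+      def secure_compare(a, b)
+        return false unless bytesize(a) == bytesize(b)
+
+        l = a.unpack("C*")
+
+        r, i = 0, -1
+        b.each_byte { |v| r |= v ^ l[i+=1] }
+        r == 0
+      end
+
+      # Return the bytesize of String; uses String#size under Ruby 1.8 and
+      # String#bytesize under 1.9.
+      if ''.respond_to?(:bytesize)
+        def bytesize(string)
+          string.bytesize
+        end
+      else
+        def bytesize(string)
+          string.size
+        end
+      end
+
       alias default_reaction deny
 
       def html?(headers)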
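Review bot: The comment above the new `secure_compare` still carries the placeholder `XXXX` instead of the Rack release whose `Rack::Utils` provides the helper, so a reader cannot tell when this fallback can be deleted; replace it with the real version, e.g. `# Rack::Utils to be able to support rack older than <version>.` (I have not verified which release that is). It is also worth stating the helper's contract next to it, since the early `return false` on a length mismatch means only the content comparison is constant-time: `# Constant-time for equal-length inputs; the length itself is not hidden.` Both `secure_compare` and `bytesize` are defined as public instance methods here; if they are not meant to be part of the middleware API they belong under `private`, but the class's visibility section is outside this hunk.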
| @@ -24,14 +24,17 @@ module Rack | |
| 24 24 | 
             
                      encoding = path.encoding
         | 
| 25 25 | 
             
                      dot   = '.'.encode(encoding)
         | 
| 26 26 | 
             
                      slash = '/'.encode(encoding)
         | 
| 27 | 
            +
                      backslash = '\\'.encode(encoding)
         | 
| 27 28 | 
             
                    else
         | 
| 28 29 | 
             
                      # Ruby 1.8
         | 
| 29 30 | 
             
                      dot   = '.'
         | 
| 30 31 | 
             
                      slash = '/'
         | 
| 32 | 
            +
                      backslash = '\\'
         | 
| 31 33 | 
             
                    end
         | 
| 32 34 |  | 
| 33 35 | 
             
                    parts     = []
         | 
| 34 | 
            -
                    unescaped = path.gsub(/%2e/i, dot).gsub(/%2f/i, slash)
         | 
| 36 | 
            +
                    unescaped = path.gsub(/%2e/i, dot).gsub(/%2f/i, slash).gsub(/%5c/i, backslash)
         | 
| 37 | 
            +
                    unescaped = unescaped.gsub(backslash, slash)
         | 
| 35 38 |  | 
| 36 39 | 
             
                    unescaped.split(slash).each do |part|
         | 
| 37 40 | 
             
                      next if part.empty? or part == dot
         | 
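Review bot: The new line `unescaped = unescaped.gsub(backslash, slash)` makes `\` a path separator on every platform but carries no comment saying why; suggest `# Treat "\" like "/" so "..\" and %5c-encoded backslashes cannot sidestep the dot-segment checks below.` Note also that, as before this change, only a single layer of `%2e`/`%2f`/`%5c` is decoded on the preceding line, so a double-encoded `%255c` is left literal; whether that matters depends on whether the caller already percent-decoded the path, which is outside this hunk. The method this hunk sits in starts before line 24 and continues past line 40.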
    
        data/rack-protection.gemspec
    CHANGED
    
    
    
        metadata
    CHANGED
    
    | @@ -1,7 +1,7 @@ | |
| 1 1 | 
             
            --- !ruby/object:Gem::Specification
         | 
| 2 2 | 
             
            name: rack-protection
         | 
| 3 3 | 
             
            version: !ruby/object:Gem::Version
         | 
| 4 | 
            -
              version: 1.5. | 
| 4 | 
            +
              version: 1.5.5
         | 
| 5 5 | 
             
            platform: ruby
         | 
| 6 6 | 
             
            authors:
         | 
| 7 7 | 
             
            - Konstantin Haase
         | 
| @@ -35,7 +35,7 @@ authors: | |
| 35 35 | 
             
            autorequire: 
         | 
| 36 36 | 
             
            bindir: bin
         | 
| 37 37 | 
             
            cert_chain: []
         | 
| 38 | 
            -
            date:  | 
| 38 | 
            +
            date: 2018-03-07 00:00:00.000000000 Z
         | 
| 39 39 | 
             
            dependencies:
         | 
| 40 40 | 
             
            - !ruby/object:Gem::Dependency
         | 
| 41 41 | 
             
              name: rack
         | 
| @@ -168,9 +168,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement | |
| 168 168 | 
             
                  version: '0'
         | 
| 169 169 | 
             
            requirements: []
         | 
| 170 170 | 
             
            rubyforge_project: 
         | 
| 171 | 
            -
            rubygems_version: 2. | 
| 171 | 
            +
            rubygems_version: 2.7.3
         | 
| 172 172 | 
             
            signing_key: 
         | 
| 173 173 | 
             
            specification_version: 4
         | 
| 174 174 | 
             
            summary: You should use protection!
         | 
| 175 175 | 
             
            test_files: []
         | 
| 176 | 
            -
            has_rdoc: 
         |