rack-protection 2.0.1.rc1 → 2.0.2

Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
- SHA1:
3
- metadata.gz: 9ca2e92c0c0ea291a4fe70147390728620e34484
4
- data.tar.gz: 2d0def4c47eeb73f7bb726d30efe6c89211c8a7e
2
+ SHA256:
3
+ metadata.gz: 6015d056e4f5265f3c1fdc7178cceed9fc00de04e58da0978c6c2556327fdf81
4
+ data.tar.gz: ee55a7522a64747e3cf0eb18711e86010761eb20abdcef4e6620367e6f96cb79
5
5
  SHA512:
6
- metadata.gz: 4f63dd691c176f7a1d765c6780565797441d203df82473d5e75c4ebbdd84771f5aee2ba318726292e8692d5c489e4794b16c5fa1c40c5bb722782d615524272e
7
- data.tar.gz: d3c6150b41f30cf81e0fe4135d3cd470e76a2506b9578ed5500ba5c4211d8a76a2d07650c149e151d06b8fc12752ce40899dcd992f80b4b9f7f6b98707f77f13
6
+ metadata.gz: 263d4ac4c912957ec1e37058d1c16ba096dc0ffa06dfc6018ee27d9cd3dd4664eb97c2e1b6f122f38eb20edec7a823424e933c879605adf92e77c94ba1b39862
7
+ data.tar.gz: 5ebba7b3867d64cb2ac48a0de559611719f4cce0e901c30dab1e8a6190530be971c33c637c1bff3949fa14871fd5bc532ebe94e58439fb184ac76dae10b5df68
data/Gemfile CHANGED
@@ -1,4 +1,4 @@
1
- source "http://rubygems.org"
1
+ source "https://rubygems.org"
2
2
  # encoding: utf-8
3
3
 
4
4
  gem 'rake'
@@ -9,14 +9,78 @@ module Rack
9
9
  # Supported browsers:: all
10
10
  # More infos:: http://en.wikipedia.org/wiki/Cross-site_request_forgery
11
11
  #
12
- # Only accepts unsafe HTTP requests if a given access token matches the token
13
- # included in the session.
12
+ # This middleware only accepts requests other than <tt>GET</tt>,
13
+ # <tt>HEAD</tt>, <tt>OPTIONS</tt>, <tt>TRACE</tt> if their given access
14
+ # token matches the token included in the session.
14
15
  #
15
- # Compatible with rack-csrf.
16
+ # It checks the <tt>X-CSRF-Token</tt> header and the <tt>POST</tt> form
17
+ # data.
16
18
  #
17
- # Options:
19
+ # Compatible with the {rack-csrf}[https://rubygems.org/gems/rack_csrf] gem.
18
20
  #
19
- # authenticity_param: Defines the param's name that should contain the token on a request.
21
+ # == Options
22
+ #
23
+ # [<tt>:authenticity_param</tt>] the name of the param that should contain
24
+ # the token on a request. Default value:
25
+ # <tt>"authenticity_token"</tt>
26
+ #
27
+ # == Example: Forms application
28
+ #
29
+ # To show what the AuthenticityToken does, this section includes a sample
30
+ # program which shows two forms. One with, and one without a CSRF token
31
+ # The one without CSRF token field will get a 403 Forbidden response.
32
+ #
33
+ # Install the gem, then run the program:
34
+ #
35
+ # gem install 'rack-protection'
36
+ # ruby server.rb
37
+ #
38
+ # Here is <tt>server.rb</tt>:
39
+ #
40
+ # require 'rack/protection'
41
+ #
42
+ # app = Rack::Builder.app do
43
+ # use Rack::Session::Cookie, secret: 'secret'
44
+ # use Rack::Protection::AuthenticityToken
45
+ #
46
+ # run -> (env) do
47
+ # [200, {}, [
48
+ # <<~EOS
49
+ # <!DOCTYPE html>
50
+ # <html lang="en">
51
+ # <head>
52
+ # <meta charset="UTF-8" />
53
+ # <title>rack-protection minimal example</title>
54
+ # </head>
55
+ # <body>
56
+ # <h1>Without Authenticity Token</h1>
57
+ # <p>This takes you to <tt>Forbidden</tt></p>
58
+ # <form action="" method="post">
59
+ # <input type="text" name="foo" />
60
+ # <input type="submit" />
61
+ # </form>
62
+ #
63
+ # <h1>With Authenticity Token</h1>
64
+ # <p>This successfully takes you to back to this form.</p>
65
+ # <form action="" method="post">
66
+ # <input type="hidden" name="authenticity_token" value="#{env['rack.session'][:csrf]}" />
67
+ # <input type="text" name="foo" />
68
+ # <input type="submit" />
69
+ # </form>
70
+ # </body>
71
+ # </html>
72
+ # EOS
73
+ # ]]
74
+ # end
75
+ # end
76
+ #
77
+ # Rack::Handler::WEBrick.run app
78
+ #
79
+ # == Example: Customize which POST parameter holds the token
80
+ #
81
+ # To customize the authenticity parameter for form data, use the
82
+ # <tt>:authenticity_param</tt> option:
83
+ # use Rack::Protection::AuthenticityToken, authenticity_param: 'your_token_param_name'
20
84
  class AuthenticityToken < Base
21
85
  TOKEN_LENGTH = 32
22
86
 
@@ -13,7 +13,7 @@ module Rack
13
13
  :session_key => 'rack.session', :status => 403,
14
14
  :allow_empty_referrer => true,
15
15
  :report_key => "protection.failed",
16
- :html_types => %w[text/html application/xhtml]
16
+ :html_types => %w[text/html application/xhtml text/xml application/xml]
17
17
  }
18
18
 
19
19
  attr_reader :app, :options
@@ -1,5 +1,5 @@
1
1
  module Rack
2
2
  module Protection
3
- VERSION = '2.0.1.rc1'
3
+ VERSION = '2.0.2'
4
4
  end
5
5
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rack-protection
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.0.1.rc1
4
+ version: 2.0.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - https://github.com/sinatra/sinatra/graphs/contributors
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2018-02-13 00:00:00.000000000 Z
11
+ date: 2018-06-05 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rack
@@ -98,12 +98,12 @@ required_ruby_version: !ruby/object:Gem::Requirement
98
98
  version: '0'
99
99
  required_rubygems_version: !ruby/object:Gem::Requirement
100
100
  requirements:
101
- - - ">"
101
+ - - ">="
102
102
  - !ruby/object:Gem::Version
103
- version: 1.3.1
103
+ version: '0'
104
104
  requirements: []
105
105
  rubyforge_project:
106
- rubygems_version: 2.6.8
106
+ rubygems_version: 2.7.6
107
107
  signing_key:
108
108
  specification_version: 4
109
109
  summary: Protect against typical web attacks, works with all Rack apps, including