rack-protection 2.0.1 → 2.0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 82bb8eedbee01c6c9183404515dc70cc7135844d
-  data.tar.gz: 19f676ac801969dbc0dd7a04dbeb5dc7561c5b76
+SHA256:
+  metadata.gz: 6015d056e4f5265f3c1fdc7178cceed9fc00de04e58da0978c6c2556327fdf81
+  data.tar.gz: ee55a7522a64747e3cf0eb18711e86010761eb20abdcef4e6620367e6f96cb79
 SHA512:
-  metadata.gz: 30b9dfe62c92269b96c52fa344b5d53fe074a87366a556f1321c7b4f93466f89745f2f8d4acc5d190f316e1cef01a846a797e198e7304310bfa57c6a2f7ec99e
-  data.tar.gz: a1821675a3324d297c37bae3c7aa5e606e9a879ed097ec163d4148657de18efc918477b062ea176c547393830e93d56e5c3149b20e7bcee63de6dde2101da392
+  metadata.gz: 263d4ac4c912957ec1e37058d1c16ba096dc0ffa06dfc6018ee27d9cd3dd4664eb97c2e1b6f122f38eb20edec7a823424e933c879605adf92e77c94ba1b39862
+  data.tar.gz: 5ebba7b3867d64cb2ac48a0de559611719f4cce0e901c30dab1e8a6190530be971c33c637c1bff3949fa14871fd5bc532ebe94e58439fb184ac76dae10b5df68

data/Gemfile

@@ -1,4 +1,4 @@
-source "http://rubygems.org"
+source "https://rubygems.org"
 # encoding: utf-8
 
 gem 'rake'

data/lib/rack/protection/authenticity_token.rb

@@ -9,14 +9,78 @@ module Rack
     # Supported browsers:: all
     # More infos::         http://en.wikipedia.org/wiki/Cross-site_request_forgery
     #
-    # Only accepts unsafe HTTP requests if a given access token matches the token
-    # included in the session.
+    # This middleware only accepts requests other than <tt>GET</tt>,
+    # <tt>HEAD</tt>, <tt>OPTIONS</tt>, <tt>TRACE</tt> if their given access
+    # token matches the token included in the session.
     #
-    # Compatible with rack-csrf.
+    # It checks the <tt>X-CSRF-Token</tt> header and the <tt>POST</tt> form
+    # data.
     #
-    # Options:
+    # Compatible with the {rack-csrf}[https://rubygems.org/gems/rack_csrf] gem.
     #
-    # authenticity_param: Defines the param's name that should contain the token on a request.
+    # == Options
+    #
+    # [<tt>:authenticity_param</tt>] the name of the param that should contain
+    #                                the token on a request. Default value:
+    #                                <tt>"authenticity_token"</tt>
+    #
+    # == Example: Forms application
+    #
+    # To show what the AuthenticityToken does, this section includes a sample
+    # program which shows two forms. One with, and one without a CSRF token
+    # The one without CSRF token field will get a 403 Forbidden response.
+    #
+    # Install the gem, then run the program:
+    #
+    #   gem install 'rack-protection'
+    #   ruby server.rb
+    #
+    # Here is <tt>server.rb</tt>:
+    #
+    #   require 'rack/protection'
+    #
+    #   app = Rack::Builder.app do
+    #     use Rack::Session::Cookie, secret: 'secret'
+    #     use Rack::Protection::AuthenticityToken
+    #
+    #     run -> (env) do
+    #       [200, {}, [
+    #         <<~EOS
+    #           <!DOCTYPE html>
+    #           <html lang="en">
+    #           <head>
+    #             <meta charset="UTF-8" />
+    #             <title>rack-protection minimal example</title>
+    #           </head>
+    #           <body>
+    #             <h1>Without Authenticity Token</h1>
+    #             <p>This takes you to <tt>Forbidden</tt></p>
+    #             <form action="" method="post">
+    #               <input type="text" name="foo" />
+    #               <input type="submit" />
+    #             </form>
+    #
+    #             <h1>With Authenticity Token</h1>
+    #             <p>This successfully takes you to back to this form.</p>
+    #             <form action="" method="post">
+    #               <input type="hidden" name="authenticity_token" value="#{env['rack.session'][:csrf]}" />
+    #               <input type="text" name="foo" />
+    #               <input type="submit" />
+    #             </form>
+    #           </body>
+    #           </html>
+    #         EOS
+    #       ]]
+    #     end
+    #   end
+    #
+    #   Rack::Handler::WEBrick.run app
+    #
+    # == Example: Customize which POST parameter holds the token
+    #
+    # To customize the authenticity parameter for form data, use the
+    # <tt>:authenticity_param</tt> option:
+    #   use Rack::Protection::AuthenticityToken, authenticity_param: 'your_token_param_name'
     class AuthenticityToken < Base
       TOKEN_LENGTH = 32
 

data/lib/rack/protection/base.rb

@@ -13,7 +13,7 @@ module Rack
         :session_key => 'rack.session',    :status    => 403,
         :allow_empty_referrer => true,
         :report_key           => "protection.failed",
-        :html_types           => %w[text/html application/xhtml]
+        :html_types           => %w[text/html application/xhtml text/xml application/xml]
       }
 
       attr_reader :app, :options

data/lib/rack/protection/version.rb

@@ -1,5 +1,5 @@
 module Rack
   module Protection
-    VERSION = '2.0.1'
+    VERSION = '2.0.2'
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack-protection
 version: !ruby/object:Gem::Version
-  version: 2.0.1
+  version: 2.0.2
 platform: ruby
 authors:
 - https://github.com/sinatra/sinatra/graphs/contributors
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-02-16 00:00:00.000000000 Z
+date: 2018-06-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -103,7 +103,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.8
+rubygems_version: 2.7.6
 signing_key: 
 specification_version: 4
 summary: Protect against typical web attacks, works with all Rack apps, including