rack-protection 2.0.1 → 2.0.2

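--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
-SHA1:
-metadata.gz: 82bb8eedbee01c6c9183404515dc70cc7135844d
-data.tar.gz: 19f676ac801969dbc0dd7a04dbeb5dc7561c5b76
+SHA256:
+metadata.gz: 6015d056e4f5265f3c1fdc7178cceed9fc00de04e58da0978c6c2556327fdf81
+data.tar.gz: ee55a7522a64747e3cf0eb18711e86010761eb20abdcef4e6620367e6f96cb79
 SHA512:
-metadata.gz: 30b9dfe62c92269b96c52fa344b5d53fe074a87366a556f1321c7b4f93466f89745f2f8d4acc5d190f316e1cef01a846a797e198e7304310bfa57c6a2f7ec99e
-data.tar.gz: a1821675a3324d297c37bae3c7aa5e606e9a879ed097ec163d4148657de18efc918477b062ea176c547393830e93d56e5c3149b20e7bcee63de6dde2101da392
+metadata.gz: 263d4ac4c912957ec1e37058d1c16ba096dc0ffa06dfc6018ee27d9cd3dd4664eb97c2e1b6f122f38eb20edec7a823424e933c879605adf92e77c94ba1b39862
+data.tar.gz: 5ebba7b3867d64cb2ac48a0de559611719f4cce0e901c30dab1e8a6190530be971c33c637c1bff3949fa14871fd5bc532ebe94e58439fb184ac76dae10b5df68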
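--- a/data/Gemfile
+++ b/data/Gemfile
@@ -1,4 +1,4 @@
-source "http://rubygems.org"
+source "https://rubygems.org"
 # encoding: utf-8
 
 gem 'rake'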
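Review bot: The switch to `source "https://rubygems.org"` only governs fresh resolution; if a `Gemfile.lock` is shipped alongside this Gemfile (none appears in this diff) it presumably still records `remote: http://rubygems.org/` and Bundler will keep fetching over plaintext until the lock is regenerated, so that file is worth checking in the same release. A short comment above the line, `# keep https: gems fetched over plain http can be swapped in transit`, would make the reason visible and discourage a later revert.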
@@ -9,14 +9,78 @@ module Rack
9
9
  # Supported browsers:: all
10
10
  # More infos:: http://en.wikipedia.org/wiki/Cross-site_request_forgery
11
11
  #
12
- # Only accepts unsafe HTTP requests if a given access token matches the token
13
- # included in the session.
12
+ # This middleware only accepts requests other than <tt>GET</tt>,
13
+ # <tt>HEAD</tt>, <tt>OPTIONS</tt>, <tt>TRACE</tt> if their given access
14
+ # token matches the token included in the session.
14
15
  #
15
- # Compatible with rack-csrf.
16
+ # It checks the <tt>X-CSRF-Token</tt> header and the <tt>POST</tt> form
17
+ # data.
16
18
  #
17
- # Options:
19
+ # Compatible with the {rack-csrf}[https://rubygems.org/gems/rack_csrf] gem.
18
20
  #
19
- # authenticity_param: Defines the param's name that should contain the token on a request.
21
+ # == Options
22
+ #
23
+ # [<tt>:authenticity_param</tt>] the name of the param that should contain
24
+ # the token on a request. Default value:
25
+ # <tt>"authenticity_token"</tt>
26
+ #
27
+ # == Example: Forms application
28
+ #
29
+ # To show what the AuthenticityToken does, this section includes a sample
30
+ # program which shows two forms. One with, and one without a CSRF token
31
+ # The one without CSRF token field will get a 403 Forbidden response.
32
+ #
33
+ # Install the gem, then run the program:
34
+ #
35
+ # gem install 'rack-protection'
36
+ # ruby server.rb
37
+ #
38
+ # Here is <tt>server.rb</tt>:
39
+ #
40
+ # require 'rack/protection'
41
+ #
42
+ # app = Rack::Builder.app do
43
+ # use Rack::Session::Cookie, secret: 'secret'
44
+ # use Rack::Protection::AuthenticityToken
45
+ #
46
+ # run -> (env) do
47
+ # [200, {}, [
48
+ # <<~EOS
49
+ # <!DOCTYPE html>
50
+ # <html lang="en">
51
+ # <head>
52
+ # <meta charset="UTF-8" />
53
+ # <title>rack-protection minimal example</title>
54
+ # </head>
55
+ # <body>
56
+ # <h1>Without Authenticity Token</h1>
57
+ # <p>This takes you to <tt>Forbidden</tt></p>
58
+ # <form action="" method="post">
59
+ # <input type="text" name="foo" />
60
+ # <input type="submit" />
61
+ # </form>
62
+ #
63
+ # <h1>With Authenticity Token</h1>
64
+ # <p>This successfully takes you to back to this form.</p>
65
+ # <form action="" method="post">
66
+ # <input type="hidden" name="authenticity_token" value="#{env['rack.session'][:csrf]}" />
67
+ # <input type="text" name="foo" />
68
+ # <input type="submit" />
69
+ # </form>
70
+ # </body>
71
+ # </html>
72
+ # EOS
73
+ # ]]
74
+ # end
75
+ # end
76
+ #
77
+ # Rack::Handler::WEBrick.run app
78
+ #
79
+ # == Example: Customize which POST parameter holds the token
80
+ #
81
+ # To customize the authenticity parameter for form data, use the
82
+ # <tt>:authenticity_param</tt> option:
83
+ # use Rack::Protection::AuthenticityToken, authenticity_param: 'your_token_param_name'
20
84
  class AuthenticityToken < Base
21
85
  TOKEN_LENGTH = 32
22
86
 
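Review bot: The sample program at `use Rack::Session::Cookie, secret: 'secret'` hard-codes a guessable cookie-signing secret, and examples like this get copied verbatim; with a known secret an attacker can mint a session cookie of their choosing, including the `:csrf` value the second form embeds, which defeats the very protection the example demonstrates. I would change the line to `use Rack::Session::Cookie, secret: ENV.fetch('SESSION_SECRET')` and put `# use a long random value (e.g. SecureRandom.hex(64)) kept out of source control` directly above it, or at minimum state in the prose before the listing that `'secret'` is illustration only. The comment also says the token is read from the `X-CSRF-Token` header and from POST form data; one sentence on which source takes precedence when both are sent would save readers a trip into the code. The `AuthenticityToken` class this comment documents begins on the hunk's last lines and its body continues outside the hunk.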
@@ -13,7 +13,7 @@ module Rack
13
13
  :session_key => 'rack.session', :status => 403,
14
14
  :allow_empty_referrer => true,
15
15
  :report_key => "protection.failed",
16
- :html_types => %w[text/html application/xhtml]
16
+ :html_types => %w[text/html application/xhtml text/xml application/xml]
17
17
  }
18
18
 
19
19
  attr_reader :app, :options
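Review bot: The new `:html_types` default keeps `application/xhtml`, but the registered media type for XHTML is `application/xhtml+xml`; if the code that consumes this list (not in this hunk) compares the full media type, that entry never matches and XHTML responses miss the protections keyed on this list even though `text/xml` and `application/xml` now get them. I would make the line `:html_types => %w[text/html application/xhtml+xml text/xml application/xml]` (keeping `application/xhtml` as well if any consumer is known to depend on it) and add `# Content-Types treated as HTML when deciding whether to apply header-based protections` above it, since the list's purpose is otherwise only implied by its name. The options hash this line belongs to starts before the hunk, so I could not confirm how the comparison is done.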
@@ -1,5 +1,5 @@
1
1
  module Rack
2
2
  module Protection
3
- VERSION = '2.0.1'
3
+ VERSION = '2.0.2'
4
4
  end
5
5
  end
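--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack-protection
 version: !ruby/object:Gem::Version
-version: 2.0.1
+version: 2.0.2
 platform: ruby
 authors:
 - https://github.com/sinatra/sinatra/graphs/contributors
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-02-16 00:00:00.000000000 Z
+date: 2018-06-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rack
@@ -103,7 +103,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.6.8
+rubygems_version: 2.7.6
 signing_key:
 specification_version: 4
 summary: Protect against typical web attacks, works with all Rack apps, including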