rack-protection 2.0.1 → 2.0.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +5 -5
- data/Gemfile +1 -1
- data/lib/rack/protection/authenticity_token.rb +69 -5
- data/lib/rack/protection/base.rb +1 -1
- data/lib/rack/protection/version.rb +1 -1
- metadata +3 -3
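--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
-
-metadata.gz:
-data.tar.gz:
+SHA256:
+metadata.gz: 6015d056e4f5265f3c1fdc7178cceed9fc00de04e58da0978c6c2556327fdf81
+data.tar.gz: ee55a7522a64747e3cf0eb18711e86010761eb20abdcef4e6620367e6f96cb79
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 263d4ac4c912957ec1e37058d1c16ba096dc0ffa06dfc6018ee27d9cd3dd4664eb97c2e1b6f122f38eb20edec7a823424e933c879605adf92e77c94ba1b39862
+data.tar.gz: 5ebba7b3867d64cb2ac48a0de559611719f4cce0e901c30dab1e8a6190530be971c33c637c1bff3949fa14871fd5bc532ebe94e58439fb184ac76dae10b5df68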
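--- a/data/lib/rack/protection/authenticity_token.rb
+++ b/data/lib/rack/protection/authenticity_token.rb
@@ -9,14 +9,78 @@ module Rack
 # Supported browsers:: all
 # More infos:: http://en.wikipedia.org/wiki/Cross-site_request_forgery
 #
-#
-#
+# This middleware only accepts requests other than <tt>GET</tt>,
+# <tt>HEAD</tt>, <tt>OPTIONS</tt>, <tt>TRACE</tt> if their given access
+# token matches the token included in the session.
 #
-#
+# It checks the <tt>X-CSRF-Token</tt> header and the <tt>POST</tt> form
+# data.
 #
-#
+# Compatible with the {rack-csrf}[https://rubygems.org/gems/rack_csrf] gem.
 #
-#
+# == Options
+#
+# [<tt>:authenticity_param</tt>] the name of the param that should contain
+# the token on a request. Default value:
+# <tt>"authenticity_token"</tt>
+#
+# == Example: Forms application
+#
+# To show what the AuthenticityToken does, this section includes a sample
+# program which shows two forms. One with, and one without a CSRF token
+# The one without CSRF token field will get a 403 Forbidden response.
+#
+# Install the gem, then run the program:
+#
+# gem install 'rack-protection'
+# ruby server.rb
+#
+# Here is <tt>server.rb</tt>:
+#
+# require 'rack/protection'
+#
+# app = Rack::Builder.app do
+# use Rack::Session::Cookie, secret: 'secret'
+# use Rack::Protection::AuthenticityToken
+#
+# run -> (env) do
+# [200, {}, [
+# <<~EOS
+# <!DOCTYPE html>
+# <html lang="en">
+# <head>
+# <meta charset="UTF-8" />
+# <title>rack-protection minimal example</title>
+# </head>
+# <body>
+# <h1>Without Authenticity Token</h1>
+# <p>This takes you to <tt>Forbidden</tt></p>
+# <form action="" method="post">
+# <input type="text" name="foo" />
+# <input type="submit" />
+# </form>
+#
+# <h1>With Authenticity Token</h1>
+# <p>This successfully takes you to back to this form.</p>
+# <form action="" method="post">
+# <input type="hidden" name="authenticity_token" value="#{env['rack.session'][:csrf]}" />
+# <input type="text" name="foo" />
+# <input type="submit" />
+# </form>
+# </body>
+# </html>
+# EOS
+# ]]
+# end
+# end
+#
+# Rack::Handler::WEBrick.run app
+#
+# == Example: Customize which POST parameter holds the token
+#
+# To customize the authenticity parameter for form data, use the
+# <tt>:authenticity_param</tt> option:
+# use Rack::Protection::AuthenticityToken, authenticity_param: 'your_token_param_name'
 class AuthenticityToken < Base
 TOKEN_LENGTH = 32
 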
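Review bot: The sample `server.rb` on new line 43 hard-codes `secret: 'secret'` for `Rack::Session::Cookie`; because the middleware accepts a request only when the submitted token matches the one stored in the session (new lines 12-14), a guessable cookie secret lets an attacker sign their own session with a token of their choosing, so a copied example offers no real CSRF protection. Suggest `use Rack::Session::Cookie, secret: ENV.fetch('SESSION_SECRET')` or at least the comment `# demo only: use a long random secret (e.g. SecureRandom.hex(64)) in real deployments`. On line 66 the token is interpolated straight into the `value` attribute; it is generated by the middleware so this is presumably harmless today, but wrapping it in `Rack::Utils.escape_html(...)` keeps the example safe to copy for other session values. The `AuthenticityToken` class body continues past the end of the hunk.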
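--- a/data/lib/rack/protection/base.rb
+++ b/data/lib/rack/protection/base.rb
@@ -13,7 +13,7 @@ module Rack
 :session_key => 'rack.session', :status => 403,
 :allow_empty_referrer => true,
 :report_key => "protection.failed",
-:html_types => %w[text/html application/xhtml]
+:html_types => %w[text/html application/xhtml text/xml application/xml]
 }
 
 attr_reader :app, :options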
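Review bot: Widening `:html_types` to `text/xml` and `application/xml` on line 16 means every protection that gates on this list will now also act on XML responses (API payloads, feeds), which is an observable header change for those clients and deserves a changelog entry or a comment such as `# also treated as markup so XSS/framing headers are applied to XML bodies`. The pre-existing `application/xhtml` entry is not a registered media type — XHTML is served as `application/xhtml+xml` — so if the comparison elsewhere matches the full type string (not visible in this hunk) that entry never fires; consider `application/xhtml+xml` if that is the case. The options hash this line belongs to starts before the hunk.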
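--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack-protection
 version: !ruby/object:Gem::Version
-version: 2.0.
+version: 2.0.2
 platform: ruby
 authors:
 - https://github.com/sinatra/sinatra/graphs/contributors
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-
+date: 2018-06-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rack
@@ -103,7 +103,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.6
+rubygems_version: 2.7.6
 signing_key:
 specification_version: 4
 summary: Protect against typical web attacks, works with all Rack apps, including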