rack-protection 1.5.1 → 1.5.2



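--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: d142ba2e517a486c07d79a7c7a80061fe405a84d
-data.tar.gz: 43a1d8c17e3bc26171c5c75bc22eaded63b4587c
+metadata.gz: 522f79f2479b2792fe66e2e0831afa23d9b4c039
+data.tar.gz: 093a7f64d629cde5c16ef3355fe4604d57fee5d0
 SHA512:
-metadata.gz: df0552ef6da37611e34ff91e664521794681596cfd3898bf1cd5acb8150eea553db1bc761dc9fc3c90900884a3f5128368096bd9a1e386c84e90fe9c0fb83431
-data.tar.gz: 4903af66fc37585786fb5650f9475695d3f0455f984c2621bc35ed9ae7addb19588fbc55d134cbf891f972c0316305e426c0d90ecdd9431273ad69a37585ef92
+metadata.gz: ecb85cac807d3e454773435a8d931a36c4edd90d11aa85486efe80cfd8bf021684394547f9e22cffab41ee798301743322d937d82d88556a443dc498411c4f8b
+data.tar.gz: f4c57b6fa768de957a90f234efb45aa0b50581322e1c953b159549e8ac4d137f673538137d51bc9eb35fce7b7ad54bfd24fe35c3c7466686575f41844afff35a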
@@ -9,12 +9,12 @@ module Rack
9
9
  #
10
10
  # Tracks request properties like the user agent in the session and empties
11
11
  # the session if those properties change. This essentially prevents attacks
12
- # from Firesheep. Since all headers taken into consideration might be
13
- # spoofed, too, this will not prevent all hijacking attempts.
12
+ # from Firesheep. Since all headers taken into consideration can be
13
+ # spoofed, too, this will not prevent determined hijacking attempts.
14
14
  class SessionHijacking < Base
15
15
  default_reaction :drop_session
16
16
  default_options :tracking_key => :tracking, :encrypt_tracking => true,
17
- :track => %w[HTTP_USER_AGENT HTTP_ACCEPT_ENCODING HTTP_ACCEPT_LANGUAGE]
17
+ :track => %w[HTTP_USER_AGENT HTTP_ACCEPT_LANGUAGE]
18
18
 
19
19
  def accepts?(env)
20
20
  session = session env
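Review bot: The new `default_options` at line 17 drops HTTP_ACCEPT_ENCODING from the tracked header set without a comment saying why, so a maintainer reading only this file may later restore it and reintroduce the spurious session drops. The spec hunk in this commit says a changing Accept-Encoding previously led to clearing the session, which suggests that header varies within one legitimate session; I would record that next to the option: `# HTTP_ACCEPT_ENCODING is deliberately not tracked: it appears to change within a legitimate session and caused the session to be dropped.` It would also help to state in the class comment that `:track` can be overridden by applications that want the stricter set. The `accepts?` method starting at line 19 continues past the hunk.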
@@ -4,7 +4,7 @@ module Rack
4
4
  VERSION
5
5
  end
6
6
 
7
- SIGNATURE = [1, 5, 1]
7
+ SIGNATURE = [1, 5, 2]
8
8
  VERSION = SIGNATURE.join('.')
9
9
 
10
10
  VERSION.extend Comparable
@@ -2,7 +2,7 @@
2
2
  Gem::Specification.new do |s|
3
3
  # general infos
4
4
  s.name = "rack-protection"
5
- s.version = "1.5.1"
5
+ s.version = "1.5.2"
6
6
  s.description = "You should use protection!"
7
7
  s.homepage = "http://github.com/rkh/rack-protection"
8
8
  s.summary = s.description
@@ -13,19 +13,21 @@ Gem::Specification.new do |s|
13
13
  "Konstantin Haase",
14
14
  "Alex Rodionov",
15
15
  "Patrick Ellis",
16
- "Jeff Welling",
17
16
  "ITO Nobuaki",
18
17
  "Matteo Centenaro",
18
+ "Jeff Welling",
19
19
  "David Kellum",
20
20
  "Egor Homakov",
21
21
  "Florian Gilcher",
22
22
  "Fojas",
23
23
  "Mael Clerambault",
24
24
  "Martin Mauch",
25
+ "Renne Nissinen",
25
26
  "SAKAI, Kazuaki",
26
27
  "Stanislav Savulchik",
27
28
  "Steve Agalloco",
28
29
  "TOBY",
30
+ "Vipul A M",
29
31
  "Akzhan Abdulin",
30
32
  "brookemckim",
31
33
  "Bj\u00F8rge N\u00E6ss",
@@ -41,17 +43,19 @@ Gem::Specification.new do |s|
41
43
  "p0deje@gmail.com",
42
44
  "patrick@soundcloud.com",
43
45
  "jeff.welling@gmail.com",
44
- "bugant@gmail.com",
45
46
  "daydream.trippers@gmail.com",
47
+ "bugant@gmail.com",
46
48
  "homakov@gmail.com",
47
49
  "florian.gilcher@asquera.de",
48
50
  "developer@fojasaur.us",
49
51
  "mael@clerambault.fr",
50
52
  "martin.mauch@gmail.com",
53
+ "rennex@iki.fi",
51
54
  "kaz.july.7@gmail.com",
52
55
  "s.savulchik@gmail.com",
53
56
  "steve.agalloco@gmail.com",
54
57
  "toby.net.info.mail+git@gmail.com",
58
+ "vipulnsward@gmail.com",
55
59
  "akzhan.abdulin@gmail.com",
56
60
  "brooke@digitalocean.com",
57
61
  "bjoerge@bengler.no",
@@ -33,7 +33,6 @@ describe Rack::Protection::EscapedParams do
33
33
 
34
34
  it 'leaves cache-breaker params untouched' do
35
35
  mock_app do |env|
36
- request = Rack::Request.new(env)
37
36
  [200, {'Content-Type' => 'text/plain'}, ['hi']]
38
37
  end
39
38
 
@@ -17,11 +17,12 @@ describe Rack::Protection::SessionHijacking do
17
17
  session.should be_empty
18
18
  end
19
19
 
20
- it "denies requests with a changing Accept-Encoding header" do
20
+ it "accepts requests with a changing Accept-Encoding header" do
21
+ # this is tested because previously it led to clearing the session
21
22
  session = {:foo => :bar}
22
23
  get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_ENCODING' => 'a'
23
24
  get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_ENCODING' => 'b'
24
- session.should be_empty
25
+ session.should_not be_empty
25
26
  end
26
27
 
27
28
  it "denies requests with a changing Accept-Language header" do
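Review bot: `session.should_not be_empty` at line 25 is a weak assertion for this test: the class comment says the middleware stores tracked properties in the session (the defaults name a `:tracking` key), so the session would presumably be non-empty even if the user's own `:foo` entry had been dropped and the store re-populated. Asserting that the original value survives pins the behaviour the commit intends: `session[:foo].should == :bar`. The `it` block starting at line 20 is complete within the hunk.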
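--- a/metadata
+++ b/metadata
@@ -1,25 +1,27 @@
 --- !ruby/object:Gem::Specification
 name: rack-protection
 version: !ruby/object:Gem::Version
-version: 1.5.1
+version: 1.5.2
 platform: ruby
 authors:
 - Konstantin Haase
 - Alex Rodionov
 - Patrick Ellis
-- Jeff Welling
 - ITO Nobuaki
 - Matteo Centenaro
+- Jeff Welling
 - David Kellum
 - Egor Homakov
 - Florian Gilcher
 - Fojas
 - Mael Clerambault
 - Martin Mauch
+- Renne Nissinen
 - SAKAI, Kazuaki
 - Stanislav Savulchik
 - Steve Agalloco
 - TOBY
+- Vipul A M
 - Akzhan Abdulin
 - brookemckim
 - Bjørge Næss
@@ -30,7 +32,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-10-21 00:00:00.000000000 Z
+date: 2014-01-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rack
@@ -80,17 +82,19 @@ email:
 - p0deje@gmail.com
 - patrick@soundcloud.com
 - jeff.welling@gmail.com
-- bugant@gmail.com
 - daydream.trippers@gmail.com
+- bugant@gmail.com
 - homakov@gmail.com
 - florian.gilcher@asquera.de
 - developer@fojasaur.us
 - mael@clerambault.fr
 - martin.mauch@gmail.com
+- rennex@iki.fi
 - kaz.july.7@gmail.com
 - s.savulchik@gmail.com
 - steve.agalloco@gmail.com
 - toby.net.info.mail+git@gmail.com
+- vipulnsward@gmail.com
 - akzhan.abdulin@gmail.com
 - brooke@digitalocean.com
 - bjoerge@bengler.no
@@ -158,9 +162,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.0.7
+rubygems_version: 2.2.0
 signing_key:
 specification_version: 4
 summary: You should use protection!
 test_files: []
-has_rdoc: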