rack-utf8_sanitizer 1.2.4 → 1.3.0

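--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: 3bc32f9a8c3c78f8d8d6854cb8d00c408f8e2f49
- data.tar.gz: 8d6cd8deaa275ccf64eaa92635a540862f35f908
+ metadata.gz: 8aacddbd472d3669a350a888d96b382340503997
+ data.tar.gz: 32941a3fd46aef0de4a1bccc0225d39f2761d745
  SHA512:
- metadata.gz: eb00499174901a1f61f899969973d734ff585b636b4f270c3cc4bfc6c18c0bcadebfd47ce2f96b5472f1681dce4ba00e72d1c28ac16624766692f6a0c96c7557
- data.tar.gz: 3d4266e03573f4a8b3a6e006def51060397ba4b08550b3ff370882e5f94096fba05a132677ba3828b1952ea15508406a7412d0bb3e36ff3649efe7272c76fb07
+ metadata.gz: 2a119e6e461f8e7e86616181dc2853197a7352e06547847c5db200d47d6e362169243d258b85a0ea3adffc0fd662d8ad86f2f8ac3cf1f79fc849e22f90f41c65
+ data.tar.gz: 1c4d8edd9653403602449aee577ff34f2c603d3c920e6f149d728f6dbef4861ff63b92debe1d6be9ba3eb78365afffaa352aaff3f550b3d6b01401f327bc7122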
@@ -32,6 +32,10 @@ module Rack
32
32
  text/javascript
33
33
  )
34
34
 
35
+ URI_ENCODED_CONTENT_TYPES = %w(
36
+ application/x-www-form-urlencoded
37
+ )
38
+
35
39
  def sanitize(env)
36
40
  sanitize_rack_input(env)
37
41
  env.each do |key, value|
@@ -57,7 +61,8 @@ module Rack
57
61
  content_type &&= content_type.split(/\s*[;,]\s*/, 2).first
58
62
  content_type &&= content_type.downcase
59
63
  return unless SANITIZABLE_CONTENT_TYPES.any? {|type| content_type == type }
60
- env['rack.input'] &&= sanitize_io(env['rack.input'])
64
+ uri_encoded = URI_ENCODED_CONTENT_TYPES.any? {|type| content_type == type}
65
+ env['rack.input'] &&= sanitize_io(env['rack.input'], uri_encoded)
61
66
  end
62
67
 
63
68
  # Modeled after Rack::RewindableInput
@@ -85,11 +90,15 @@ module Rack
85
90
  end
86
91
  end
87
92
 
88
- def sanitize_io(io)
93
+ def sanitize_io(io, uri_encoded = false)
89
94
  input = io.read
90
- sanitized_io = transfer_frozen(input,
91
- sanitize_string(input))
92
- SanitizedRackInput.new(io, StringIO.new(sanitized_io))
95
+ sanitized_input = sanitize_string(input)
96
+ if uri_encoded
97
+ sanitized_input = sanitize_uri_encoded_string(sanitized_input).
98
+ force_encoding(Encoding::UTF_8)
99
+ end
100
+ sanitized_input = transfer_frozen(input, sanitized_input)
101
+ SanitizedRackInput.new(io, StringIO.new(sanitized_input))
93
102
  end
94
103
 
95
104
  # URI.encode/decode expect the input to be in ASCII-8BIT.
@@ -2,7 +2,7 @@
2
2
 
3
3
  Gem::Specification.new do |gem|
4
4
  gem.name = "rack-utf8_sanitizer"
5
- gem.version = '1.2.4'
5
+ gem.version = '1.3.0'
6
6
  gem.authors = ["Peter Zotov"]
7
7
  gem.email = ["whitequark@whitequark.org"]
8
8
  gem.description = %{Rack::UTF8Sanitizer is a Rack middleware which cleans up } <<
@@ -224,6 +224,22 @@ describe Rack::UTF8Sanitizer do
224
224
  end
225
225
  end
226
226
 
227
+ it "sanitizes StringIO rack.input with form encoded bad encoding" do
228
+ input = "foo=bla&foo=baz&quux%ED=bar%ED"
229
+ @rack_input = StringIO.new input
230
+
231
+ sanitize_form_data do |sanitized_input|
232
+ # URI.decode_www_form does some encoding magic
233
+ sanitized_input.split("&").each do |pair|
234
+ pair.split("=", 2).each do |component|
235
+ decoded = URI.decode_www_form_component(component)
236
+ decoded.should.be.valid_encoding
237
+ end
238
+ end
239
+ sanitized_input.should != input
240
+ end
241
+ end
242
+
227
243
  it "sanitizes non-StringIO rack.input" do
228
244
  require 'rack/rewindable_input'
229
245
  input = "foo=bla&quux=bar"
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rack-utf8_sanitizer
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.2.4
4
+ version: 1.3.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Peter Zotov
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2014-11-29 00:00:00.000000000 Z
11
+ date: 2015-01-27 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rack