rack-utf8_sanitizer 1.5.0 → 1.6.0
- checksums.yaml +5 -5
- data/lib/rack/utf8_sanitizer.rb +16 -1
- data/rack-utf8_sanitizer.gemspec +1 -1
- data/test/test_utf8_sanitizer.rb +28 -0
- metadata +3 -3
    
        checksums.yaml
    CHANGED
    
    | @@ -1,7 +1,7 @@ | |
| 1 1 | 
             
            ---
         | 
| 2 | 
            -
             | 
| 3 | 
            -
              metadata.gz:  | 
| 4 | 
            -
              data.tar.gz:  | 
| 2 | 
            +
            SHA256:
         | 
| 3 | 
            +
              metadata.gz: 53093765db81984315b860f92ab0c1b51cc2e458147bc3cfb3d289424fb9b6d0
         | 
| 4 | 
            +
              data.tar.gz: 21493f9709c2db974d65612a8f22328824f74118ee500f37eeafe957a3dd1d39
         | 
| 5 5 | 
             
            SHA512:
         | 
| 6 | 
            -
              metadata.gz:  | 
| 7 | 
            -
              data.tar.gz:  | 
| 6 | 
            +
              metadata.gz: 621f2ea1b68feaf198d558d22cdc9dbb22a1133cb61f755450c80757bc4e848a80b337657f0356d59ebef869633e348bb3392612ec7fe7954dc1134f03b04e5a
         | 
| 7 | 
            +
              data.tar.gz: 917f05a6ed39b0656c84f60a076b072ed141418f15aa7b26d43c707be8268a739b1ce698955669bb8620f6e9f0c887e2c24a354f508a7e574af308c513e9da96
         | 
    
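--- a/data/lib/rack/utf8_sanitizer.rb
+++ b/data/lib/rack/utf8_sanitizer.rb
@@ -63,6 +63,7 @@ module Rack
 
     def sanitize(env)
       sanitize_rack_input(env)
+      sanitize_cookies(env)
       env.each do |key, value|
         next if skip?(key)
 
@@ -105,7 +106,7 @@ module Rack
       return unless @sanitizable_content_types.any? {|type| content_type == type }
       uri_encoded = URI_ENCODED_CONTENT_TYPES.any? {|type| content_type == type}
 
-      if env[
+      if env['rack.input']
         sanitized_input = sanitize_io(env['rack.input'], uri_encoded)
 
         env['rack.input'] = sanitized_input
@@ -159,6 +160,20 @@ module Rack
       SanitizedRackInput.new(io, StringIO.new(sanitized_input))
     end
 
+    # Cookies need to be split and then sanitized as url encoded strings
+    # since the cookie string itself is not url encoded (separated by `;`),
+    # and the normal method of `sanitize_uri_encoded_string` would break
+    # later cookie parsing in the case that a cookie value contained an
+    # encoded `;`.
+    def sanitize_cookies(env)
+      return unless env['HTTP_COOKIE']
+
+      env['HTTP_COOKIE'] = env['HTTP_COOKIE']
+        .split(/[;,] */n)
+        .map { |cookie| sanitize_uri_encoded_string(cookie) }
+        .join('; ')
+    end
+
     # URI.encode/decode expect the input to be in ASCII-8BIT.
     # However, there could be invalid UTF-8 characters both in
     # raw and percent-encoded form.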
    
        data/rack-utf8_sanitizer.gemspec
    CHANGED
    
    
    
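--- a/data/test/test_utf8_sanitizer.rb
+++ b/data/test/test_utf8_sanitizer.rb
@@ -325,6 +325,34 @@ describe Rack::UTF8Sanitizer do
     end
   end
 
+  describe "with custom content-type" do
+    def request_env
+      {
+          "REQUEST_METHOD" => "GET",
+          "CONTENT_TYPE" => "application/json",
+          "HTTP_COOKIE" => @cookie,
+          "rack.input" => StringIO.new,
+      }
+    end
+
+    it "sanitizes bad http cookie" do
+      @cookie = "foo=bla; quux=bar\xED"
+      response_env = @app.(request_env)
+      response_env['HTTP_COOKIE'].should != @cookie
+      response_env['HTTP_COOKIE'].should == 'foo=bla; quux=bar%EF%BF%BD'
+    end
+
+    it "does not change ok http cookie" do
+      @cookie = "foo=bla; quux=bar"
+      response_env = @app.(request_env)
+      response_env['HTTP_COOKIE'].should == @cookie
+
+      @cookie = "foo=b%3bla; quux=b%20a%20r"
+      response_env = @app.(request_env)
+      response_env['HTTP_COOKIE'].should == @cookie
+    end
+  end
+
   describe "with custom content-type" do
     def request_env
       @plain_input = "foo bar лол".force_encoding('UTF-8')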
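Review bot: The new `describe "with custom content-type"` block reuses, word for word, the name of the block that follows it, although it exercises the Cookie header rather than a content type, so a failing case cannot be told apart in test output; rename it, e.g. `describe "with an HTTP_COOKIE header" do`. The two cases only feed `; `-separated input, so the rejoin's normalisation of `,` separators and of missing spaces (`"a=1;b=2"`) is never asserted; a third case pinning the expected output for such a header would document whether that rewrite is deliberate. A case whose cookie string is UTF-8-tagged (`.force_encoding('UTF-8')`, as the neighbouring tests do for their inputs) would also show that the split copes with non-binary strings, which the current binary-looking literals leave unverified. The outer `describe Rack::UTF8Sanitizer` block starts and ends outside this hunk.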
    
        metadata
    CHANGED
    
    | @@ -1,14 +1,14 @@ | |
| 1 1 | 
             
            --- !ruby/object:Gem::Specification
         | 
| 2 2 | 
             
            name: rack-utf8_sanitizer
         | 
| 3 3 | 
             
            version: !ruby/object:Gem::Version
         | 
| 4 | 
            -
              version: 1. | 
| 4 | 
            +
              version: 1.6.0
         | 
| 5 5 | 
             
            platform: ruby
         | 
| 6 6 | 
             
            authors:
         | 
| 7 7 | 
             
            - whitequark
         | 
| 8 8 | 
             
            autorequire: 
         | 
| 9 9 | 
             
            bindir: bin
         | 
| 10 10 | 
             
            cert_chain: []
         | 
| 11 | 
            -
            date: 2018- | 
| 11 | 
            +
            date: 2018-06-06 00:00:00.000000000 Z
         | 
| 12 12 | 
             
            dependencies:
         | 
| 13 13 | 
             
            - !ruby/object:Gem::Dependency
         | 
| 14 14 | 
             
              name: rack
         | 
| @@ -110,7 +110,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement | |
| 110 110 | 
             
                  version: '0'
         | 
| 111 111 | 
             
            requirements: []
         | 
| 112 112 | 
             
            rubyforge_project: 
         | 
| 113 | 
            -
            rubygems_version: 2. | 
| 113 | 
            +
            rubygems_version: 2.7.6
         | 
| 114 114 | 
             
            signing_key: 
         | 
| 115 115 | 
             
            specification_version: 4
         | 
| 116 116 | 
             
            summary: Rack::UTF8Sanitizer is a Rack middleware which cleans up invalid UTF8 characters
         |