rack-utf8_sanitizer 1.5.0 → 1.6.0

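--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
-SHA1:
-metadata.gz: 7122c2055da0fbed5a8f18a81078283040d0f614
-data.tar.gz: 45526c40b0c2e96572f9511911c7fdc87d4c0a6a
+SHA256:
+metadata.gz: 53093765db81984315b860f92ab0c1b51cc2e458147bc3cfb3d289424fb9b6d0
+data.tar.gz: 21493f9709c2db974d65612a8f22328824f74118ee500f37eeafe957a3dd1d39
 SHA512:
-metadata.gz: 766ad027d90baee2a60fdb4a6ac932ca94d42d8a65636ed3e50695e44b843a1512909966283da42484a9b243e8d26dc1836216fdbea42c78e1eec3cbc5be5d46
-data.tar.gz: caade282f19e01c14ecce793b83adcc125a95f0f1d8b6c37f6ce2f0203518d7ec604776015265027a92ef45be1c21cb19680a5297d7995c3f347a994da8fa954
+metadata.gz: 621f2ea1b68feaf198d558d22cdc9dbb22a1133cb61f755450c80757bc4e848a80b337657f0356d59ebef869633e348bb3392612ec7fe7954dc1134f03b04e5a
+data.tar.gz: 917f05a6ed39b0656c84f60a076b072ed141418f15aa7b26d43c707be8268a739b1ce698955669bb8620f6e9f0c887e2c24a354f508a7e574af308c513e9da96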
@@ -63,6 +63,7 @@ module Rack
63
63
 
64
64
  def sanitize(env)
65
65
  sanitize_rack_input(env)
66
+ sanitize_cookies(env)
66
67
  env.each do |key, value|
67
68
  next if skip?(key)
68
69
 
@@ -105,7 +106,7 @@ module Rack
105
106
  return unless @sanitizable_content_types.any? {|type| content_type == type }
106
107
  uri_encoded = URI_ENCODED_CONTENT_TYPES.any? {|type| content_type == type}
107
108
 
108
- if env["rack.input"]
109
+ if env['rack.input']
109
110
  sanitized_input = sanitize_io(env['rack.input'], uri_encoded)
110
111
 
111
112
  env['rack.input'] = sanitized_input
@@ -159,6 +160,20 @@ module Rack
159
160
  SanitizedRackInput.new(io, StringIO.new(sanitized_input))
160
161
  end
161
162
 
163
+ # Cookies need to be split and then sanitized as url encoded strings
164
+ # since the cookie string itself is not url encoded (separated by `;`),
165
+ # and the normal method of `sanitize_uri_encoded_string` would break
166
+ # later cookie parsing in the case that a cookie value contained an
167
+ # encoded `;`.
168
+ def sanitize_cookies(env)
169
+ return unless env['HTTP_COOKIE']
170
+
171
+ env['HTTP_COOKIE'] = env['HTTP_COOKIE']
172
+ .split(/[;,] */n)
173
+ .map { |cookie| sanitize_uri_encoded_string(cookie) }
174
+ .join('; ')
175
+ end
176
+
162
177
  # URI.encode/decode expect the input to be in ASCII-8BIT.
163
178
  # However, there could be invalid UTF-8 characters both in
164
179
  # raw and percent-encoded form.
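Review bot: sanitize_cookies rewrites HTTP_COOKIE on every request and normalizes its separators while doing so: `split(/[;,] */n)` followed by `join('; ')` turns `a=1;b=2` or `a=1, b=2` into `a=1; b=2` even when no byte in the header is invalid, which is a wider change than the "does not change ok http cookie" wording suggests. The split pattern presumably mirrors the splitting Rack applies when it parses the cookie header later, so downstream parsing should be unaffected, but anything that reads env['HTTP_COOKIE'] directly now sees a reshaped value; sanitize_uri_encoded_string, which does the per-pair work, is defined outside this hunk. If the normalization is intended, say so in the method comment, e.g. `# Separators are normalized to '; ' on the way through, even for already-valid input.`; if not, split with the separators captured and sanitize only the name=value parts. The enclosing module continues outside the hunk.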
@@ -2,7 +2,7 @@
2
2
 
3
3
  Gem::Specification.new do |gem|
4
4
  gem.name = "rack-utf8_sanitizer"
5
- gem.version = '1.5.0'
5
+ gem.version = '1.6.0'
6
6
  gem.authors = ["whitequark"]
7
7
  gem.license = "MIT"
8
8
  gem.email = ["whitequark@whitequark.org"]
@@ -325,6 +325,34 @@ describe Rack::UTF8Sanitizer do
325
325
  end
326
326
  end
327
327
 
328
+ describe "with custom content-type" do
329
+ def request_env
330
+ {
331
+ "REQUEST_METHOD" => "GET",
332
+ "CONTENT_TYPE" => "application/json",
333
+ "HTTP_COOKIE" => @cookie,
334
+ "rack.input" => StringIO.new,
335
+ }
336
+ end
337
+
338
+ it "sanitizes bad http cookie" do
339
+ @cookie = "foo=bla; quux=bar\xED"
340
+ response_env = @app.(request_env)
341
+ response_env['HTTP_COOKIE'].should != @cookie
342
+ response_env['HTTP_COOKIE'].should == 'foo=bla; quux=bar%EF%BF%BD'
343
+ end
344
+
345
+ it "does not change ok http cookie" do
346
+ @cookie = "foo=bla; quux=bar"
347
+ response_env = @app.(request_env)
348
+ response_env['HTTP_COOKIE'].should == @cookie
349
+
350
+ @cookie = "foo=b%3bla; quux=b%20a%20r"
351
+ response_env = @app.(request_env)
352
+ response_env['HTTP_COOKIE'].should == @cookie
353
+ end
354
+ end
355
+
328
356
  describe "with custom content-type" do
329
357
  def request_env
330
358
  @plain_input = "foo bar лол".force_encoding('UTF-8')
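Review bot: The new `describe "with custom content-type"` block at the top of this hunk reuses the description of the existing block that immediately follows it (new line 356), so the cookie cases report under a name that says nothing about cookies; `describe "with http cookie" do` would name what is actually exercised. The unchanged-cookie case covers only the `'; '` separator, while the middleware splits on `;` or `,` and re-joins with `'; '`, so a header such as `"foo=bla;quux=bar"` would show whether separator normalization is intended to count as "does not change". The CONTENT_TYPE and rack.input entries in request_env appear not to be exercised by these two cases; harmless, but they suggest the helper was copied from the content-type group rather than written for cookies.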
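--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack-utf8_sanitizer
 version: !ruby/object:Gem::Version
-version: 1.5.0
+version: 1.6.0
 platform: ruby
 authors:
 - whitequark
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-02-26 00:00:00.000000000 Z
+date: 2018-06-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rack
@@ -110,7 +110,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.5.2.2
+rubygems_version: 2.7.6
 signing_key:
 specification_version: 4
 summary: Rack::UTF8Sanitizer is a Rack middleware which cleans up invalid UTF8 characters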