rack-utf8_sanitizer 1.2.4 → 1.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 3bc32f9a8c3c78f8d8d6854cb8d00c408f8e2f49
-  data.tar.gz: 8d6cd8deaa275ccf64eaa92635a540862f35f908
+  metadata.gz: 8aacddbd472d3669a350a888d96b382340503997
+  data.tar.gz: 32941a3fd46aef0de4a1bccc0225d39f2761d745
 SHA512:
-  metadata.gz: eb00499174901a1f61f899969973d734ff585b636b4f270c3cc4bfc6c18c0bcadebfd47ce2f96b5472f1681dce4ba00e72d1c28ac16624766692f6a0c96c7557
-  data.tar.gz: 3d4266e03573f4a8b3a6e006def51060397ba4b08550b3ff370882e5f94096fba05a132677ba3828b1952ea15508406a7412d0bb3e36ff3649efe7272c76fb07
+  metadata.gz: 2a119e6e461f8e7e86616181dc2853197a7352e06547847c5db200d47d6e362169243d258b85a0ea3adffc0fd662d8ad86f2f8ac3cf1f79fc849e22f90f41c65
+  data.tar.gz: 1c4d8edd9653403602449aee577ff34f2c603d3c920e6f149d728f6dbef4861ff63b92debe1d6be9ba3eb78365afffaa352aaff3f550b3d6b01401f327bc7122

data/lib/rack/utf8_sanitizer.rb

@@ -32,6 +32,10 @@ module Rack
       text/javascript
     )
 
+    URI_ENCODED_CONTENT_TYPES = %w(
+      application/x-www-form-urlencoded
+    )
+
     def sanitize(env)
       sanitize_rack_input(env)
       env.each do |key, value|
@@ -57,7 +61,8 @@ module Rack
       content_type &&= content_type.split(/\s*[;,]\s*/, 2).first
       content_type &&= content_type.downcase
       return unless SANITIZABLE_CONTENT_TYPES.any? {|type| content_type == type }
-      env['rack.input'] &&= sanitize_io(env['rack.input'])
+      uri_encoded = URI_ENCODED_CONTENT_TYPES.any? {|type| content_type == type}
+      env['rack.input'] &&= sanitize_io(env['rack.input'], uri_encoded)
     end
 
     # Modeled after Rack::RewindableInput
@@ -85,11 +90,15 @@ module Rack
       end
     end
 
-    def sanitize_io(io)
+    def sanitize_io(io, uri_encoded = false)
       input = io.read
-      sanitized_io = transfer_frozen(input,
-                      sanitize_string(input))
-      SanitizedRackInput.new(io, StringIO.new(sanitized_io))
+      sanitized_input = sanitize_string(input)
+      if uri_encoded
+        sanitized_input = sanitize_uri_encoded_string(sanitized_input).
+          force_encoding(Encoding::UTF_8)
+      end
+      sanitized_input = transfer_frozen(input, sanitized_input)
+      SanitizedRackInput.new(io, StringIO.new(sanitized_input))
     end
 
     # URI.encode/decode expect the input to be in ASCII-8BIT.

data/rack-utf8_sanitizer.gemspec

@@ -2,7 +2,7 @@
 
 Gem::Specification.new do |gem|
   gem.name          = "rack-utf8_sanitizer"
-  gem.version       = '1.2.4'
+  gem.version       = '1.3.0'
   gem.authors       = ["Peter Zotov"]
   gem.email         = ["whitequark@whitequark.org"]
   gem.description   = %{Rack::UTF8Sanitizer is a Rack middleware which cleans up } <<

data/test/test_utf8_sanitizer.rb

@@ -224,6 +224,22 @@ describe Rack::UTF8Sanitizer do
       end
     end
 
+    it "sanitizes StringIO rack.input with form encoded bad encoding" do
+      input = "foo=bla&foo=baz&quux%ED=bar%ED"
+      @rack_input = StringIO.new input
+
+      sanitize_form_data do |sanitized_input|
+        # URI.decode_www_form does some encoding magic
+        sanitized_input.split("&").each do |pair|
+          pair.split("=", 2).each do |component|
+            decoded = URI.decode_www_form_component(component)
+            decoded.should.be.valid_encoding
+          end
+        end
+        sanitized_input.should != input
+      end
+    end
+
     it "sanitizes non-StringIO rack.input" do
       require 'rack/rewindable_input'
       input = "foo=bla&quux=bar"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack-utf8_sanitizer
 version: !ruby/object:Gem::Version
-  version: 1.2.4
+  version: 1.3.0
 platform: ruby
 authors:
 - Peter Zotov
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-11-29 00:00:00.000000000 Z
+date: 2015-01-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack