safer_send_file 0.0.1

data/MIT_LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2009 Hubert Łępicki
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,27 @@
+= Overview
+
+This little gem adds "safer_send_file" method, that wraps Rails' "send_file" and checks if file being sent is in one of white-listed directories. This is to prevent Rails application from sending /etc/passwd or any other sensitive data.
+
+= Installation
+
+Edit your Gemfile, and add:
+
+    gem "safer_send_file", "0.0.1"
+
+and run:
+    
+    $ bundle install
+
+= Configuration
+
+Create file #{Rails.root}/config/initializers/safe_send_file and specify allowed directories. Default is not to allow serving any files!
+
+Example initializer file:
+
+    SaferSendFile.allowed_directories = [
+      File.join(Rails.root, "uploads")
+    ]
+
+= License
+
+MIT, see MIT_LICENSE for details.

data/lib/safer_send_file.rb

@@ -0,0 +1,13 @@
+module SaferSendFile
+  class NotAllowed < RuntimeError; end
+  def self.allowed_directories=(some_directories)
+    @@allowed_directories = some_directories.collect { |dir| File.expand_path(dir) }
+  end
+
+  def self.allowed_directories
+    defined?(@@allowed_directories) ? @@allowed_directories : []
+  end
+end
+
+require 'safer_send_file/streaming'
+require 'safer_send_file/railtie'

data/lib/safer_send_file/railtie.rb

@@ -0,0 +1,10 @@
+require 'rails'
+module SaferSendFile
+  class Railtie < Rails::Railtie
+    initializer "safer_send_file.include_helpers" do |app|
+      ActiveSupport.on_load(:action_controller) do
+        ActionController::Base.send(:include, SaferSendFile::Streaming)
+      end
+    end
+  end
+end

data/lib/safer_send_file/streaming.rb

@@ -0,0 +1,14 @@
+module SaferSendFile
+  module Streaming 
+    def safer_send_file(path, options = {})
+      full_path = File.expand_path(path)
+      if SaferSendFile.allowed_directories.any? { |dir| dir == full_path[0..dir.size-1] }
+        send_file full_path, options
+      else
+        raise SaferSendFile::NotAllowed
+      end
+    end
+  end
+end
+
+

metadata

@@ -0,0 +1,101 @@
+--- !ruby/object:Gem::Specification 
+name: safer_send_file
+version: !ruby/object:Gem::Version 
+  prerelease: false
+  segments: 
+  - 0
+  - 0
+  - 1
+  version: 0.0.1
+platform: ruby
+authors: 
+- "Hubert \xC5\x81\xC4\x99picki"
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2010-09-26 00:00:00 +02:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: rails
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 3
+        - 0
+        version: "3.0"
+  type: :runtime
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  name: rspec
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - "="
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 2
+        - 0
+        - 0
+        - beta
+        - 22
+        version: 2.0.0.beta.22
+  type: :development
+  version_requirements: *id002
+description: implements safer_send_file method that allows sending files only from specified directories
+email: 
+- hubert.lepicki@amberbit.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: []
+
+files: 
+- lib/safer_send_file/railtie.rb
+- lib/safer_send_file/streaming.rb
+- lib/safer_send_file.rb
+- MIT_LICENSE
+- README.rdoc
+has_rdoc: true
+homepage: http://amberbit.com
+licenses: []
+
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      segments: 
+      - 1
+      - 3
+      - 6
+      version: 1.3.6
+requirements: []
+
+rubyforge_project: safer_send_file
+rubygems_version: 1.3.7
+signing_key: 
+specification_version: 3
+summary: Safer send_file for Rails 3
+test_files: []
+