mirror of
https://github.com/rails/rails.git
synced 2022-11-09 12:12:34 -05:00
Treat ORIGIN as an opaque identifier and do equality comparison with the specified whitelist
This commit is contained in:
parent
d621ae41c1
commit
ecab8314eb
3 changed files with 11 additions and 21 deletions
|
@ -168,23 +168,12 @@ module ActionCable
|
|||
def allow_request_origin?
|
||||
return true if server.config.disable_request_forgery_protection
|
||||
|
||||
if env['HTTP_ORIGIN'].present?
|
||||
origin_host = URI.parse(env['HTTP_ORIGIN']).host
|
||||
|
||||
allowed = if server.config.allowed_request_origins.present?
|
||||
Array(server.config.allowed_request_origins).include? origin_host
|
||||
else
|
||||
request.host == origin_host
|
||||
end
|
||||
|
||||
logger.error("Request origin not allowed: #{env['HTTP_ORIGIN']}") unless allowed
|
||||
allowed
|
||||
if Array(server.config.allowed_request_origins).include? env['HTTP_ORIGIN']
|
||||
true
|
||||
else
|
||||
logger.error("Request origin missing.")
|
||||
logger.error("Request origin not allowed: #{env['HTTP_ORIGIN']}")
|
||||
false
|
||||
end
|
||||
rescue URI::InvalidURIError
|
||||
false
|
||||
end
|
||||
|
||||
def respond_to_successful_request
|
||||
|
|
|
@ -16,9 +16,10 @@ class ActionCable::Connection::BaseTest < ActiveSupport::TestCase
|
|||
|
||||
setup do
|
||||
@server = TestServer.new
|
||||
@server.config.allowed_request_origins = %w( http://rubyonrails.com )
|
||||
|
||||
env = Rack::MockRequest.env_for "/test", 'HTTP_CONNECTION' => 'upgrade', 'HTTP_UPGRADE' => 'websocket',
|
||||
'SERVER_NAME' => 'rubyonrails.com', 'HTTP_ORIGIN' => 'http://rubyonrails.com'
|
||||
'HTTP_ORIGIN' => 'http://rubyonrails.com'
|
||||
|
||||
@connection = Connection.new(@server, env)
|
||||
@response = @connection.process
|
||||
|
|
|
@ -6,11 +6,12 @@ class ActionCable::Connection::CrossSiteForgeryTest < ActiveSupport::TestCase
|
|||
|
||||
setup do
|
||||
@server = TestServer.new
|
||||
@server.config.allowed_request_origins = %w( http://rubyonrails.com )
|
||||
end
|
||||
|
||||
test "default cross site forgery protection only allows origin same as the server host" do
|
||||
assert_origin_allowed 'http://rubyonrails.com'
|
||||
assert_origin_not_allowed 'http://hax.com'
|
||||
teardown do
|
||||
@server.config.disable_request_forgery_protection = false
|
||||
@server.config.allowed_request_origins = []
|
||||
end
|
||||
|
||||
test "disable forgery protection" do
|
||||
|
@ -20,16 +21,15 @@ class ActionCable::Connection::CrossSiteForgeryTest < ActiveSupport::TestCase
|
|||
end
|
||||
|
||||
test "explicitly specified a single allowed origin" do
|
||||
@server.config.allowed_request_origins = 'hax.com'
|
||||
@server.config.allowed_request_origins = 'http://hax.com'
|
||||
assert_origin_not_allowed 'http://rubyonrails.com'
|
||||
assert_origin_allowed 'http://hax.com'
|
||||
end
|
||||
|
||||
test "explicitly specified multiple allowed origins" do
|
||||
@server.config.allowed_request_origins = %w( rubyonrails.com www.rubyonrails.com )
|
||||
@server.config.allowed_request_origins = %w( http://rubyonrails.com http://www.rubyonrails.com )
|
||||
assert_origin_allowed 'http://rubyonrails.com'
|
||||
assert_origin_allowed 'http://www.rubyonrails.com'
|
||||
assert_origin_allowed 'https://www.rubyonrails.com'
|
||||
assert_origin_not_allowed 'http://hax.com'
|
||||
end
|
||||
|
||||
|
|
Loading…
Reference in a new issue