
pending specs and fixes for session hijacking

This commit is contained in:
Konstantin Haase 2011-06-20 15:48:13 +02:00
parent 7798cda967
commit 1957d75919
2 changed files with 38 additions and 7 deletions


@ -12,6 +12,7 @@ module Rack
# from Firesheep. Since all headers taken into consideration might be
# spoofed, too, this will not prevent all hijacking attempts.
class SessionHijacking < Base
default_reaction :drop_session
default_options :tracking_key => :tracking, :encrypt_tracking => true,
:track => %w[HTTP_USER_AGENT HTTP_ACCEPT_ENCODING HTTP_ACCEPT_LANGUAGE
HTTP_VERSION]
@ -20,10 +21,10 @@ module Rack
session = session env
key = options[:tracking_key]
if session.include? key
session[key].all? { |k,v| env[k] == encrypt(v) }
session[key].all? { |k,v| v == encrypt(env[k]) }
else
session[key] = {}
options[:track].each { |k| session[k] = encrypt(env[k]) }
options[:track].each { |k| session[key][k] = encrypt(env[k]) }
end
end
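Review bot: The corrected comparison at `session[key].all? { |k,v| v == encrypt(env[k]) }` and the snapshot at `session[key][k] = encrypt(env[k])` both feed `env[k]` straight into `encrypt`, yet none of the four tracked headers (User-Agent, Accept-Encoding, Accept-Language, HTTP_VERSION) is guaranteed to be present, so `env[k]` can be nil; whether that is safe depends on `encrypt`, which is outside the hunk, and normalising with `encrypt(env[k].to_s)` in both places makes a missing header compare consistently instead of relying on it. The `else` branch returns the `options[:track]` array from `each`, which is truthy but not a boolean, so appending `true` after the loop would make the predicate's contract explicit. The class should also document that `default_reaction :drop_session` means a legitimate client whose User-Agent or HTTP version changes mid-session (browser update, proxy hop) silently loses its session, e.g. `# A change in any tracked header drops the whole session, so legitimate clients can be logged out by a browser update or a proxy that rewrites HTTP_VERSION.` The enclosing method (presumably `accepts?`) starts outside the hunk.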


@ -2,9 +2,39 @@ require File.expand_path('../spec_helper.rb', __FILE__)
describe Rack::Protection::SessionHijacking do
it_behaves_like "any rack application"
it "accepts a session without changes to tracked parameters"
it "denies requests with a changing User-Agent header"
it "denies requests with a changing Accept-Encoding header"
it "denies requests with a changing Accept-Language header"
it "denies requests with a changing Version header"
it "accepts a session without changes to tracked parameters" do
session = {:foo => :bar}
get '/', {}, 'rack.session' => session
get '/', {}, 'rack.session' => session
session[:foo].should == :bar
end
it "denies requests with a changing User-Agent header" do
session = {:foo => :bar}
get '/', {}, 'rack.session' => session, 'HTTP_USER_AGENT' => 'a'
get '/', {}, 'rack.session' => session, 'HTTP_USER_AGENT' => 'b'
session.should be_empty
end
it "denies requests with a changing Accept-Encoding header" do
session = {:foo => :bar}
get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_ENCODING' => 'a'
get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_ENCODING' => 'b'
session.should be_empty
end
it "denies requests with a changing Accept-Language header" do
session = {:foo => :bar}
get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'a'
get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'b'
session.should be_empty
end
it "denies requests with a changing Version header"do
session = {:foo => :bar}
get '/', {}, 'rack.session' => session, 'HTTP_VERSION' => '1.0'
get '/', {}, 'rack.session' => session, 'HTTP_VERSION' => '1.1'
session.should be_empty
end
end
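Review bot: None of the new examples pins the layout the code change fixes — the tracked values now live under `session[:tracking]` rather than at the top level of the session — so a regression back to `session[k] = encrypt(env[k])` would still pass the "accepts a session without changes to tracked parameters" example, which only checks `session[:foo]`. After the two requests in that example, add `session.keys.should =~ [:foo, :tracking]` and `session[:tracking].keys.should =~ %w[HTTP_USER_AGENT HTTP_ACCEPT_ENCODING HTTP_ACCEPT_LANGUAGE HTTP_VERSION]` to lock both the key and its contents in. The denial examples each vary one header while the other three are absent, which is fine, but a case where the first request sends no tracked header and the second adds one would cover the nil-header path the middleware otherwise never exercises. Style: the last example's `header"do` is missing the space before `do`.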