move stuff around, add remote_token protection

2023-03-27 23:18:01 -04:00 · 2011-05-29 11:45:27 +02:00 · 2011-05-29 11:45:27 +02:00 · 3588ba5d33
commit 3588ba5d33
parent ab177702bb
6 changed files with 22 additions and 2 deletions
--- a/rack-protection/lib/rack/protection.rb
+++ b/rack-protection/lib/rack/protection.rb
@ -22,7 +22,6 @@ module Rack
        use EscapedParams,    options unless except.include? :escaped_params
        use FrameOptions,     options unless except.include? :frame_options
        use PathTraversal,    options unless except.include? :path_traversal
-        use RemoteReferrer,   options unless except.include? :remote_referrer
        use RemoteToken,      options unless except.include? :remote_token
        use SessionHijacking, options unless except.include? :session_hijacking
        use XSSHeader,        options unless except.include? :xss_header
--- a/rack-protection/lib/rack/protection/base.rb
+++ b/rack-protection/lib/rack/protection/base.rb
@ -1,5 +1,6 @@
 require 'rack/protection'
 require 'logger'
+require 'uri'

 module Rack
  module Protection
@ -58,6 +59,11 @@ module Rack
        env['rack.session'] ||= {}
      end

+      def referrer(env)
+        ref = env['HTTP_REFERER']
+        URI.parse(ref).host || Request.new(env).host if ref and not ref.empty?
+      end
+
      def random_string(secure = defined? SecureRandom)
        secure ? SecureRandom.hex(32) : "%032x" % rand(2**128-1)
      rescue NotImpelentedError
--- a/rack-protection/lib/rack/protection/no_referrer.rb
+++ b/rack-protection/lib/rack/protection/no_referrer.rb
@ -18,7 +18,7 @@ module Rack
      default_reaction :deny

      def accepts?(env)
-        safe?(env) or (env['HTTP_REFERER'] and not env['HTTP_REFERER'].empty?)
+        safe?(env) or referrer(env)
      end
    end
  end
--- a/rack-protection/lib/rack/protection/remote_referrer.rb
+++ b/rack-protection/lib/rack/protection/remote_referrer.rb
@ -15,6 +15,11 @@ module Rack
    #
    # Not Yet Implemented!
    class RemoteReferrer < Base
+      default_reaction :deny
+
+      def accepts?(env)
+        safe?(env) or referrer(env) == Request.new(env).host
+      end
    end
  end
 end
--- a/rack-protection/lib/rack/protection/remote_token.rb
+++ b/rack-protection/lib/rack/protection/remote_token.rb
@ -14,6 +14,11 @@ module Rack
    #
    # Not Yet Implemented!
    class RemoteToken < AuthenticityToken
+      default_reaction :deny
+
+      def accepts?(env)
+        super or referrer(env) == Request.new(env).host
+      end
    end
  end
 end
--- a/rack-protection/spec/protection_spec.rb
+++ b/rack-protection/spec/protection_spec.rb
@ -0,0 +1,5 @@
+require File.expand_path('../spec_helper.rb', __FILE__)
+
+describe Rack::Protection do
+  it_behaves_like "any rack application"
+end