From 4d17ca61e4ba934c9c2dfc09cee37f77c9bc7eeb Mon Sep 17 00:00:00 2001
From: Jens Ulferts <j.ulferts@finn.de>
Date: Fri, 28 Feb 2014 13:34:13 +0100
Subject: [PATCH] closes body on prevented JsonCsrf

---
 .../lib/rack/protection/json_csrf.rb          | 17 +++++++--
 rack-protection/spec/json_csrf_spec.rb        | 35 +++++++++++++++++++
 2 files changed, 50 insertions(+), 2 deletions(-)

diff --git a/rack-protection/lib/rack/protection/json_csrf.rb b/rack-protection/lib/rack/protection/json_csrf.rb
index f163f686..d1a8949f 100644
--- a/rack-protection/lib/rack/protection/json_csrf.rb
+++ b/rack-protection/lib/rack/protection/json_csrf.rb
@@ -17,9 +17,10 @@ module Rack
         request               = Request.new(env)
         status, headers, body = app.call(env)
 
-        if has_vector? request, headers
+        if has_vector?(request, headers)
           warn env, "attack prevented by #{self.class}"
-          react(env) or [status, headers, body]
+
+          react_and_close(env, body) or [status, headers, body]
         else
           [status, headers, body]
         end
@@ -30,6 +31,18 @@ module Rack
         return false unless headers['Content-Type'].to_s.split(';', 2).first =~ /^\s*application\/json\s*$/
         origin(request.env).nil? and referrer(request.env) != request.host
       end
+
+      def react_and_close(env, body)
+        reaction = react(env)
+
+        close_body(body) if reaction
+
+        reaction
+      end
+
+      def close_body(body)
+        body.close if body.respond_to?(:close)
+      end
     end
   end
 end
diff --git a/rack-protection/spec/json_csrf_spec.rb b/rack-protection/spec/json_csrf_spec.rb
index 264f9483..5ea03f2d 100644
--- a/rack-protection/spec/json_csrf_spec.rb
+++ b/rack-protection/spec/json_csrf_spec.rb
@@ -3,6 +3,31 @@ require File.expand_path('../spec_helper.rb', __FILE__)
 describe Rack::Protection::JsonCsrf do
   it_behaves_like "any rack application"
 
+  module DummyAppWithBody
+    module Closeable
+      def close
+        @closed = true
+      end
+
+      def closed?
+        @closed
+      end
+    end
+
+    def self.body
+      @body ||= begin
+        body = ['ok']
+        body.extend(Closeable)
+        body
+      end
+    end
+
+    def self.call(env)
+      Thread.current[:last_env] = env
+      [200, {'Content-Type' => 'application/json'}, body]
+    end
+  end
+
   describe 'json response' do
     before do
       mock_app { |e| [200, {'Content-Type' => 'application/json'}, []]}
@@ -12,6 +37,16 @@ describe Rack::Protection::JsonCsrf do
       get('/', {}, 'HTTP_REFERER' => 'http://evil.com').should_not be_ok
     end
 
+    it "closes the body returned by the app if it denies the get request" do
+      mock_app DummyAppWithBody do |e|
+        [200, {'Content-Type' => 'application/json'}, []]
+      end
+
+      get('/', {}, 'HTTP_REFERER' => 'http://evil.com')
+
+      DummyAppWithBody.body.should be_closed
+    end
+
     it "accepts requests with json responses with a remote referrer when there's an origin header set" do
       get('/', {}, 'HTTP_REFERER' => 'http://good.com', 'HTTP_ORIGIN' => 'http://good.com').should be_ok
     end