Ignore changing Accept-Encoding header, fixes #56

2023-03-27 23:18:01 -04:00 · 2014-01-03 04:33:50 +02:00 · 2014-01-03 04:33:50 +02:00 · 4e40d2c5ce
commit 4e40d2c5ce
parent 06927d60a8
2 changed files with 6 additions and 5 deletions
--- a/rack-protection/lib/rack/protection/session_hijacking.rb
+++ b/rack-protection/lib/rack/protection/session_hijacking.rb
@ -9,12 +9,12 @@ module Rack
    #
    # Tracks request properties like the user agent in the session and empties
    # the session if those properties change. This essentially prevents attacks
-    # from Firesheep. Since all headers taken into consideration might be
-    # spoofed, too, this will not prevent all hijacking attempts.
+    # from Firesheep. Since all headers taken into consideration can be
+    # spoofed, too, this will not prevent determined hijacking attempts.
    class SessionHijacking < Base
      default_reaction :drop_session
      default_options :tracking_key => :tracking, :encrypt_tracking => true,
-        :track => %w[HTTP_USER_AGENT HTTP_ACCEPT_ENCODING HTTP_ACCEPT_LANGUAGE]
+        :track => %w[HTTP_USER_AGENT HTTP_ACCEPT_LANGUAGE]

      def accepts?(env)
        session = session env
--- a/rack-protection/spec/session_hijacking_spec.rb
+++ b/rack-protection/spec/session_hijacking_spec.rb
@ -17,11 +17,12 @@ describe Rack::Protection::SessionHijacking do
    session.should be_empty
  end

-  it "denies requests with a changing Accept-Encoding header" do
+  it "accepts requests with a changing Accept-Encoding header" do
+    # this is tested because previously it led to clearing the session
    session = {:foo => :bar}
    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_ENCODING' => 'a'
    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_ENCODING' => 'b'
-    session.should be_empty
+    session.should_not be_empty
  end

  it "denies requests with a changing Accept-Language header" do