xhr requests cannot be used for the json attack, fixes #39

2013-03-01 15:43:27 +11:00 · 2013-03-01 15:43:27 +11:00 · 8a2514674c
parent 65cf3fd59b
commit 8a2514674c
2 changed files with 17 additions and 6 deletions
--- a/rack-protection/lib/rack/protection/json_csrf.rb
+++ b/rack-protection/lib/rack/protection/json_csrf.rb
@ -14,14 +14,21 @@ module Rack
      default_reaction :deny

      def call(env)
+        request               = Request.new(env)
        status, headers, body = app.call(env)
-        if headers['Content-Type'].to_s.split(';', 2).first =~ /^\s*application\/json\s*$/
-          if origin(env).nil? and referrer(env) != Request.new(env).host
-            result = react(env)
-            warn env, "attack prevented by #{self.class}"
-          end
+
+        if has_vector? request, headers
+          warn env, "attack prevented by #{self.class}"
+          react(env)
+        else
+          [status, headers, body]
        end
-        result or [status, headers, body]
+      end
+
+      def has_vector?(request, headers)
+        return false if request.xhr?
+        return false unless headers['Content-Type'].to_s.split(';', 2).first =~ /^\s*application\/json\s*$/
+        origin(request.env).nil? and referrer(request.env) != request.host
      end
    end
  end
--- a/rack-protection/spec/json_csrf_spec.rb
+++ b/rack-protection/spec/json_csrf_spec.rb
@ -27,6 +27,10 @@ describe Rack::Protection::JsonCsrf do
    it "accepts get requests with json responses with no referrer" do
      get('/', {}).should be_ok
    end
+
+    it "accepts XHR requests" do
+      get('/', {}, 'HTTP_REFERER' => 'http://evil.com', 'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest').should be_ok
+    end
  end

  describe 'not json response' do