
xhr requests cannot be used for the json attack, fixes #39

This commit is contained in:
Konstantin Haase 2013-03-01 15:43:27 +11:00
parent 65cf3fd59b
commit 8a2514674c
2 changed files with 17 additions and 6 deletions


@ -14,14 +14,21 @@ module Rack
default_reaction :deny default_reaction :deny
def call(env) def call(env)
request = Request.new(env)
status, headers, body = app.call(env) status, headers, body = app.call(env)
if headers['Content-Type'].to_s.split(';', 2).first =~ /^\s*application\/json\s*$/
if origin(env).nil? and referrer(env) != Request.new(env).host if has_vector? request, headers
result = react(env) warn env, "attack prevented by #{self.class}"
warn env, "attack prevented by #{self.class}" react(env)
end else
[status, headers, body]
end end
result or [status, headers, body] end
def has_vector?(request, headers)
return false if request.xhr?
return false unless headers['Content-Type'].to_s.split(';', 2).first =~ /^\s*application\/json\s*$/
origin(request.env).nil? and referrer(request.env) != request.host
end end
end end
end end
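Review bot: The `return false if request.xhr?` guard in has_vector? switches the whole JSON-CSRF check off on the strength of a single request header, and nothing in the hunk records why that is acceptable; a comment above the line would carry the reasoning, e.g. `# A <script> tag or form post cannot set X-Requested-With; a cross-origin caller can only attach it through a CORS preflight the server has already approved.` That holds only as long as no permissive CORS policy elsewhere grants that header, which this middleware cannot see, so the assumption is worth stating where the bypass lives. While here, the Content-Type regex copied into has_vector? still anchors with `^`/`$`, which match per line; `\A` and `\z` are the whole-string anchors for validating a header value. The name `has_vector?` could follow Ruby predicate style as `json_vector?`, but it is internal to the class so that is cosmetic.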


@ -27,6 +27,10 @@ describe Rack::Protection::JsonCsrf do
it "accepts get requests with json responses with no referrer" do it "accepts get requests with json responses with no referrer" do
get('/', {}).should be_ok get('/', {}).should be_ok
end end
it "accepts XHR requests" do
get('/', {}, 'HTTP_REFERER' => 'http://evil.com', 'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest').should be_ok
end
end end
describe 'not json response' do describe 'not json response' do
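Review bot: The new "accepts XHR requests" example only asserts the positive side, so it would still pass if the remote-referrer check were broken altogether; unless an example outside the hunk already does so, a companion that sends the same `HTTP_REFERER` without `HTTP_X_REQUESTED_WITH` and expects a denial would tie the behaviour to the header specifically. Something like `get('/', {}, 'HTTP_REFERER' => 'http://evil.com').should_not be_ok` placed beside the new example would do, with the expectation phrased to match how the existing denial examples in this spec assert the reaction.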