mirror of https://github.com/sinatra/sinatra synced 2023-03-27 23:18:01 -04:00

Show warnings for a JsonCsrf attack.

Since the `JsonCsrf` middleware overrides the `call` method, the default
warning is never displayed. I couldn't figure out why Sinatra was
returning a 403 for CORS and JSONP requests, and tracked it down to this.
This commit is contained in:
Chris Mytton 2011-12-02 19:42:24 +00:00
parent 7b74143147
commit d528b5aa6c


@ -16,7 +16,10 @@ module Rack
def call(env) def call(env)
status, headers, body = app.call(env) status, headers, body = app.call(env)
if headers['Content-Type'].to_s.split(';', 2).first =~ /^\s*application\/json\s*$/ if headers['Content-Type'].to_s.split(';', 2).first =~ /^\s*application\/json\s*$/
result = react(env) if referrer(env) != Request.new(env).host if referrer(env) != Request.new(env).host
result = react(env)
warn env, "attack prevented by #{self.class}"
end
end end
result or [status, headers, body] result or [status, headers, body]
end end
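Review bot: the new `warn env, "attack prevented by #{self.class}"` fires unconditionally after `result = react(env)`, but the unchanged `result or [status, headers, body]` line shows that `react(env)` may return nil, in which case the original JSON response is still sent to the client; in that path the log would claim an attack was prevented when nothing was blocked. Consider logging only when `result` is set, or wording the message so it does not assert a prevention the reaction did not perform, e.g. `warn env, "attack prevented by #{self.class}" if result`. The change also ships without a spec covering the log line; a test that performs a cross-host JSON request and asserts on the warning would pin down the behaviour this commit is meant to restore.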