diff --git a/rack-protection/lib/rack/protection/access_control.rb b/rack-protection/lib/rack/protection/access_control.rb
deleted file mode 100644
index 05ccf89b..00000000
--- a/rack-protection/lib/rack/protection/access_control.rb
+++ /dev/null
@@ -1,8 +0,0 @@
-require 'rack/protection'
-
-module Rack
- module Protection
- class AccessControl < Base
- end
- end
-end
diff --git a/rack-protection/lib/rack/protection/authenticity_token.rb b/rack-protection/lib/rack/protection/authenticity_token.rb
index b9eca4f3..8016480f 100644
--- a/rack-protection/lib/rack/protection/authenticity_token.rb
+++ b/rack-protection/lib/rack/protection/authenticity_token.rb
@@ -2,6 +2,17 @@ require 'rack/protection'
module Rack
module Protection
+ ##
+ # Prevented attack:: CSRF
+ # Supported browsers:: all
+ # More infos:: http://en.wikipedia.org/wiki/Cross-site_request_forgery
+ #
+ # Only accepts unsafe HTTP requests if a given access token matches the token
+ # included in the session.
+ #
+ # Compatible with Rails and rack-csrf.
+ #
+ # Not Yet Implemented!
class AuthenticityToken < Base
end
end
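Review bot: The new header on AuthenticityToken leaves "unsafe HTTP requests" undefined, and that definition is the whole access decision once the class is implemented. Suggest adding `# "Unsafe" means any method other than the safe methods GET, HEAD, OPTIONS and TRACE.` so the stub and the eventual implementation agree on the scope. A second sentence worth adding is that the token match must be a constant-time comparison, since a plain `==` against the session token leaks timing information. The same undefined wording is used in the form_token.rb, remote_token.rb, no_referrer.rb and remote_referrer.rb hunks.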
diff --git a/rack-protection/lib/rack/protection/escaped_params.rb b/rack-protection/lib/rack/protection/escaped_params.rb
index e37ae4d9..17b82f97 100644
--- a/rack-protection/lib/rack/protection/escaped_params.rb
+++ b/rack-protection/lib/rack/protection/escaped_params.rb
@@ -2,6 +2,16 @@ require 'rack/protection'
module Rack
module Protection
+ ##
+ # Prevented attack:: XSS
+ # Supported browsers:: all
+ # More infos:: http://en.wikipedia.org/wiki/Cross-site_scripting
+ #
+ # Automatically escapes Rack::Request#params so they can be embedded in HTML
+ # or JavaScript without any further issues. Calls +html_safe+ on the escaped
+ # strings if defined, to avoid double-escaping in Rails.
+ #
+ # Not Yet Implemented!
class EscapedParams < Base
end
end
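Review bot: The header on EscapedParams overstates what escaping provides: a string that is safe as HTML text is not automatically safe inside a JavaScript string literal, an event-handler attribute or a URL, so "or JavaScript without any further issues" will lead users to skip context-specific escaping. Suggest `# Automatically escapes Rack::Request#params so they can be embedded as HTML text or attribute values; JavaScript and URL contexts still need their own escaping.` It would also help to say which characters are escaped and whether nested Hash/Array params are walked, since the class is still a stub.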
diff --git a/rack-protection/lib/rack/protection/form_token.rb b/rack-protection/lib/rack/protection/form_token.rb
index 7f29dd42..0d6bb622 100644
--- a/rack-protection/lib/rack/protection/form_token.rb
+++ b/rack-protection/lib/rack/protection/form_token.rb
@@ -2,6 +2,20 @@ require 'rack/protection'
module Rack
module Protection
+ ##
+ # Prevented attack:: CSRF
+ # Supported browsers:: all
+ # More infos:: http://en.wikipedia.org/wiki/Cross-site_request_forgery
+ #
+ # Only accepts submitted forms if a given access token matches the token
+ # included in the session. Does not expect such a token from Ajax request.
+ #
+ # This middleware is not used when using the Rack::Protection collection,
+ # since it might be a security issue, depending on your application
+ #
+ # Compatible with Rails and rack-csrf.
+ #
+ # Not Yet Implemented!
class FormToken < AuthenticityToken
end
end
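Review bot: The FormToken header says no token is expected "from Ajax request" but does not say how an Ajax request is recognised, and that test is the one place where the CSRF check is relaxed. Suggest naming the signal the implementation will rely on in the comment (for example a request header that browsers do not send cross-origin without CORS) so the exemption can be reviewed once the class is filled in. Two wording fixes: `# included in the session. Does not expect such a token from Ajax requests.` and a full stop after "depending on your application".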
diff --git a/rack-protection/lib/rack/protection/no_referrer.rb b/rack-protection/lib/rack/protection/no_referrer.rb
index 556b09be..b2c4ebf6 100644
--- a/rack-protection/lib/rack/protection/no_referrer.rb
+++ b/rack-protection/lib/rack/protection/no_referrer.rb
@@ -2,6 +2,18 @@ require 'rack/protection'
module Rack
module Protection
+ ##
+ # Prevented attack:: CSRF
+ # Supported browsers:: all
+ # More infos:: http://en.wikipedia.org/wiki/Cross-site_request_forgery
+ #
+ # Only accepts unsafe HTTP requests if the Referer [sic] header is set.
+ # Combine with RemoteRefferer for optimal security.
+ #
+ # This middleware is not used when using the Rack::Protection collection,
+ # since it renders web services unusable.
+ #
+ # Not Yet Implemented!
class NoReferrer < Base
end
end
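Review bot: `RemoteRefferer` on the "Combine with" line is a typo for the RemoteReferrer class documented in remote_referrer.rb, and RDoc will not cross-link a misspelt constant; change it to `# Combine with RemoteReferrer for optimal security.` The comment could also state that the check only defends against browser-originated requests, since any other client can set a Referer freely, which is the reason the collection leaves it out.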
diff --git a/rack-protection/lib/rack/protection/path_traversal.rb b/rack-protection/lib/rack/protection/path_traversal.rb
index fc367387..feb784c8 100644
--- a/rack-protection/lib/rack/protection/path_traversal.rb
+++ b/rack-protection/lib/rack/protection/path_traversal.rb
@@ -2,6 +2,15 @@ require 'rack/protection'
module Rack
module Protection
+ ##
+ # Prevented attack:: Directory traversal
+ # Supported browsers:: all
+ # More infos:: http://en.wikipedia.org/wiki/Directory_traversal
+ #
+ # Unescapes '/' and '.', expands +path_info+.
+ # Thus GET /foo/%2e%2e%2fbar becomes GET /bar.
+ #
+ # Not Yet Implemented!
class PathTraversal < Base
end
end
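Review bot: The PathTraversal header says the path is unescaped and expanded but not what happens to a path that resolves above '/' or to double-encoded sequences, which is exactly what a reader of a "Directory traversal" protection needs to know. Suggest adding a sentence saying whether such a request is rewritten or rejected, and that only one level of percent-encoding is decoded so downstream code must not unescape +path_info+ again. The example `GET /foo/%2e%2e%2fbar becomes GET /bar` is helpful; a second example for the above-root case would make the contract complete.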
diff --git a/rack-protection/lib/rack/protection/remote_referrer.rb b/rack-protection/lib/rack/protection/remote_referrer.rb
index 69d102ab..8892e115 100644
--- a/rack-protection/lib/rack/protection/remote_referrer.rb
+++ b/rack-protection/lib/rack/protection/remote_referrer.rb
@@ -2,6 +2,18 @@ require 'rack/protection'
module Rack
module Protection
+ ##
+ # Prevented attack:: CSRF
+ # Supported browsers:: all
+ # More infos:: http://en.wikipedia.org/wiki/Cross-site_request_forgery
+ #
+ # Does not accept unsafe HTTP requests if the Referer [sic] header is set to
+ # a different host.
+ #
+ # Combine with NoReferrer to also block remote requests from non-HTTP pages
+ # (FTP/HTTPS/...).
+ #
+ # Not Yet Implemented!
class RemoteReferrer < Base
end
end
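Review bot: "set to a different host" in the RemoteReferrer header leaves open whether scheme and port are part of the comparison and whether the match is exact; a prefix or substring match on the Referer host is the classic weakness of this check, so the comment should pin it down, e.g. `# The Referer host must equal the request host exactly (including port); prefix or substring matches do not count.` It would also help to say what happens when the Referer is absent, since that case is deliberately left to NoReferrer.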
diff --git a/rack-protection/lib/rack/protection/remote_token.rb b/rack-protection/lib/rack/protection/remote_token.rb
index 64eeafe1..eab48c1d 100644
--- a/rack-protection/lib/rack/protection/remote_token.rb
+++ b/rack-protection/lib/rack/protection/remote_token.rb
@@ -2,6 +2,17 @@ require 'rack/protection'
module Rack
module Protection
+ ##
+ # Prevented attack:: CSRF
+ # Supported browsers:: all
+ # More infos:: http://en.wikipedia.org/wiki/Cross-site_request_forgery
+ #
+ # Only accepts unsafe HTTP requests if a given access token matches the token
+ # included in the session *or* the request comes from the same origin.
+ #
+ # Compatible with Rails and rack-csrf.
+ #
+ # Not Yet Implemented!
class RemoteToken < AuthenticityToken
end
end
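Review bot: "the request comes from the same origin" in the RemoteToken header is the path that bypasses the token check, yet the comment does not say how origin is determined or what a missing Referer/Origin header means. Suggest `# Same origin is determined from the Referer header matching the request host; a missing Referer does not count as same origin.` — adjusted to whatever the implementation will do, but it should be written down before the class is filled in so the bypass is reviewable.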
diff --git a/rack-protection/lib/rack/protection/session_hihacking.rb b/rack-protection/lib/rack/protection/session_hihacking.rb
index cd9ff616..6bf21ceb 100644
--- a/rack-protection/lib/rack/protection/session_hihacking.rb
+++ b/rack-protection/lib/rack/protection/session_hihacking.rb
@@ -2,6 +2,15 @@ require 'rack/protection'
module Rack
module Protection
+ ##
+ # Prevented attack:: Session Hijacking
+ # Supported browsers:: all
+ # More infos:: http://en.wikipedia.org/wiki/Session_hijacking
+ #
+ # Tracks request properties like the user agent in the session and empties
+ # the session if those properties change.
+ #
+ # Not Yet Implemented!
class SessionHijacking < Base
end
end