Merge pull request #74 from statianzo/invalid-referer

Discard invalid Referer header

lib/rack/protection/base.rb

@@ -92,6 +92,7 @@ def referrer(env)
         ref = env['HTTP_REFERER'].to_s
         return if !options[:allow_empty_referrer] and ref.empty?
         URI.parse(ref).host || Request.new(env).host
+      rescue URI::InvalidURIError
       end
 
       def origin(env)

spec/base_spec.rb

@@ -1,9 +1,40 @@
 require File.expand_path('../spec_helper.rb', __FILE__)
 
 describe Rack::Protection::Base do
+
+  subject { described_class.new(lambda {}) }
+
   describe "#random_string" do
     it "outputs a string of 32 characters" do
-      described_class.new(lambda {}).random_string.length.should == 32
+      subject.random_string.length.should == 32
+    end
+  end
+
+  describe "#referrer" do
+    it "Reads referrer from Referer header" do
+      env = {"HTTP_HOST" => "foo.com", "HTTP_REFERER" => "http://bar.com/valid"}
+      subject.referrer(env).should == "bar.com"
+    end
+
+    it "Reads referrer from Host header when Referer header is relative" do
+      env = {"HTTP_HOST" => "foo.com", "HTTP_REFERER" => "/valid"}
+      subject.referrer(env).should == "foo.com"
+    end
+
+    it "Reads referrer from Host header when Referer header is missing" do
+      env = {"HTTP_HOST" => "foo.com"}
+      subject.referrer(env).should == "foo.com"
+    end
+
+    it "Returns nil when Referer header is missing and allow_empty_referrer is false" do
+      env = {"HTTP_HOST" => "foo.com"}
+      subject.options[:allow_empty_referrer] = false
+      subject.referrer(env).should be_nil
+    end
+
+    it "Returns nil when Referer header is invalid" do
+      env = {"HTTP_HOST" => "foo.com", "HTTP_REFERER" => "http://bar.com/bad|uri"}
+      subject.referrer(env).should be_nil
     end
   end
 end