
Add a `report` reaction

This reaction does not halt the request but leaves it up to the
app to react to this information. This allows frameworks, for example,
to ignore failures under certain conditions.
commit 4775e7926df123ed60d98b9e43a46fc17276c033 1 parent dac9197
@skade skade authored
Showing with 17 additions and 0 deletions.
  1. +5 −0 lib/rack/protection/base.rb
  2. +12 −0 spec/protection_spec.rb
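--- a/lib/rack/protection/base.rb
+++ b/lib/rack/protection/base.rb
@@ -11,6 +11,7 @@ class Base
 :message => 'Forbidden', :encryptor => Digest::SHA1,
 :session_key => 'rack.session', :status => 403,
 :allow_empty_referrer => true,
+ :report_key => "protection.failed",
 :html_types => %w[text/html application/xhtml]
 }
@@ -63,6 +64,10 @@ def deny(env)
 [options[:status], {'Content-Type' => 'text/plain'}, [options[:message]]]
 end
+ def report(env)
+ env[options[:report_key]] = true
+ end
+
 def session?(env)
 env.include? options[:session_key]
 end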
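Review bot: `report` is a fail-open reaction and nothing in the code says so: the request still reaches the app and the only trace is `env[options[:report_key]] = true`, so an app that never reads that key runs with the check effectively switched off. I would add a comment above `def report(env)` such as `# Fail-open: flags the request in env[options[:report_key]] and lets it through; the app must inspect the key and reject the request itself.` A bare `true` also cannot tell the app which check tripped when several protection middlewares share the default key; recording the class, for example `(env[options[:report_key]] ||= []) << self.class.name`, would, at the cost of changing what the new spec's `body.should == "true"` sees. The `Base` class starts and ends outside these hunks, so how the return value of `report` is used by the caller is not visible here.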
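--- a/spec/protection_spec.rb
+++ b/spec/protection_spec.rb
@@ -18,6 +18,18 @@
 session.should be_empty
 end
+ it 'passes errors through if :reaction => :report is used' do
+ mock_app do
+ use Rack::Protection, :reaction => :report
+ run proc { |e| [200, {'Content-Type' => 'text/plain'}, [e["protection.failed"].to_s]] }
+ end
+
+ session = {:foo => :bar}
+ post('/', {}, 'rack.session' => session, 'HTTP_ORIGIN' => 'http://malicious.com')
+ last_response.should be_ok
+ body.should == "true"
+ end
+
 describe "#html?" do
 context "given an appropriate content-type header" do
 subject { Rack::Protection::Base.new(nil).html? 'content-type' => "text/html" }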
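Review bot: The `session` hash in the new example is built and passed in but never asserted on, so the spec does not pin that `:report` leaves the session untouched, whereas the example just above it ends with `session.should be_empty`. Adding `session[:foo].should == :bar` after `body.should == "true"` would cover that. The example also only exercises the failing path; a companion example with a request the middleware accepts (presumably a plain `get('/')`) asserting `body.should == ""` would show the flag is not set on clean requests. A case passing a custom `:report_key` would confirm the option is honoured rather than the hard-coded `"protection.failed"` string.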