From c935ab18e1873e4394e1ca11229e86da731c1d0a Mon Sep 17 00:00:00 2001
From: Jason Staten
Date: Thu, 23 Jan 2014 15:15:44 -0700
Subject: [PATCH 1/3] Discard invalid Referer header

If an invalid Referer header such as "http://example.com/bad|uri" is provided, ignore the value of it and skip using the Host header fallback.
---
 lib/rack/protection/base.rb | 1 +
 spec/base_spec.rb | 29 +++++++++++++++++++++++++++++
 2 files changed, 30 insertions(+)

diff --git a/lib/rack/protection/base.rb b/lib/rack/protection/base.rb
index ab5d85a..09d3ff9 100755
--- a/lib/rack/protection/base.rb
+++ b/lib/rack/protection/base.rb
@@ -92,6 +92,7 @@ def referrer(env)
     ref = env['HTTP_REFERER'].to_s
     return if !options[:allow_empty_referrer] and ref.empty?
     URI.parse(ref).host || Request.new(env).host
+  rescue URI::InvalidURIError
   end
 
   def origin(env)
diff --git a/spec/base_spec.rb b/spec/base_spec.rb
index dea7a6a..434e611 100644
--- a/spec/base_spec.rb
+++ b/spec/base_spec.rb
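Review bot: The added `rescue URI::InvalidURIError` has no body, so `referrer` silently returns nil for a malformed Referer; that is the intended outcome per the commit message, but nothing in the method says so, and the nil is easy to confuse with the `allow_empty_referrer` early return two lines above it. A comment on the rescue line such as `rescue URI::InvalidURIError # malformed Referer: treat as unusable, do not fall back to Host` would record the deliberate asymmetry between an empty referrer (falls back to the request host when allowed) and an invalid one (never trusted). If other `URI::Error` subclasses can surface from `URI.parse` on the supported Ruby versions, rescuing `URI::Error` would be the safer net; I have not verified that from this hunk. `def referrer` opens above the hunk and `origin` continues below it.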
@@ -6,4 +6,33 @@
       described_class.new(lambda {}).random_string.length.should == 32
     end
   end
+
+  describe "#referrer" do
+    it "Reads referrer from Referrer header" do
+      env = {"HTTP_HOST" => "foo.com", "HTTP_REFERER" => "http://bar.com/valid"}
+      described_class.new(lambda {}).referrer(env).should == "bar.com"
+    end
+
+    it "Reads referrer from Host header when Referrer header is relative" do
+      env = {"HTTP_HOST" => "foo.com", "HTTP_REFERER" => "/valid"}
+      described_class.new(lambda {}).referrer(env).should == "foo.com"
+    end
+
+    it "Reads referrer from Host header when Referrer header is missing" do
+      env = {"HTTP_HOST" => "foo.com"}
+      described_class.new(lambda {}).referrer(env).should == "foo.com"
+    end
+
+    it "Returns nil when Referrer header is missing and allow_empty_referrer is false" do
+      env = {"HTTP_HOST" => "foo.com"}
+      base = described_class.new(lambda {}, :allow_empty_referrer => false)
+      base.referrer(env).should be_nil
+    end
+
+    it "Returns nil when Referrer header is invalid" do
+      env = {"HTTP_HOST" => "foo.com", "HTTP_REFERER" => "http://bar.com/bad|uri"}
+      base = described_class.new(lambda {})
+      base.referrer(env).should be_nil
+    end
+  end
 end
From 0aec26056cea9e07fc11846ed6d05e62f41897fd Mon Sep 17 00:00:00 2001
From: Jason Staten
Date: Thu, 23 Jan 2014 15:22:40 -0700
Subject: [PATCH 2/3] refactor instantiation

---
 spec/base_spec.rb | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/spec/base_spec.rb b/spec/base_spec.rb
index 434e611..9398cc2 100644
--- a/spec/base_spec.rb
+++ b/spec/base_spec.rb
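Review bot: The "Reads referrer from Host header when Referrer header is missing" example depends on `allow_empty_referrer` defaulting to true, a default that is not visible in this hunk and would silently change what the example means if it ever flipped; passing it explicitly, `described_class.new(lambda {}, :allow_empty_referrer => true)`, makes the example self-contained. The invalid-Referer example is the one that matters for this change, since it asserts `be_nil` while a usable `HTTP_HOST` is present and thereby proves the Host fallback is skipped; naming that property in the description, e.g. `it "Returns nil and does not fall back to Host when the Referer header is invalid"`, would stop a later edit from "fixing" the expectation to `"foo.com"`. The enclosing `describe Rack::Protection::Base` block opens above the hunk.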
@@ -1,38 +1,40 @@
 require File.expand_path('../spec_helper.rb', __FILE__)
 
 describe Rack::Protection::Base do
+
+  subject { described_class.new(lambda {}) }
+
   describe "#random_string" do
     it "outputs a string of 32 characters" do
-      described_class.new(lambda {}).random_string.length.should == 32
+      subject.random_string.length.should == 32
     end
   end
 
   describe "#referrer" do
     it "Reads referrer from Referrer header" do
       env = {"HTTP_HOST" => "foo.com", "HTTP_REFERER" => "http://bar.com/valid"}
-      described_class.new(lambda {}).referrer(env).should == "bar.com"
+      subject.referrer(env).should == "bar.com"
     end
 
     it "Reads referrer from Host header when Referrer header is relative" do
       env = {"HTTP_HOST" => "foo.com", "HTTP_REFERER" => "/valid"}
-      described_class.new(lambda {}).referrer(env).should == "foo.com"
+      subject.referrer(env).should == "foo.com"
     end
 
     it "Reads referrer from Host header when Referrer header is missing" do
       env = {"HTTP_HOST" => "foo.com"}
-      described_class.new(lambda {}).referrer(env).should == "foo.com"
+      subject.referrer(env).should == "foo.com"
     end
 
     it "Returns nil when Referrer header is missing and allow_empty_referrer is false" do
       env = {"HTTP_HOST" => "foo.com"}
-      base = described_class.new(lambda {}, :allow_empty_referrer => false)
-      base.referrer(env).should be_nil
+      subject.options[:allow_empty_referrer] = false
+      subject.referrer(env).should be_nil
     end
 
     it "Returns nil when Referrer header is invalid" do
       env = {"HTTP_HOST" => "foo.com", "HTTP_REFERER" => "http://bar.com/bad|uri"}
-      base = described_class.new(lambda {})
-      base.referrer(env).should be_nil
+      subject.referrer(env).should be_nil
     end
   end
 end
From 02b765baed45c5c920ca54e43fb45ec07f5f1af3 Mon Sep 17 00:00:00 2001
From: Jason Staten
Date: Thu, 23 Jan 2014 15:29:16 -0700
Subject: [PATCH 3/3] fix typoed header name

---
 spec/base_spec.rb | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/spec/base_spec.rb b/spec/base_spec.rb
index 9398cc2..415634a 100644
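Review bot: `subject.options[:allow_empty_referrer] = false` mutates the options hash of an already-constructed instance, which bypasses whatever the constructor does with the option (default merging, freezing, validation) and depends on `options` exposing a mutable hash, neither of which is visible in this hunk. Keeping the option on the construction path, as the removed line did, is more robust: wrap that example in `context "with allow_empty_referrer false" do` with `subject { described_class.new(lambda {}, :allow_empty_referrer => false) }`. Because RSpec memoizes `subject` per example, the mutation does not leak between examples today, but the nested-context form does not rely on that.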
--- a/spec/base_spec.rb
+++ b/spec/base_spec.rb
@@ -11,28 +11,28 @@
   end
 
   describe "#referrer" do
-    it "Reads referrer from Referrer header" do
+    it "Reads referrer from Referer header" do
       env = {"HTTP_HOST" => "foo.com", "HTTP_REFERER" => "http://bar.com/valid"}
       subject.referrer(env).should == "bar.com"
     end
 
-    it "Reads referrer from Host header when Referrer header is relative" do
+    it "Reads referrer from Host header when Referer header is relative" do
       env = {"HTTP_HOST" => "foo.com", "HTTP_REFERER" => "/valid"}
       subject.referrer(env).should == "foo.com"
     end
 
-    it "Reads referrer from Host header when Referrer header is missing" do
+    it "Reads referrer from Host header when Referer header is missing" do
       env = {"HTTP_HOST" => "foo.com"}
       subject.referrer(env).should == "foo.com"
     end
 
-    it "Returns nil when Referrer header is missing and allow_empty_referrer is false" do
+    it "Returns nil when Referer header is missing and allow_empty_referrer is false" do
       env = {"HTTP_HOST" => "foo.com"}
       subject.options[:allow_empty_referrer] = false
       subject.referrer(env).should be_nil
     end
 
-    it "Returns nil when Referrer header is invalid" do
+    it "Returns nil when Referer header is invalid" do
       env = {"HTTP_HOST" => "foo.com", "HTTP_REFERER" => "http://bar.com/bad|uri"}
       subject.referrer(env).should be_nil
     end