Permalink
Browse files

Merge pull request #52 from bugant/master

Check for nil response on JsonCsrf protection
  • Loading branch information...
2 parents b45d31c + eb7e4c9 commit 7c4b33b053d41326de651070081a1639117be05f @rkh rkh committed Apr 8, 2013
Showing with 16 additions and 1 deletion.
  1. +1 −1 lib/rack/protection/json_csrf.rb
  2. +15 −0 spec/json_csrf_spec.rb
@@ -19,7 +19,7 @@ def call(env)
if has_vector? request, headers
warn env, "attack prevented by #{self.class}"
- react(env)
+ react(env) or [status, headers, body]
else
[status, headers, body]
end
View
@@ -31,6 +31,7 @@
it "accepts XHR requests" do
get('/', {}, 'HTTP_REFERER' => 'http://evil.com', 'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest').should be_ok
end
+
end
describe 'not json response' do
@@ -41,4 +42,18 @@
end
end
+
+ describe 'with drop_session as default reaction' do
+ it 'reset the session' do
+ mock_app do
+ use Rack::Protection, :reaction => :drop_session
+ run proc { |e| [200, {'Content-Type' => 'application/json'}, []]}
+ end
+
+ session = {:foo => :bar}
+ get('/', {}, 'HTTP_REFERER' => 'http://evil.com', 'rack.session' => session)
+ last_response.should be_ok
+ session.should be_empty
+ end
+ end
end

0 comments on commit 7c4b33b

Please sign in to comment.