Issue with timestamped static assets #8

Closed
pirj opened this Issue Oct 16, 2011 · 6 comments


pirj commented Oct 16, 2011

I'm using rack-protection with a Padrino/Sinatra-based application, and it fails with asset timestamps (http://localhost:3000/stylesheets/style.css?1317852338):

/home/pirj/.rvm/gems/ruby-1.9.2-p290/gems/rack-protection-1.1.4/lib/rack/protection/escaped_params.rb in escape
    else raise ArgumentError, "cannot escape #{object.inspect}"
/home/pirj/.rvm/gems/ruby-1.9.2-p290/gems/rack-protection-1.1.4/lib/rack/protection/escaped_params.rb in block in escape_hash

because of

Variable    Value
1317852338  nil

Just wanted to comment here so I get notifications for this ticket. Seems like protection needs to coerce the value to string or just not escape nil value params (for the case of asset stamps or query strings with no value).

Owner

rkh commented Oct 16, 2011

Parameter escaping had been disabled in Sinatra 1.3.1. Still, this should be fixed.

@pirj Can you make sure to try with sinatra 1.3.1 and confirm this is no longer an issue?

Owner

rkh commented Oct 16, 2011

Note: 1.3.1 doesn't fix the issue, it should just avoid it.

pirj commented Oct 16, 2011

I'm on Sinatra 1.3.1, Rack 1.3.4, Rack-protection 1.1.2. I suggest Padrino (0.10.5) still uses asset timestamps by default, but this should be fixed anyway since it's not only related to automated timestamps, but rather any GET parameter without a value e.g. http://host.com/mailbox/incoming?nospam.

Hmm, but with 1.3.1 that escaping should be skipped. We don't turn it back on in Padrino, so that's odd. I do agree that escaping should account for no-value query keys though; asset timestamps are not the only cases of this.

rkh closed this in ae9c330 Dec 30, 2011

@zzak zzak pushed a commit that referenced this issue Aug 12, 2016

@tobynet tobynet Reflect fix issue #8 by ae9c330 into README.md 83c8f27
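
The failure discussed in this thread, reproduced outside the gem as an added example (this is not rack-protection's code and not the change made in ae9c330). It assumes a valueless query key such as `?1317852338` or `?nospam` reaches the escaper as a `nil` value, as in the Variable/Value table above; `escape_params`, `escape_string`, `strict_failure` and the `allow_nil` switch are hypothetical names.

```ruby
# Stand-in HTML escaper for the example; not the escaper the gem uses.
HTML_ESCAPES = {
  '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#x27;'
}.freeze

def escape_string(str)
  str.gsub(/[&<>"']/, HTML_ESCAPES)
end

# Recursively escape the values of a params structure.
# allow_nil: false mirrors the reported behaviour (nil raises ArgumentError).
# allow_nil: true passes nil through, since a nil carries no markup to escape.
# Any other unexpected type still raises, so the escaper stays fail-closed.
def escape_params(object, allow_nil: true)
  case object
  when Hash   then object.transform_values { |v| escape_params(v, allow_nil: allow_nil) }
  when Array  then object.map { |v| escape_params(v, allow_nil: allow_nil) }
  when String then escape_string(object)
  else
    return nil if object.nil? && allow_nil
    raise ArgumentError, "cannot escape #{object.inspect}"
  end
end

# Constructed sample: params for a request mixing valueless keys
# with ordinary, nested and hostile values.
SAMPLE_PARAMS = {
  '1317852338' => nil,
  'nospam'     => nil,
  'q'          => '<script>alert(1)</script>',
  'tags'       => ['a&b', nil],
  'user'       => { 'name' => '"pirj"', 'note' => nil }
}.freeze

# Returns the error message raised by the strict variant, or nil if none.
def strict_failure(params)
  escape_params(params, allow_nil: false)
  nil
rescue ArgumentError => e
  e.message
end

if __FILE__ == $PROGRAM_NAME
  puts "strict:   #{strict_failure(SAMPLE_PARAMS)}"
  puts "tolerant: #{escape_params(SAMPLE_PARAMS).inspect}"
end
```
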