Don't choke on requests that end up without a content-type header #32

Merged
merged 1 commit into from

2 participants

@cheald

Sinatra can send responses without content-type headers. rack-protection blows up on them. This fixes that.

@rkh rkh merged commit 0d1e3c5 into sinatra:master
@rkh
Owner

Thanks. I refactored the code a little and pushed out 1.3.1.

Showing with 27 additions and 2 deletions.
  1. +10 −2 lib/rack/protection/base.rb
  2. +17 −0 spec/protection_spec.rb
12 lib/rack/protection/base.rb 100644 → 100755
@@ -98,8 +98,16 @@ def encrypt(value)
alias default_reaction deny
def html?(headers)
- type = headers.detect { |k,v| k.downcase == 'content-type' }.last[/^\w+\/\w+/]
- type == 'text/html' or type == 'application/xhtml'
+ if type = headers.detect { |k,v| k.downcase == 'content-type' }
+ case type.last[/^\w+\/\w+/]
+ when 'text/html', 'application/xhtml'
+ true
+ else
+ false
+ end
+ else
+ false
+ end
end
end
end
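Review bot: the new guard in `html?` handles a missing content-type header, but a header that is present with a nil value would still raise at `type.last[/^\w+\/\w+/]`, since `detect` returns the pair and `.last` is then nil. Converting the value with `to_s` before applying the regex would cover both cases, and the nested `if`/`case` that only returns `true` or `false` could then collapse into a single boolean expression. The match is also case-sensitive on the value, so "Text/HTML" yields false even though media types are case-insensitive; downcasing the value, as is already done for the header name, would fix that. Separately, the file mode changes from 100644 to 100755, which a library file does not need.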
17 spec/protection_spec.rb 100644 → 100755
@@ -17,4 +17,21 @@
get '/', {}, 'rack.session' => session, 'HTTP_FOO' => 'BAR'
session.should be_empty
end
+
+ describe "#html?" do
+ context "given an appropriate content-type header" do
+ subject { Rack::Protection::Base.new(nil).html?({'content-type' => "text/html"}) }
+ it { should be_true }
+ end
+
+ context "given an inappropriate content-type header" do
+ subject { Rack::Protection::Base.new(nil).html?({'content-type' => "image/gif"}) }
+ it { should be_false }
+ end
+
+ context "given no content-type header" do
+ subject { Rack::Protection::Base.new(nil).html?({}) }
+ it { should be_false }
+ end
+ end
end
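Review bot: the three `#html?` contexts only exercise a lowercase `'content-type'` key with a bare media type, so the `k.downcase` comparison and the `/^\w+\/\w+/` prefix match in `html?` are never tested. Consider adding contexts for a `'Content-Type'` key, a value with parameters such as "text/html; charset=utf-8", and an "application/xhtml+xml" value, which is the input the `'application/xhtml'` branch appears to target. The spec file's mode also changes from 100644 to 100755, which looks unintentional.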