
Check for nil response on JsonCsrf protection #52
merged 2 commits into from Apr 8, 2013
2 changes: 1 addition & 1 deletion lib/rack/protection/json_csrf.rb
Expand Up @@ -19,7 +19,7 @@ def call(env)

if has_vector? request, headers
warn env, "attack prevented by #{self.class}"
react(env)
react(env) or [status, headers, body]
else
[status, headers, body]
end
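Review bot: The changed line `react(env) or [status, headers, body]` serves the application's already-computed response whenever the configured reaction returns nil (the `:drop_session` case the new spec covers); since `status`, `headers` and `body` are already in scope here, that body was generated while the session was still intact, so under that reaction the cross-origin caller still receives the JSON and the preceding `warn` of "attack prevented" is optimistic. That is presumably the intended fallback rather than a regression, but it deserves a comment above the line, e.g. `# a nil reaction (e.g. :drop_session) does not replace the response; the JSON computed for the old session is still served`. Style-wise, the Ruby style guide prefers `||` over `or` when the expression's value is used, so `react(env) || [status, headers, body]`. The enclosing `call(env)` starts before this hunk.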
15 changes: 15 additions & 0 deletions spec/json_csrf_spec.rb
Expand Up @@ -31,6 +31,7 @@
it "accepts XHR requests" do
get('/', {}, 'HTTP_REFERER' => 'http://evil.com', 'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest').should be_ok
end

end

describe 'not json response' do
Expand All @@ -41,4 +42,18 @@
end

end

describe 'with drop_session as default reaction' do
it 'reset the session' do
mock_app do
use Rack::Protection, :reaction => :drop_session
run proc { |e| [200, {'Content-Type' => 'application/json'}, []]}
end

session = {:foo => :bar}
get('/', {}, 'HTTP_REFERER' => 'http://evil.com', 'rack.session' => session)
last_response.should be_ok
session.should be_empty
end
end
end
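Review bot: The new example mounts the full default stack with `use Rack::Protection, :reaction => :drop_session` rather than the middleware this PR changes, so a green run does not by itself show that JsonCsrf's new nil-safe fallthrough is what dropped the session; `use Rack::Protection::JsonCsrf, :reaction => :drop_session` would pin the example to the code under test. It also asserts only `be_ok` and an empty session, while the point of the fix is that the original response is now returned instead of a nil that previously failed, so an assertion on the delivered response such as `last_response.content_type.should == 'application/json'` would document that. Minor: the example name reads better as 'resets the session'.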