
Merge rack protection #1167

Merged
merged 230 commits into from Aug 16, 2016

@zzak
Member

zzak commented Aug 12, 2016

No description provided.

zzak and others added some commits Jul 25, 2016

Use secure_compare when checking CSRF token
Since string comparisons may return early we want to use a constant
time comparison function to protect the CSRF token against timing
attacks. Rack::Utils provides such a function.

Add `:without_session` option to skip session based protection
This includes:

* Rack::Protection::SessionHijacking
* Rack::Protection::RemoteToken

Closes #47

Merge pull request #99 from droppedoncaprica/tempFileFix
Fix Tempfile reference being returned as nil

Add img-src CSP directive
It's in the list of defaults; I'm assuming it's just an oversight that
it isn't in the list of allowed KEYs

Include img-src in expected test output
Again, I'm assuming this is the intent, as `should allow changing ...` does
try to change img-src

Merge pull request #112 from jamesdabbs/master
Enclose CSP self in quotes

Turn off CSP by default
/cc mperham/sidekiq#3070

Sorry for breaking stuff, Mike 🙇 🙇 🙇 🙇 🙇 🙇 🙇

Add cookie tossing protection
Mitigate malicious session cookies set on a subdomain from
being read by the parent domain.

Merge pull request #113 from jkowens/cookie_tossing
Add cookie tossing protection

Merge pull request #114 from jkowens/cookie_tossing
Remove extra calls to method that determines cookie paths
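Two of the commits above state a defensive idea in one sentence each: compare the CSRF token in constant time because `String#==` can return at the first mismatching byte, and treat a session cookie name that arrives twice in the Cookie header as a cookie-tossing attempt. The Ruby below is an added illustration of both, not code from rack-protection or Sinatra. The constant-time compare is a plain-Ruby reimplementation of the XOR-accumulate approach (in production call `Rack::Utils.secure_compare` instead); treating duplicate session cookie names as the tossing signal is an assumption about the mitigation, and all function names and sample values are hypothetical.

```ruby
# Added example, not rack-protection's code. Function names are hypothetical.

# Early-exit comparison, instrumented to return [equal?, bytes_examined].
# The byte count is what a timing side channel leaks: it grows with the
# length of the prefix that already matches the secret token.
def early_exit_compare(a, b)
  examined = 0
  a.bytes.zip(b.bytes) do |x, y|
    examined += 1
    return [false, examined] if x != y   # stops at the first mismatch
  end
  [a.bytesize == b.bytesize, examined]
end

# Constant-time comparison in the style of Rack::Utils.secure_compare:
# reject on length (not secret for fixed-size tokens), then XOR every byte
# and OR the results together, so the work done never depends on where the
# first difference sits. Returns [equal?, bytes_examined] for contrast.
def constant_time_compare(a, b)
  return [false, 0] unless a.bytesize == b.bytesize
  diff = 0
  examined = 0
  a.bytes.zip(b.bytes) do |x, y|
    diff |= x ^ y
    examined += 1
  end
  [diff.zero?, examined]
end

# CSRF check as a middleware would perform it: a missing token on either
# side is a failure, never a pass, and the compare is constant time.
def csrf_token_valid?(session_token, submitted_token)
  return false if session_token.nil? || submitted_token.nil?
  constant_time_compare(session_token, submitted_token).first
end

# Cookie tossing: a subdomain sets a cookie with the parent's session cookie
# name (different Domain/Path), and the browser sends both, so the session
# name appears more than once in the Cookie header. Count occurrences rather
# than guessing which value is the legitimate one.
def cookie_name_count(cookie_header, name)
  cookie_header.to_s.split(/;\s*/)
               .map { |kv| kv.split('=', 2).first.to_s.strip }
               .count(name)
end

def session_cookie_tossed?(cookie_header, session_key)
  cookie_name_count(cookie_header, session_key) > 1
end

if __FILE__ == $PROGRAM_NAME
  secret = 'abcdefgh'                       # constructed sample token
  p early_exit_compare(secret, 'abcdXXXX')  # [false, 5]: leaks matched prefix
  p constant_time_compare(secret, 'abcdXXXX') # [false, 8]: always full length
  # constructed Cookie header carrying the session name twice
  p session_cookie_tossed?('rack.session=abc; rack.session=evil; x=1', 'rack.session')
end
```

The instrumented byte counts make the commit's reasoning visible: the early-exit version examines one byte for a wholly wrong guess and five for a guess with a four-byte correct prefix, while the constant-time version examines all eight either way. For the cookie case a middleware that sees a count greater than one would refuse the request and expire the duplicate, rather than silently picking one value.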

@zzak zzak added this to the 2.0.0 milestone Aug 12, 2016

@zzak zzak referenced this pull request Aug 16, 2016

Closed

Mitigate BREACH attack #115

@zzak zzak merged commit aa1f6f9 into master Aug 16, 2016

2 checks passed

continuous-integration/travis-ci/pr The Travis CI build passed
continuous-integration/travis-ci/push The Travis CI build passed

@zzak zzak deleted the merge-rack-protection branch Aug 16, 2016

@zzak

zzak commented on 8aa6c42 Mar 7, 2018

Member

Hi @kseifriedredhat! I don't think we ever did, here is the original report: sinatra/rack-protection#98

We merged rack-protection into sinatra source when releasing 2.0, which includes this patch. Prior versions to 2.0 shouldn't have it.

@namusyaka

namusyaka Mar 7, 2018

Member

Thanks for pointing this out. Unfortunately, rack-1.5.x is still being used, so I think the commit should be backported. I'm going to work on that this weekend.

@namusyaka

namusyaka Mar 7, 2018

Member

@kseifriedredhat Thank you. Just backported in https://rubygems.org/gems/rack-protection/versions/1.5.5
