Class: Rack::Protection::CookieTossing
- Inherits:
-
Base
- Object
- Base
- Rack::Protection::CookieTossing
show all
- Defined in:
- lib/rack/protection/cookie_tossing.rb
Overview
- Prevented attack
-
Cookie Tossing
- Supported browsers
-
all
- More infos
-
github.com/blog/1466-yummy-cookies-across-domains
Does not accept HTTP requests if the HTTP_COOKIE header contains more than one session cookie. This does not protect against a cookie overflow attack.
Options:
- session_key
-
The name of the session cookie (default: ‘rack.session’)
Constant Summary
Constants inherited
from Base
Base::DEFAULT_OPTIONS
Instance Attribute Summary
Attributes inherited from Base
#app, #options
Instance Method Summary
collapse
Methods inherited from Base
#debug, #default_options, default_options, default_reaction, #deny, #drop_session, #encrypt, #html?, #initialize, #instrument, #origin, #random_string, #react, #referrer, #report, #safe?, #secure_compare, #session, #session?, #warn
Instance Method Details
#accepts?(env) ⇒ Boolean
30
31
32
33
34
35
36
37
38
39
40
|
# File 'lib/rack/protection/cookie_tossing.rb', line 30
def accepts?(env)
= env['HTTP_COOKIE']
cookies = Rack::Utils.parse_query(, ';,') { |s| s }
cookies.each do |k, v|
if (k == session_key && Array(v).size > 1) ||
(k != session_key && Rack::Utils.unescape(k) == session_key)
bad_cookies << k
end
end
bad_cookies.empty?
end
|
#bad_cookies ⇒ Object
57
58
59
|
# File 'lib/rack/protection/cookie_tossing.rb', line 57
def bad_cookies
@bad_cookies ||= []
end
|
#call(env) ⇒ Object
22
23
24
25
26
27
28
|
# File 'lib/rack/protection/cookie_tossing.rb', line 22
def call(env)
status, , body = super
response = Rack::Response.new(body, status, )
request = Rack::Request.new(env)
remove_bad_cookies(request, response)
response.finish
end
|
#cookie_paths(path) ⇒ Object
61
62
63
64
65
66
|
# File 'lib/rack/protection/cookie_tossing.rb', line 61
def cookie_paths(path)
path = '/' if path.to_s.empty?
paths = []
Pathname.new(path).descend { |p| paths << p.to_s }
paths
end
|
#empty_cookie(host, path) ⇒ Object
68
69
70
|
# File 'lib/rack/protection/cookie_tossing.rb', line 68
def empty_cookie(host, path)
{ value: '', domain: host, path: path, expires: Time.at(0) }
end
|
#redirect(env) ⇒ Object
51
52
53
54
55
|
# File 'lib/rack/protection/cookie_tossing.rb', line 51
def redirect(env)
request = Request.new(env)
warn env, "attack prevented by #{self.class}"
[302, { 'content-type' => 'text/html', 'location' => request.path }, []]
end
|
#remove_bad_cookies(request, response) ⇒ Object
42
43
44
45
46
47
48
49
|
# File 'lib/rack/protection/cookie_tossing.rb', line 42
def remove_bad_cookies(request, response)
return if bad_cookies.empty?
paths = cookie_paths(request.path)
bad_cookies.each do |name|
paths.each { |path| response.set_cookie name, empty_cookie(request.host, path) }
end
end
|
#session_key ⇒ Object
72
73
74
|
# File 'lib/rack/protection/cookie_tossing.rb', line 72
def session_key
@session_key ||= options[:session_key]
end
|