-rw-r--r--Gemfile3
-rw-r--r--Gemfile.lock3
-rw-r--r--config/application.rb5
-rw-r--r--spec/integration/parameter_stripping_spec.rb24
4 files changed, 35 insertions, 0 deletions
diff --git a/Gemfile b/Gemfile
index a836653d0..3bcab2a9a 100644
--- a/Gemfile
+++ b/Gemfile
@@ -23,6 +23,9 @@ gem 'net-http-local', '~> 0.1.2', :platforms => [:ruby_18, :ruby_19]
gem 'net-purge', '~> 0.1.0'
gem 'open4', '~> 1.3.4'
gem 'rack', '~> 1.4.5'
+if RUBY_VERSION.to_f >= 1.9
+ gem 'rack-utf8_sanitizer', '~> 1.3.0'
+end
gem 'rake', '0.9.2.2'
gem 'rails-i18n', '~> 0.7.3'
gem 'recaptcha', '~> 0.3.1', :require => 'recaptcha/rails'
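Review bot: The `if RUBY_VERSION.to_f >= 1.9` guard around the new `rack-utf8_sanitizer` line gives no reason for the 1.9 floor, and the same floor is repeated by hand in config/application.rb and in the new spec, so a reader has three places to keep in sync and no stated rationale. A one-line comment on the guard would close that gap, e.g. `# rack-utf8_sanitizer relies on Ruby 1.9 String encodings; the 1.8 platform goes without it`, if that is indeed the reason (it presumably is, given the gem's purpose, but confirm against the gem's requirements). The net-http-local line in the hunk header gates by Ruby version with Bundler's `:platforms` option instead; whichever form is chosen, using it consistently makes the Gemfile easier to read.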
diff --git a/Gemfile.lock b/Gemfile.lock
index 9353b9145..24402bca6 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -194,6 +194,8 @@ GEM
rack
rack-test (0.6.2)
rack (>= 1.0)
+ rack-utf8_sanitizer (1.3.0)
+ rack (~> 1.0)
rails (3.2.21)
actionmailer (= 3.2.21)
actionpack (= 3.2.21)
@@ -342,6 +344,7 @@ DEPENDENCIES
pry (~> 0.9.6)
quiet_assets (~> 1.0.2)
rack (~> 1.4.5)
+ rack-utf8_sanitizer (~> 1.3.0)
rails (= 3.2.21)
rails-i18n (~> 0.7.3)
rake (= 0.9.2.2)
diff --git a/config/application.rb b/config/application.rb
index eccf0937c..ed7488454 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -84,6 +84,11 @@ module Alaveteli
require "#{Rails.root}/lib/whatdotheyknow/strip_empty_sessions"
config.middleware.insert_before ::ActionDispatch::Cookies, WhatDoTheyKnow::StripEmptySessions, :key => '_wdtk_cookie_session', :path => "/", :httponly => true
+ # Strip non-UTF-8 request parameters
+ if RUBY_VERSION.to_f >= 1.9
+ config.middleware.insert 0, Rack::UTF8Sanitizer
+ end
+
# Allow the generation of full URLs in emails
config.action_mailer.default_url_options = { :host => AlaveteliConfiguration::domain }
if AlaveteliConfiguration::force_ssl
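Review bot: The new `config.middleware.insert 0, Rack::UTF8Sanitizer` line places the middleware by a bare index while the line just above it positions `StripEmptySessions` relative to a named middleware with `insert_before`, and nothing says why index 0 is required here. The spec added in this commit exercises both a malformed path (`request/228%85`) and a malformed POST body, so the sanitizer evidently has to rewrite the request env before any other middleware or the router reads `PATH_INFO`, `QUERY_STRING` or the body; the comment should say so, e.g. `# Must be first: sanitises the env before anything else reads the path, query or body`. The word "Strip" in the existing comment may also overstate what happens — if the gem replaces invalid byte sequences rather than dropping them (confirm against the gem's README), "sanitise" avoids a maintainer expecting bad parameters to disappear. The enclosing configuration block starts and ends outside the hunk.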
diff --git a/spec/integration/parameter_stripping_spec.rb b/spec/integration/parameter_stripping_spec.rb
new file mode 100644
index 000000000..b910062a9
--- /dev/null
+++ b/spec/integration/parameter_stripping_spec.rb
@@ -0,0 +1,24 @@
+# -*- encoding : utf-8 -*-
+require File.expand_path(File.dirname(__FILE__) + '/../spec_helper')
+
+describe "When handling bad requests" do
+
+ if RUBY_VERSION.to_f >= 1.9
+
+ it 'should return a 404 for GET requests to a malformed request URL' do
+ get 'request/228%85'
+ response.status.should == 404
+ end
+
+ it 'should redirect a bad UTF-8 POST to a malformed attachment URL' do
+ info_request = FactoryGirl.create(:info_request_with_incoming_attachments)
+ incoming_message = info_request.incoming_messages.first
+ data = { :excerpt => "something\xA3\xA1" }
+ post "/en/request/#{info_request.id}/response/#{incoming_message.id}/attach/2/interesting.pdf/trackback", data
+ response.status.should == 303
+ response.should redirect_to "/en/request/#{info_request.url_title}#incoming-#{incoming_message.id}"
+ end
+
+ end
+
+end
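Review bot: The first example calls `get 'request/228%85'` without a leading slash while the second example uses an absolute path (`"/en/request/..."`), so the two requests are built differently and it is not obvious that the relative form reaches the same route; `get '/request/228%85'` is the unambiguous form and matches the other example. Wrapping both examples in `if RUBY_VERSION.to_f >= 1.9` also leaves an empty example group on older Rubies, so the skip is invisible in the test output; if the project's RSpec supports `:if` metadata, `it 'should return a 404 ...', :if => RUBY_VERSION.to_f >= 1.9 do` records the examples as filtered out rather than silently omitting them. Either way a comment above the guard saying that the sanitizer middleware is only mounted on 1.9+ (see config/application.rb) would explain the conditional to the next reader.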