-rw-r--r-- | Gemfile | 3 | ||||
-rw-r--r-- | Gemfile.lock | 3 | ||||
-rw-r--r-- | config/application.rb | 5 | ||||
-rwxr-xr-x | script/request-creation-graph | 6 | ||||
-rwxr-xr-x | script/user-use-graph | 6 | ||||
-rw-r--r-- | spec/integration/parameter_stripping_spec.rb | 24 |
6 files changed, 37 insertions, 10 deletions
@@ -23,6 +23,9 @@ gem 'net-http-local', '~> 0.1.2', :platforms => [:ruby_18, :ruby_19] gem 'net-purge', '~> 0.1.0' gem 'open4', '~> 1.3.4' gem 'rack', '~> 1.4.5' +if RUBY_VERSION.to_f >= 1.9 + gem 'rack-utf8_sanitizer', '~> 1.3.0' +end gem 'rake', '0.9.2.2' gem 'rails-i18n', '~> 0.7.3' gem 'recaptcha', '~> 0.3.1', :require => 'recaptcha/rails' diff --git a/Gemfile.lock b/Gemfile.lock index 9353b9145..24402bca6 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -194,6 +194,8 @@ GEM rack rack-test (0.6.2) rack (>= 1.0) + rack-utf8_sanitizer (1.3.0) + rack (~> 1.0) rails (3.2.21) actionmailer (= 3.2.21) actionpack (= 3.2.21) @@ -342,6 +344,7 @@ DEPENDENCIES pry (~> 0.9.6) quiet_assets (~> 1.0.2) rack (~> 1.4.5) + rack-utf8_sanitizer (~> 1.3.0) rails (= 3.2.21) rails-i18n (~> 0.7.3) rake (= 0.9.2.2) diff --git a/config/application.rb b/config/application.rb index eccf0937c..ed7488454 100644 --- a/config/application.rb +++ b/config/application.rb @@ -84,6 +84,11 @@ module Alaveteli require "#{Rails.root}/lib/whatdotheyknow/strip_empty_sessions" config.middleware.insert_before ::ActionDispatch::Cookies, WhatDoTheyKnow::StripEmptySessions, :key => '_wdtk_cookie_session', :path => "/", :httponly => true + # Strip non-UTF-8 request parameters + if RUBY_VERSION.to_f >= 1.9 + config.middleware.insert 0, Rack::UTF8Sanitizer + end + # Allow the generation of full URLs in emails config.action_mailer.default_url_options = { :host => AlaveteliConfiguration::domain } if AlaveteliConfiguration::force_ssl diff --git a/script/request-creation-graph b/script/request-creation-graph index f3baa2326..9b91e44b9 100755 --- a/script/request-creation-graph +++ b/script/request-creation-graph 
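Review bot: The guard `if RUBY_VERSION.to_f >= 1.9` around `gem 'rack-utf8_sanitizer', '~> 1.3.0'` compares versions as floats, which only works while every Ruby of interest has a single-digit minor number, and the same expression is repeated in the config/application.rb hunk below. `Gem::Version.new(RUBY_VERSION) >= Gem::Version.new('1.9')` orders versions correctly and reads as a version check rather than arithmetic. Note also that Gemfile.lock records the dependency unconditionally, so a `bundle install` on a 1.8 interpreter will presumably see the Gemfile and lockfile disagree; worth confirming if 1.8 deployments still exist.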
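Review bot: The comment `# Strip non-UTF-8 request parameters` above `config.middleware.insert 0, Rack::UTF8Sanitizer` does not explain why index 0 matters: at the head of the stack the sanitizer runs before every other middleware, including the cookie and `StripEmptySessions` handling set up just above it, so nothing downstream reads an unsanitized `PATH_INFO`, `QUERY_STRING` or header. I would make that explicit so the position survives later edits: `# Sanitise invalid UTF-8 in the request env before any other middleware reads it; keep this at the head of the stack`. Whether the 1.3.0 gem replaces or removes the offending bytes, and whether it also rewrites form bodies, I cannot tell from here — the POST example added in spec/integration/parameter_stripping_spec.rb suggests bodies are covered, but it is worth confirming against the gem's documentation. The enclosing `Alaveteli` application class starts and ends outside the hunk.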
@@ -17,11 +17,7 @@ cd `dirname $0` cd ../ source commonlib/shlib/deployfns -# TODO: this is nasty :) -OPTION_FOI_DB_HOST=`grep "host:" config/database.yml | head --lines=1 | cut -d ":" -f 2` -OPTION_FOI_DB_PORT=`grep "port:" config/database.yml | head --lines=1 | cut -d ":" -f 2` -OPTION_FOI_DB_NAME=`grep "database:" config/database.yml | head --lines=1 | cut -d ":" -f 2` -OPTION_FOI_DB_USER=`grep "username:" config/database.yml | head --lines=1 | cut -d ":" -f 2` +read OPTION_FOI_DB_HOST OPTION_FOI_DB_PORT OPTION_FOI_DB_NAME OPTION_FOI_DB_USER <<<$(ruby -r yaml -e 'db = YAML::load(STDIN.read); pr = db["production"]; puts pr["host"], pr["port"], pr["database"], pr["username"]' < config/database.yml) SOURCEA=/tmp/foi-creation-rate-graph-data-$RANDOM$RANDOM SOURCEB=/tmp/foi-creation-rate-graph-data-$RANDOM$RANDOM diff --git a/script/user-use-graph b/script/user-use-graph index 00eeb36f8..aad471a4b 100755 --- a/script/user-use-graph +++ b/script/user-use-graph @@ -16,11 +16,7 @@ cd `dirname $0` cd ../ source commonlib/shlib/deployfns -# TODO: this is nasty :) -OPTION_FOI_DB_HOST=`grep "host:" config/database.yml | head --lines=1 | cut -d ":" -f 2` -OPTION_FOI_DB_PORT=`grep "port:" config/database.yml | head --lines=1 | cut -d ":" -f 2` -OPTION_FOI_DB_NAME=`grep "database:" config/database.yml | head --lines=1 | cut -d ":" -f 2` -OPTION_FOI_DB_USER=`grep "username:" config/database.yml | head --lines=1 | cut -d ":" -f 2` +read OPTION_FOI_DB_HOST OPTION_FOI_DB_PORT OPTION_FOI_DB_NAME OPTION_FOI_DB_USER <<<$(ruby -r yaml -e 'db = YAML::load(STDIN.read); pr = db["production"]; puts pr["host"], pr["port"], pr["database"], pr["username"]' < config/database.yml) SOURCEA=/tmp/foi-creation-rate-graph-data-$RANDOM$RANDOM SOURCEB=/tmp/foi-creation-rate-graph-data-$RANDOM$RANDOM diff --git a/spec/integration/parameter_stripping_spec.rb b/spec/integration/parameter_stripping_spec.rb new file mode 100644 index 000000000..b910062a9 --- /dev/null 
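Review bot: The new `read OPTION_FOI_DB_HOST OPTION_FOI_DB_PORT OPTION_FOI_DB_NAME OPTION_FOI_DB_USER <<<$(ruby ...)` line in script/request-creation-graph (and its twin in script/user-use-graph) depends on the four `puts` lines being folded into one space-separated line before `read` sees them; `read` consumes a single line, and whether an unquoted here-string is word-split that way differs between bash versions, so on some shells only the host variable is set. Even where it works, an empty value (no `port:` for the production entry) shifts the remaining fields one position to the left. Reading one line per variable from a quoted here-string is robust to both: `{ read -r OPTION_FOI_DB_HOST; read -r OPTION_FOI_DB_PORT; read -r OPTION_FOI_DB_NAME; read -r OPTION_FOI_DB_USER; } <<<"$(ruby -r yaml -e 'db = YAML::load(STDIN.read); pr = db["production"]; puts pr["host"], pr["port"], pr["database"], pr["username"]' < config/database.yml)"`. If config/database.yml contains ERB tags, as Rails permits, the plain `YAML::load` will presumably fail to parse it, which the old grep approach tolerated; worth checking against the deployed file.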
+++ b/spec/integration/parameter_stripping_spec.rb
@@ -0,0 +1,24 @@
+# -*- encoding : utf-8 -*-
+require File.expand_path(File.dirname(__FILE__) + '/../spec_helper')
+
+describe "When handling bad requests" do
+
+  if RUBY_VERSION.to_f >= 1.9
+
+    it 'should return a 404 for GET requests to a malformed request URL' do
+      get 'request/228%85'
+      response.status.should == 404
+    end
+
+    it 'should redirect a bad UTF-8 POST to a malformed attachment URL' do
+      info_request = FactoryGirl.create(:info_request_with_incoming_attachments)
+      incoming_message = info_request.incoming_messages.first
+      data = { :excerpt => "something\xA3\xA1" }
+      post "/en/request/#{info_request.id}/response/#{incoming_message.id}/attach/2/interesting.pdf/trackback", data
+      response.status.should == 303
+      response.should redirect_to "/en/request/#{info_request.url_title}#incoming-#{incoming_message.id}"
+    end
+
+  end
+
+end
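Review bot: The first example requests the relative path `'request/228%85'` while the second uses an absolute `/en/...` path; if the integration session passes the path through without a leading `/`, no route matches and the 404 comes from routing rather than from the sanitizer, so the example would still pass with `Rack::UTF8Sanitizer` removed. `get '/request/228%85'` exercises the intended route. The `if RUBY_VERSION.to_f >= 1.9` wrapper also makes the whole group silently define no examples on 1.8; marking them `pending` with a reason would show the gap in the run instead of hiding it.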