When the referer header has invalid characters such as a |</

I wrote a fix for it. Should I add it to rack-protection? <div class="snippet-clip

Fix should already be in v1.5.3 according to <a class

Invalid referer raises error about rack-protection HOT 5 CLOSED

sinatra commented on June 9, 2024

Invalid referer raises error

from rack-protection.

Comments (5)

georgeu2000 commented on June 9, 2024

I wrote a fix for it. Should I add it to rack-protection?

module Rack
  class RefererFix
    def initialize app
      @app = app
    end

    def call env
      fix env

      @app.call( env ) # Response not modified.
    end

    def fix env
      env[ 'HTTP_REFERER' ].gsub!( '|', '' ) if env[ 'HTTP_REFERER' ]
    end
  end
end


describe Rack::RefererFix do
  let( :inner_app ) do
    lambda{ |env| [200, env, [ 'All good!' ]]}
  end
  let( :app         ){ Rack::RefererFix.new(inner_app) }

  let( :invalid_uri ){ 'http://www.example.com/invalid|uri'     }
  let( :valid_uri   ){ 'http://www.example.com/invaliduri'      }
  let( :headers     ){{ 'HTTP_REFERER' => invalid_uri          }}

 before do
    get '/', {}, headers
  end

  it 'fixes invalid referer' do
    last_response.headers[ 'HTTP_REFERER' ].should == valid_uri
  end

  context 'when valid referer' do
    let( :headers ){{ 'HTTP_REFERER' => valid_uri }}

    it 'does not change' do
      last_response.headers[ 'HTTP_REFERER' ].should == valid_uri
    end
  end

  context 'when nil referer' do
    let( :headers ){{ 'HTTP_REFERER' => nil }}

    it 'does not raise error' do
      last_response.status.should == 200
    end
  end

  context 'when empty referer' do
    let( :headers ){{ 'HTTP_REFERER' => '' }}

    it 'does not raise error' do
      last_response.status.should == 200
    end
  end
end

from rack-protection.