A skeleton web application configured to use Sinatra and ActiveRecord

App: Fix Rack::Csrf skip matching

We're doing all matching from ApplicationController which needs to
look at the full URL, not the controller-relative path.

+17
lib/app.rb
··· 35 35 # setup our custom logging to STDOUT 36 36 require "#{APP_ROOT}/lib/logging.rb" 37 37 38 + # patch up Rack::Csrf to look at request.path for matching skipping rather than 39 + # request.path_info which is relative to the controller's path. since we don't 40 + # route to the per-request controller if Rack::Csrf aborts, we can't do 41 + # controller-relative matching anyway. 42 + module Rack 43 + class Csrf 44 + def any?(list, request) 45 + pi = request.path.empty? ? '/' : request.path 46 + list.any? do |route| 47 + if route =~ (request.request_method + ':' + pi) 48 + return true 49 + end 50 + end 51 + end 52 + end 53 + end 54 + 38 55 class App < Sinatra::Base 39 56 register Sinatra::Namespace 40 57 register Sinatra::ActiveRecordExtension
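Review bot: the reopened `Rack::Csrf#any?` (new lines 42-53) replaces the gem's method globally and takes a generic `list`, so every caller of `any?` now matches against `request.path`, not only the skip list the comment talks about. Nothing here ties the override to a gem version either, so an upstream change to `any?` would silently alter which requests bypass the CSRF check. Please note the Rack::Csrf version this was written against in the comment, and add a request test asserting that a non-skipped POST under a mounted controller is still rejected while a skipped route passes. Because the skip patterns are now compared with the full path, the existing entries should also be checked to confirm they are written as full paths and not controller-relative ones. Minor style point: the `if ... return true ... end` inside the block is redundant with `list.any?`; the block can simply be `list.any? { |route| route =~ (request.request_method + ':' + pi) }`.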