From 3447bd2f80111ce7373446182055c819a01c03b6 Mon Sep 17 00:00:00 2001
From: Cecylia Bocovich
Date: Sat, 13 Feb 2021 18:10:52 -0500
Subject: Monkey patch Rack::Session to send secure cookies to onions (#15725)
---
 lib/action_dispatch/cookie_jar_extensions.rb | 10 ++++++++++
 1 file changed, 10 insertions(+)
(limited to 'lib')
diff --git a/lib/action_dispatch/cookie_jar_extensions.rb b/lib/action_dispatch/cookie_jar_extensions.rb
index 44c39c1f8..f7ffb6cc7 100644
--- a/lib/action_dispatch/cookie_jar_extensions.rb
+++ b/lib/action_dispatch/cookie_jar_extensions.rb
@@ -13,3 +13,13 @@ module ActionDispatch
 end
 
 ActionDispatch::Cookies::CookieJar.prepend(ActionDispatch::CookieJarExtensions)
+
+module Rack
+ module SessionPersistedExtensions
+ def security_matches?(request, options)
+ request.headers['Host'].ends_with?('.onion') || super
+ end
+ end
+end
+
+Rack::Session::Abstract::Persisted.prepend(Rack::SessionPersistedExtensions)
-- cgit
From 3f8523130da1029ba64d00c03360a2c15f85d9d6 Mon Sep 17 00:00:00 2001
From: Justin Tracey
Date: Tue, 16 Feb 2021 14:28:17 +0000
Subject: use host instead of headers to make Rack happy (#15741)
"headers" is provided by Rails, Rack can't rely on it
---
 lib/action_dispatch/cookie_jar_extensions.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'lib')
diff --git a/lib/action_dispatch/cookie_jar_extensions.rb b/lib/action_dispatch/cookie_jar_extensions.rb
index f7ffb6cc7..492c04065 100644
--- a/lib/action_dispatch/cookie_jar_extensions.rb
+++ b/lib/action_dispatch/cookie_jar_extensions.rb
@@ -7,7 +7,7 @@ module ActionDispatch
 # Monkey-patch ActionDispatch to serve secure cookies to Tor Hidden Service
 # users. Otherwise, ActionDispatch would drop the cookie over HTTP.
 def write_cookie?(*)
- request.headers['Host'].ends_with?('.onion') || super
+ request.host.ends_with?('.onion') || super
 end
 end
 end
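Review bot: The `security_matches?` override added here decides on the client-supplied host name alone: any request whose host ends in `.onion` is treated as safe to commit a `secure` session cookie on, whether or not this instance actually serves a hidden service. A request sent to the plain-HTTP listener with a forged `Host: anything.onion` (or `X-Forwarded-Host`, which both Rails' and Rack's `host` honour as I recall, unless the reverse proxy overwrites it) would therefore get a session cookie emitted in cleartext. I would match against the instance's configured onion hostname rather than the bare suffix, or make sure Rails host authorization (`config.hosts`) is populated so unknown hosts are rejected before this code runs; I cannot tell from this page whether either is in place. The same reasoning applies to `write_cookie?` earlier in the file, which this hunk does not show.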
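Review bot: With this change the `.onion` suffix test is now spelled three different ways across the page — `request.host.ends_with?('.onion')` here in `write_cookie?`, the same expression in `security_matches?` in the next hunk, and `request.headers["Host"].ends_with?(".onion")` in `https_enabled?` in app/controllers/application_controller.rb — so any later refinement of what counts as a hidden-service request has to be repeated in three places. I would put the policy behind one predicate, e.g. `def onion_host?(host) = host.end_with?('.onion')` on a small shared module (or a plain `def` if the Ruby version here predates endless methods, which I cannot tell), and have all three call sites use it. The enclosing `CookieJarExtensions` module starts outside this hunk.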
@@ -17,7 +17,7 @@ ActionDispatch::Cookies::CookieJar.prepend(ActionDispatch::CookieJarExtensions)
 module Rack
 module SessionPersistedExtensions
 def security_matches?(request, options)
- request.headers['Host'].ends_with?('.onion') || super
+ request.host.ends_with?('.onion') || super
 end
 end
 end
-- cgit
From c9e8e1739c698291e1b034d19a1b01d75c9e039b Mon Sep 17 00:00:00 2001
From: Justin Tracey
Date: Fri, 19 Feb 2021 08:56:14 +0000
Subject: replace all instances of "ends_with?" with "end_with?" (#15745)
The "ends_with?" method is just a Rails alias of Ruby's "end_with?" method. Using the latter makes the code less brittle.
---
 app/controllers/accounts_controller.rb | 6 +++---
 app/controllers/application_controller.rb | 2 +-
 app/controllers/media_proxy_controller.rb | 2 +-
 app/lib/webfinger.rb | 4 ++--
 lib/action_dispatch/cookie_jar_extensions.rb | 4 ++--
 5 files changed, 9 insertions(+), 9 deletions(-)
(limited to 'lib')
diff --git a/app/controllers/accounts_controller.rb b/app/controllers/accounts_controller.rb
index b902ada09..7753ebccc 100644
--- a/app/controllers/accounts_controller.rb
+++ b/app/controllers/accounts_controller.rb
@@ -135,15 +135,15 @@ class AccountsController < ApplicationController
 end
 
 def media_requested?
- request.path.split('.').first.ends_with?('/media') && !tag_requested?
+ request.path.split('.').first.end_with?('/media') && !tag_requested?
 end
 
 def replies_requested?
- request.path.split('.').first.ends_with?('/with_replies') && !tag_requested?
+ request.path.split('.').first.end_with?('/with_replies') && !tag_requested?
 end
 
 def tag_requested?
- request.path.split('.').first.ends_with?(Addressable::URI.parse("/tagged/#{params[:tag]}").normalize)
+ request.path.split('.').first.end_with?(Addressable::URI.parse("/tagged/#{params[:tag]}").normalize)
 end
 
 def cached_filtered_status_page
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index c9311c1b6..5b7eec94f 100644
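Review bot: The Rack `security_matches?` override still carries no comment explaining why it exists, whereas the sibling `write_cookie?` patch at the top of the same file has a two-line one; a reader meeting `request.host.ends_with?('.onion') || super` cold cannot tell what Rack would otherwise do. As I read Rack's `Session::Abstract::Persisted`, `security_matches?` is what decides whether a `secure`-flagged session cookie is committed at all on a non-SSL request, so this override is the piece that lets a hidden-service visitor obtain a session. I would add above the `def`: `# Rack refuses to commit a secure session cookie over plain HTTP; Tor Hidden Services are reached over HTTP but are encrypted end to end, so let .onion hosts through.` The commit message's note that `headers` is Rails-only is worth keeping in that comment too, since the next person may be tempted to "fix" it back.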
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -43,7 +43,7 @@ class ApplicationController < ActionController::Base
 private
 
 def https_enabled?
- Rails.env.production? && !request.path.start_with?('/health') && !request.headers["Host"].ends_with?(".onion")
+ Rails.env.production? && !request.path.start_with?('/health') && !request.headers["Host"].end_with?(".onion")
 end
 
 def authorized_fetch_mode?
diff --git a/app/controllers/media_proxy_controller.rb b/app/controllers/media_proxy_controller.rb
index 0b1d09de9..1b610318d 100644
--- a/app/controllers/media_proxy_controller.rb
+++ b/app/controllers/media_proxy_controller.rb
@@ -37,7 +37,7 @@ class MediaProxyController < ApplicationController
 end
 
 def version
- if request.path.ends_with?('/small')
+ if request.path.end_with?('/small')
 :small
 else
 :original
diff --git a/app/lib/webfinger.rb b/app/lib/webfinger.rb
index 40795a7aa..e0e022cea 100644
--- a/app/lib/webfinger.rb
+++ b/app/lib/webfinger.rb
@@ -88,7 +88,7 @@ class Webfinger
 end
 
 def standard_url
- if @domain.ends_with? ".onion"
+ if @domain.end_with? ".onion"
 "http://#{@domain}/.well-known/webfinger?resource=#{@uri}"
 else
 "https://#{@domain}/.well-known/webfinger?resource=#{@uri}"
@@ -96,7 +96,7 @@ class Webfinger
 end
 
 def host_meta_url
- if @domain.ends_with? ".onion"
+ if @domain.end_with? ".onion"
 "http://#{@domain}/.well-known/host-meta"
 else
 "https://#{@domain}/.well-known/host-meta"
diff --git a/lib/action_dispatch/cookie_jar_extensions.rb b/lib/action_dispatch/cookie_jar_extensions.rb
index 492c04065..1be9053ba 100644
--- a/lib/action_dispatch/cookie_jar_extensions.rb
+++ b/lib/action_dispatch/cookie_jar_extensions.rb
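Review bot: `https_enabled?` still reads `request.headers["Host"]` directly, while the earlier commit on this page moved the equivalent `.onion` checks in lib/action_dispatch/cookie_jar_extensions.rb to `request.host` because the raw header is not something to rely on; as I recall `request.headers["Host"]` can be nil for a request that carries no Host header, and `nil.end_with?` then raises inside the method that decides whether `force_ssl` applies, turning such a request into a 500 rather than a redirect. I would change the touched line to `Rails.env.production? && !request.path.start_with?('/health') && !request.host.end_with?('.onion')` so the three call sites agree and the nil case disappears (`request.host` falls back to the server name when no Host header is present, as I recall). Note also that this predicate disables the HTTPS redirect purely on a client-supplied suffix, so it has the same Host-spoofing exposure as the cookie patches; that is pre-existing, but worth a comment here. The `ApplicationController` class continues outside this hunk.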
@@ -7,7 +7,7 @@ module ActionDispatch
 # Monkey-patch ActionDispatch to serve secure cookies to Tor Hidden Service
 # users. Otherwise, ActionDispatch would drop the cookie over HTTP.
 def write_cookie?(*)
- request.host.ends_with?('.onion') || super
+ request.host.end_with?('.onion') || super
 end
 end
 end
@@ -17,7 +17,7 @@ ActionDispatch::Cookies::CookieJar.prepend(ActionDispatch::CookieJarExtensions)
 module Rack
 module SessionPersistedExtensions
 def security_matches?(request, options)
- request.host.ends_with?('.onion') || super
+ request.host.end_with?('.onion') || super
 end
 end
 end
-- cgit