From 71146d90fc57fac34bd8ec962c3d5813ccf7d037 Mon Sep 17 00:00:00 2001
From: Hagen Schink
Date: Mon, 28 Oct 2013 16:14:03 +0100
Subject: [PATCH 1/3] Adds and configures rack protection gem
---
Gemfile | 2 ++
config.ru | 1 +
2 files changed, 3 insertions(+)
diff --git a/Gemfile b/Gemfile
index 189f7475dc..96a16ef084 100644
--- a/Gemfile
+++ b/Gemfile
@@ -72,6 +72,8 @@ gem 'oj'
 # will need to be removed once we are on rails4 as it will be part of the rails4 core
 gem 'strong_parameters'
+gem 'rack-protection'
+
 group :production do
 # we use dalli as standard memcache client remove this if you don't
 # requires memcached 1.4+
diff --git a/config.ru b/config.ru
index 16f13fbd58..ca10196556 100644
--- a/config.ru
+++ b/config.ru
@@ -29,4 +29,5 @@
 # This file is used by Rack-based servers to start the application.
 require ::File.expand_path('../config/environment', __FILE__)
+use Rack::Protection::JsonCsrf
 run OpenProject::Application
From b2cc2022398480f511f8c02213ea59adb43bb3ef Mon Sep 17 00:00:00 2001
From: Hagen Schink
Date: Tue, 29 Oct 2013 12:22:52 +0100
Subject: [PATCH 2/3] Adds 'rack-protection' to Gemfile.lock
---
Gemfile.lock | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/Gemfile.lock b/Gemfile.lock
index 9e2b068407..058cf9b117 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -23,6 +23,7 @@ GIT
 prototype_legacy_helper (0.0.0)
 GEM
+ remote: https://rubygems.org/
 remote: https://rubygems.org/
 specs:
 actionmailer (3.2.15)
@@ -224,6 +225,8 @@ GEM
 rack (1.4.5)
 rack-cache (1.2)
 rack (>= 0.4)
+ rack-protection (1.5.1)
+ rack
 rack-ssl (1.3.3)
 rack
 rack-test (0.6.2)
@@ -399,6 +402,7 @@ DEPENDENCIES
 pry-rescue
 pry-stack_explorer
 rabl
+ rack-protection
 rack_session_access
 rails (~> 3.2.15)
 rails-dev-tweaks (~> 0.6.1)
From 2324e81e0da798861fd665a020894d4b0cd4fab2 Mon Sep 17 00:00:00 2001
From: Hagen Schink
Date: Tue, 29 Oct 2013 12:24:59 +0100
Subject: [PATCH 3/3] Adds changelog entry
---
doc/CHANGELOG.md | 1 +
1 file changed, 1 insertion(+)
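Review bot: `gem 'rack-protection'` in the Gemfile hunk is added with no version constraint, while the other dependencies visible in this series carry pessimistic constraints (e.g. `rails (~> 3.2.15)` in the DEPENDENCIES section of Gemfile.lock), so a later `bundle update` can silently move to a major version of the middleware with different semantics. Since the lock resolves 1.5.1, `gem 'rack-protection', '~> 1.5'` keeps the same resolution while bounding future upgrades. Relatedly, the first Gemfile.lock hunk adds a second identical `remote: https://rubygems.org/` line under GEM; that looks like an artefact of the Bundler version used rather than an intended change and is worth dropping before merge.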
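Review bot: `use Rack::Protection::JsonCsrf` in the config.ru hunk carries no comment saying what it guards against or which issue it resolves, so a reader has to find the changelog entry (`#1749`) to learn the intent; a line such as `# Rejects JSON responses to cross-origin requests (JSON hijacking); see #1749` directly above it would make that visible at the point of use. Because the middleware is wired in the rackup file rather than through `config.middleware` in the Rails application config, any code path that boots `Rails.application` without going through config.ru (rack-test based specs, for instance) presumably runs without it, so the protection is unlikely to be exercised by the test suite — worth confirming. As far as I know this middleware is a heuristic keyed on request headers and the JSON content type of the response, so it complements rather than replaces the application's CSRF token check, and the comment should say so to avoid a false sense of coverage.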
diff --git a/doc/CHANGELOG.md b/doc/CHANGELOG.md
index 47dc690ebc..6c0835d6a5 100644
--- a/doc/CHANGELOG.md
+++ b/doc/CHANGELOG.md
@@ -29,6 +29,7 @@ See doc/COPYRIGHT.rdoc for more details.
 # Changelog
+* `#1749` Prevent JSON Hijacking
 * `#2580` Fixed some unlikely remote code executions
 ## 3.0.0pre23