Sha256: 9d1d043206fa7814c55e50f596085b48673e7c7b74a24f419f9cfac8cdf925bb

Contents?: true

Size: 840 Bytes

Versions: 6

Compression:

Stored size: 840 Bytes

Contents

---
gem: rack-attack
osvdb: 132234
url: https://github.com/kickstarter/rack-attack/releases/tag/v4.3.1
title: |
  rack-attack Gem for Ruby missing normalization before request path
  processing
date: 2015-12-18
description: |
  When using rack-attack with a rails app, developers expect the request
  path to be normalized. In particular, trailing slashes are stripped so
  a request path "/login/" becomes "/login" by the time you're in
  ActionController.

  Since Rack::Attack runs before ActionDispatch, the request path is not
  yet normalized. This can cause throttles and blacklists to not work as
  expected.

  E.g., a throttle:

  `throttle('logins', ...) {|req| req.path == "/login" }`

  would not match a request to '/login/', though Rails would route
  '/login/' to the same '/login' action. 
patched_versions:
  - ">= 4.3.1"

Version data entries

6 entries across 6 versions & 2 rubygems

Version Path
bundler-audit-0.7.0.1 data/ruby-advisory-db/gems/rack-attack/OSVDB-132234.yml
bundler-budit-0.6.2 data/ruby-advisory-db/gems/rack-attack/OSVDB-132234.yml
bundler-budit-0.6.1 data/ruby-advisory-db/gems/rack-attack/OSVDB-132234.yml
bundler-audit-0.6.1 data/ruby-advisory-db/gems/rack-attack/OSVDB-132234.yml
bundler-audit-0.6.0 data/ruby-advisory-db/gems/rack-attack/OSVDB-132234.yml
bundler-audit-0.5.0 data/ruby-advisory-db/gems/rack-attack/OSVDB-132234.yml