test/spec_request.rb in rack-1.6.10 vs test/spec_request.rb in rack-1.6.11
- old
+ new
@@ -423,9 +423,14 @@
request = Rack::Request.new(Rack::MockRequest.env_for("/", 'HTTP_X_FORWARDED_PROTO' => 'https, http, http'))
request.scheme.should.equal "https"
request.should.be.ssl?
end
+ should "prevent scheme abuse" do
+ request = Rack::Request.new(Rack::MockRequest.env_for("/", 'HTTP_X_FORWARDED_SCHEME' => 'a."><script>alert(1)</script>'))
+ request.scheme.should.not.equal 'a."><script>alert(1)</script>'
+ end
+
should "parse cookies" do
req = Rack::Request.new \
Rack::MockRequest.env_for("", "HTTP_COOKIE" => "foo=bar;quux=h&m")
req.cookies.should.equal "foo" => "bar", "quux" => "h&m"
req.cookies.should.equal "foo" => "bar", "quux" => "h&m"
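Review bot: The new "prevent scheme abuse" test only asserts what `scheme` must not return, so it would still pass if the fix handed back any other unvalidated value (an empty string, a truncated header, a different injected scheme). Pin the expected fallback instead: since `Rack::MockRequest.env_for` sets `rack.url_scheme` to "http", add `request.scheme.should.equal "http"` alongside the negative check, and drop the negative line if the positive one is what the fix guarantees. The same hostile value should also be exercised through `HTTP_X_FORWARDED_PROTO`, which the preceding test shows is consumed by `scheme` as well, e.g. `Rack::MockRequest.env_for("/", 'HTTP_X_FORWARDED_PROTO' => 'a."><script>alert(1)</script>')` with the same expected "http" result. The surrounding `should "parse cookies"` block continues past the end of the hunk.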