Merge branch 'sanitize-utf8' into develop

mysociety · Jun 11, 2015 · ed049c3 · ed049c3
2 parents 3efe2f3 + 090531b
commit ed049c3
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 0 deletions.
diff --git a/Gemfile b/Gemfile
@@ -23,6 +23,9 @@ gem 'net-http-local', '~> 0.1.2', :platforms => [:ruby_18, :ruby_19]
 gem 'net-purge', '~> 0.1.0'
 gem 'open4', '~> 1.3.4'
 gem 'rack', '~> 1.4.5'
+if RUBY_VERSION.to_f >= 1.9
+  gem 'rack-utf8_sanitizer', '~> 1.3.0'
+end
 gem 'rake', '0.9.2.2'
 gem 'rails-i18n', '~> 0.7.3'
 gem 'recaptcha', '~> 0.3.1', :require => 'recaptcha/rails'

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -194,6 +194,8 @@ GEM
       rack
     rack-test (0.6.2)
       rack (>= 1.0)
+    rack-utf8_sanitizer (1.3.0)
+      rack (~> 1.0)
     rails (3.2.21)
       actionmailer (= 3.2.21)
       actionpack (= 3.2.21)
@@ -342,6 +344,7 @@ DEPENDENCIES
   pry (~> 0.9.6)
   quiet_assets (~> 1.0.2)
   rack (~> 1.4.5)
+  rack-utf8_sanitizer (~> 1.3.0)
   rails (= 3.2.21)
   rails-i18n (~> 0.7.3)
   rake (= 0.9.2.2)

diff --git a/config/application.rb b/config/application.rb
@@ -84,6 +84,11 @@ class Application < Rails::Application
     require "#{Rails.root}/lib/whatdotheyknow/strip_empty_sessions"
     config.middleware.insert_before ::ActionDispatch::Cookies, WhatDoTheyKnow::StripEmptySessions, :key => '_wdtk_cookie_session', :path => "/", :httponly => true
 
+    # Strip non-UTF-8 request parameters
+    if RUBY_VERSION.to_f >= 1.9
+        config.middleware.insert 0, Rack::UTF8Sanitizer
+    end
+
     # Allow the generation of full URLs in emails
     config.action_mailer.default_url_options = { :host => AlaveteliConfiguration::domain }
     if AlaveteliConfiguration::force_ssl

diff --git a/spec/integration/parameter_stripping_spec.rb b/spec/integration/parameter_stripping_spec.rb
@@ -0,0 +1,24 @@
+# -*- encoding : utf-8 -*-
+require File.expand_path(File.dirname(__FILE__) + '/../spec_helper')
+
+describe "When handling bad requests" do
+
+    if RUBY_VERSION.to_f >= 1.9
+
+        it 'should return a 404 for GET requests to a malformed request URL' do
+            get 'request/228%85'
+            response.status.should == 404
+        end
+
+        it 'should redirect a bad UTF-8 POST to a malformed attachment URL' do
+            info_request = FactoryGirl.create(:info_request_with_incoming_attachments)
+            incoming_message = info_request.incoming_messages.first
+            data = { :excerpt => "something\xA3\xA1" }
+            post "/en/request/#{info_request.id}/response/#{incoming_message.id}/attach/2/interesting.pdf/trackback", data
+            response.status.should == 303
+            response.should redirect_to "/en/request/#{info_request.url_title}#incoming-#{incoming_message.id}"
+        end
+
+    end
+
+end