@rkh /clean_headers.rb Secret
Created Jan 6, 2014

require 'rack/protection'

module Rack
  module Protection
    ##
    # Prevented attack:: Cookie Injection
    # Supported browsers:: all (Chrome was affected)
    #
    # Removes response headers whose value contains illegal characters
    # (any C0 control character except LF, which Rack 1.x uses to separate
    # multiple values of one header).
    class CleanHeaders < Base
      def call(env)
        status, headers, body = app.call(env)
        new_headers = {}
        headers.each do |key, value|
          # \000-\011 and \013-\037: control characters including CR (\015),
          # the byte that lets an attacker start a new header line.
          if value =~ /[\000-\011\013-\037]/
            warn env, "dropping header: value for #{key} contains illegal characters"
          else
            new_headers[key] = value
          end
        end
        [status, new_headers, body]
      end
    end
  end
end