New Upstream Snapshot - ring-defaults-clojure
Ready changes
Summary
Merged new upstream version: 0.3.4 (was: 0.3.1).
Resulting package
Built on 2022-11-18T13:08 (took 6m36s)
The resulting binary packages can be installed (if you have the apt repository enabled) by running one of:
apt install -t fresh-snapshots libring-defaults-clojure
Diff
diff --git a/.gitignore b/.gitignore
deleted file mode 100644
index e04714b..0000000
--- a/.gitignore
+++ /dev/null
@@ -1,9 +0,0 @@
-/target
-/classes
-/checkouts
-pom.xml
-pom.xml.asc
-*.jar
-*.class
-/.lein-*
-/.nrepl-port
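Review bot: with `.gitignore` removed from the source tree, the `/target`, `/classes`, `pom.xml`, `*.jar` and `*.class` patterns no longer apply, so artefacts produced by a local `lein` run would surface as unexpected changes in the Debian source package. If the upstream tarball simply does not ship the file this is expected; in that case consider carrying the relevant patterns in `debian/clean` (or `extend-diff-ignore` in `debian/source/options`) so a rebuild stays clean and reproducible.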
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
new file mode 100644
index 0000000..42836c3
--- /dev/null
+++ b/CONTRIBUTING.md
@@ -0,0 +1,30 @@
+# Contributing Guidelines
+
+**Do** follow [the seven rules of a great Git commit message][1].
+
+**Do** follow [the Clojure Style Guide][2].
+
+**Do** include tests for your change when appropriate.
+
+**Do** ensure that the CI checks pass.
+
+**Do** squash the commits in your PR to remove corrections
+irrelevant to the code history, once the PR has been reviewed.
+
+**Do** feel free to pester the project maintainers about the PR if it
+hasn't been responded to. Sometimes notifications can be missed.
+
+**Don't** overuse vertical whitespace; avoid multiple sequential blank
+lines.
+
+**Don't** include more than one feature or fix in a single PR.
+
+**Don't** include changes unrelated to the purpose of the PR. This
+includes changing the project version number, adding lines to the
+`.gitignore` file, or changing the indentation or formatting.
+
+**Don't** open a new PR if changes are requested. Just push to the
+same branch and the PR will be updated.
+
+[1]: https://chris.beams.io/posts/git-commit/#seven-rules
+[2]: https://github.com/bbatsov/clojure-style-guide
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..e238e9e
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,23 @@
+Copyright (c) 2009-2010 Mark McGranaghan
+Copyright (c) 2009-2018 James Reeves
+
+Permission is hereby granted, free of charge, to any person
+obtaining a copy of this software and associated documentation
+files (the "Software"), to deal in the Software without
+restriction, including without limitation the rights to use,
+copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the
+Software is furnished to do so, subject to the following
+conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
+OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
diff --git a/README.md b/README.md
index d21ce47..e90a54d 100644
--- a/README.md
+++ b/README.md
@@ -13,7 +13,7 @@ and HTTP APIs.
Add the following dependency to your `project.clj`:
- [ring/ring-defaults "0.3.1"]
+ [ring/ring-defaults "0.3.4"]
## Basic Usage
@@ -42,7 +42,7 @@ static resources, file uploads, and a bunch of browser-specific
security headers.
The "secure" defaults force SSL. Unencrypted HTTP URLs are redirected
-to the equivlant HTTPS URL, and various headers and flags are sent to
+to the equivalent HTTPS URL, and various headers and flags are sent to
prevent the browser sending sensitive information over insecure
channels.
@@ -138,8 +138,9 @@ The following configuration keys are supported:
server is on a non-standard port. See: [wrap-ssl-redirect][9].
- `:xss-protection` -
- Enable the X-XSS-Protection header that tells supporting browsers
- to use heuristics to detect XSS attacks. See: [wrap-xss-protection][10].
+ **Deprecated** Enable the X-XSS-Protection header. This is [no
+ longer considered best practice][13] and should be avoided.
+ See: [wrap-xss-protection][10].
- `:session` -
A map of options for configuring session handling via the Ring
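Review bot: the new `:xss-protection` text says the header "should be avoided" but does not tell the reader that 0.3.4 also stops sending it by default (the `src/ring/middleware/defaults.clj` hunk in this diff drops the key from `site-defaults`). Suggest stating that explicitly in the same bullet, e.g. "Not enabled in `site-defaults` since 0.3.4; applications that still need the header must set `{:enable? true, :mode :block}` themselves", so that someone reading only this section learns the default changed.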
@@ -175,10 +176,11 @@ The following configuration keys are supported:
[10]: https://ring-clojure.github.io/ring-headers/ring.middleware.x-headers.html#var-wrap-xss-protection
[11]: https://ring-clojure.github.io/ring/ring.middleware.session.html
[12]: https://ring-clojure.github.io/ring/ring.middleware.flash.html
+[13]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
## License
-Copyright © 2017 James Reeves
+Copyright © 2022 James Reeves
Distributed under the MIT License, the same as Ring.
diff --git a/debian/changelog b/debian/changelog
index 6bd66e2..2a63874 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,9 +1,12 @@
-ring-defaults-clojure (0.3.1-2) UNRELEASED; urgency=normal
+ring-defaults-clojure (0.3.4-1) UNRELEASED; urgency=normal
[ Louis-Philippe Véronneau ]
* d/control: Migrate to the Clojure Team.
- -- Louis-Philippe Véronneau <pollo@debian.org> Sat, 08 Jan 2022 17:54:25 -0500
+ [ Debian Janitor ]
+ * New upstream release.
+
+ -- Louis-Philippe Véronneau <pollo@debian.org> Fri, 18 Nov 2022 13:05:07 -0000
ring-defaults-clojure (0.3.1-1) unstable; urgency=medium
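Review bot: "New upstream release." undersells two behaviour changes that downstream users will hit on upgrade: `:absolute-redirects` flips from `true` to `false` in both `api-defaults` and `site-defaults`, and the `X-XSS-Protection` header is no longer emitted by default. Both are visible in the `defaults.clj` hunk of this diff and neither is mentioned here. Suggest listing them in this changelog entry (or in a `debian/NEWS` entry) so the change is discoverable from the package metadata rather than only from the upstream source.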
diff --git a/project.clj b/project.clj
index a2bb385..85971e6 100644
--- a/project.clj
+++ b/project.clj
@@ -1,18 +1,17 @@
-(defproject ring/ring-defaults "0.3.1"
+(defproject ring/ring-defaults "0.3.4"
:description "Ring middleware that provides sensible defaults"
:url "https://github.com/ring-clojure/ring-defaults"
:license {:name "The MIT License"
- :url "http://opensource.org/licenses/MIT"}
- :dependencies [[org.clojure/clojure "1.5.1"]
- [ring/ring-core "1.6.0"]
+ :url "http://opensource.org/licenses/MIT"}
+ :dependencies [[org.clojure/clojure "1.7.0"]
+ [ring/ring-core "1.9.6"]
[ring/ring-ssl "0.3.0"]
[ring/ring-headers "0.3.0"]
- [ring/ring-anti-forgery "1.1.0"]
+ [ring/ring-anti-forgery "1.3.0"]
[javax.servlet/javax.servlet-api "3.1.0"]]
- :aliases {"test-all" ["with-profile" "default:+1.6:+1.7:+1.8:+1.9" "test"]}
+ :aliases {"test-all" ["with-profile" "default:+1.8:+1.9:+1.10" "test"]}
:profiles
- {:dev {:dependencies [[ring/ring-mock "0.3.0"]]}
- :1.6 {:dependencies [[org.clojure/clojure "1.6.0"]]}
- :1.7 {:dependencies [[org.clojure/clojure "1.7.0"]]}
- :1.8 {:dependencies [[org.clojure/clojure "1.8.0"]]}
- :1.9 {:dependencies [[org.clojure/clojure "1.9.0-alpha17"]]}})
+ {:dev {:dependencies [[ring/ring-mock "0.4.0"]]}
+ :1.8 {:dependencies [[org.clojure/clojure "1.8.0"]]}
+ :1.9 {:dependencies [[org.clojure/clojure "1.9.0"]]}
+ :1.10 {:dependencies [[org.clojure/clojure "1.10.3"]]}})
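Review bot: this hunk raises the minimum `ring/ring-core` to 1.9.6, `ring/ring-anti-forgery` to 1.3.0 and Clojure to 1.7.0, yet the diff does not touch `debian/control`, so the Build-Depends and Depends on the corresponding Debian packages are unchanged. Please confirm that the versions packaged in Debian satisfy these bounds, or add versioned dependencies; a successful build only shows that something installable was present, not that the runtime dependency is versioned correctly. The whitespace-only reindent of the `:url` line is fine.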
diff --git a/src/ring/middleware/defaults.clj b/src/ring/middleware/defaults.clj
index ab2e282..276802a 100644
--- a/src/ring/middleware/defaults.clj
+++ b/src/ring/middleware/defaults.clj
@@ -23,7 +23,7 @@
{:params {:urlencoded true
:keywordize true}
:responses {:not-modified-responses true
- :absolute-redirects true
+ :absolute-redirects false
:content-types true
:default-charset "utf-8"}})
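Review bot: `:absolute-redirects` flipping from `true` to `false` in `api-defaults` changes what `wrap-defaults` does with redirect responses for every API built on these defaults, and no hunk in the test diff exercises it. Suggest a test that passes a redirect response through `wrap-defaults api-defaults` and asserts on the resulting `Location` header, so the new default is locked in rather than implied.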
@@ -44,12 +44,11 @@
:session {:flash true
:cookie-attrs {:http-only true, :same-site :strict}}
:security {:anti-forgery true
- :xss-protection {:enable? true, :mode :block}
:frame-options :sameorigin
:content-type-options :nosniff}
:static {:resources "public"}
:responses {:not-modified-responses true
- :absolute-redirects true
+ :absolute-redirects false
:content-types true
:default-charset "utf-8"}})
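Review bot: `:xss-protection` is removed from `site-defaults` rather than set to `{:enable? false}`, so the `[:security :xss-protection]` path no longer exists in the map. A caller who previously adjusted only `:mode` via `assoc-in` now ends up with a map that has no `:enable?` key, and whether the header is emitted then depends on how the middleware treats a missing `:enable?`. The new test in `defaults_test.clj` shows the intended opt-in (`assoc-in [:security :xss-protection :enable?] true`); consider documenting that exact form in the README. The `:absolute-redirects` change in this hunk is likewise untested.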
diff --git a/test/ring/middleware/defaults_test.clj b/test/ring/middleware/defaults_test.clj
index adfb9e2..5ed2c21 100644
--- a/test/ring/middleware/defaults_test.clj
+++ b/test/ring/middleware/defaults_test.clj
@@ -22,12 +22,10 @@
(is (= (set (keys (:headers resp)))
#{"X-Frame-Options"
"X-Content-Type-Options"
- "X-XSS-Protection"
"Content-Type"
"Set-Cookie"}))
(is (= (get-in resp [:headers "X-Frame-Options"]) "SAMEORIGIN"))
(is (= (get-in resp [:headers "X-Content-Type-Options"]) "nosniff"))
- (is (= (get-in resp [:headers "X-XSS-Protection"]) "1; mode=block"))
(is (= (get-in resp [:headers "Content-Type"]) "application/octet-stream"))
(let [set-cookie (first (get-in resp [:headers "Set-Cookie"]))]
(is (.startsWith set-cookie "ring-session="))
@@ -99,13 +97,11 @@
(is (= (set (keys (:headers resp)))
#{"X-Frame-Options"
"X-Content-Type-Options"
- "X-XSS-Protection"
"Strict-Transport-Security"
"Content-Type"
"Set-Cookie"}))
(is (= (get-in resp [:headers "X-Frame-Options"]) "SAMEORIGIN"))
(is (= (get-in resp [:headers "X-Content-Type-Options"]) "nosniff"))
- (is (= (get-in resp [:headers "X-XSS-Protection"]) "1; mode=block"))
(is (= (get-in resp [:headers "Strict-Transport-Security"])
"max-age=31536000; includeSubDomains"))
(is (= (get-in resp [:headers "Content-Type"]) "application/octet-stream"))
@@ -171,3 +167,13 @@
(is (= @resp {:status 200
:headers {"Content-Type" "application/octet-stream"}
:body "foo"})))))
+
+(testing "XSS protection enabled"
+ (let [handler (-> (constantly (response "foo"))
+ (wrap-defaults
+ (-> site-defaults
+ (assoc-in [:security :xss-protection :enable?] true)
+ (assoc-in [:security :xss-protection :mode] :block))))
+ resp (handler (request :get "/"))]
+ (is (not (nil? (get-in resp [:headers "X-XSS-Protection"]))))
+ (is (= (get-in resp [:headers "X-XSS-Protection"]) "1; mode=block"))))
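Review bot: the added `(testing "XSS protection enabled" ...)` starts at column 0 immediately after the `)))))` that closes the preceding form, so it reads as a top-level form rather than the body of a `deftest`. A bare `testing`/`is` at top level executes when the namespace is loaded, outside `run-tests`, so its assertions are not counted in the test summary and a failure would not fail `lein test`. Suggest wrapping it in its own `deftest` (e.g. `(deftest test-xss-protection-opt-in ...)`) or moving it inside the existing `deftest` above. The `(is (not (nil? ...)))` is also redundant with the equality assertion that follows it.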
Debdiff
[The following lists of changes regard files as different if they have different names, permissions or owners.]
Files in second set of .debs but not in first
-rw-r--r-- root/root /usr/share/doc/libring-defaults-clojure/CONTRIBUTING.md
-rw-r--r-- root/root /usr/share/java/ring-defaults-0.3.4.jar
lrwxrwxrwx root/root /usr/share/java/ring-defaults.jar -> ring-defaults-0.3.4.jar
Files in first set of .debs but not in second
-rw-r--r-- root/root /usr/share/java/ring-defaults-0.3.1.jar
lrwxrwxrwx root/root /usr/share/java/ring-defaults.jar -> ring-defaults-0.3.1.jar
No differences were encountered in the control files