lib/roda/plugins/disallow_file_uploads.rb
# frozen-string-literal: true raise LoadError, "disallow_file_uploads plugin not supported on Rack <1.6" if Rack.release < '1.6' # class Roda module RodaPlugins # The disallow_file_uploads plugin raises a Roda::RodaPlugins::DisallowFileUploads::Error # if there is an attempt to upload a file. This plugin is useful for applications where # multipart file uploads are not expected and you want to remove the ability for rack # to create temporary files. Example: # # plugin :disallow_file_uploads # # This plugin is only supported on Rack 1.6+. This plugin does not technically # block users from uploading files, it only blocks the parsing of request bodies containing # multipart file uploads. So if you do not call +r.POST+ (or something that calls it such as # +r.params+), then Roda will not attempt to parse the request body, and an exception will not # be raised. module DisallowFileUploads # Exception class used when a multipart file upload is attempted. class Error < RodaError; end NO_TEMPFILE = lambda{|_,_| raise Error, "Support for uploading files has been disabled"} module RequestMethods # HTML escape the input and return the escaped version. def initialize(_, env) env['rack.multipart.tempfile_factory'] = NO_TEMPFILE super end end end register_plugin(:disallow_file_uploads, DisallowFileUploads) end end