Changeset 8184
Timestamp: 11/21/07 21:31:45
Files:
- trunk/actionpack/CHANGELOG (modified) (1 diff)
- trunk/actionpack/lib/action_controller/session/cookie_store.rb (modified) (2 diffs)
- trunk/actionpack/test/controller/session_fixation_test.rb (modified) (2 diffs)
- trunk/actionpack/test/controller/session/cookie_store_test.rb (modified) (2 diffs)
trunk/actionpack/CHANGELOG
r8166 r8184 1 1 *SVN* 2 3 * Make sure that cookie sessions use a secret that is at least 30 chars in length. [Koz] 2 4 3 5 * Fixed that partial rendering should look at the type of the first render to determine its own type if no other clues are available (like when using text.plain.erb as the extension in AM) #10130 [java] trunk/actionpack/lib/action_controller/session/cookie_store.rb
r8181 r8184 54 54 55 55 # The secret option is required. 56 if options['secret'].blank? 57 raise ArgumentError, 'A secret is required to generate an integrity hash for cookie session data. Use config.action_controller.session = { :session_key => "_myapp_session", :secret => "some secret phrase" } in config/environment.rb' 58 end 56 ensure_secret_secure(options['secret']) 59 57 60 58 # Keep the session and its secret on hand so we can read and write cookies. … … 77 75 options['no_hidden'] = true 78 76 options['no_cookies'] = true 77 end 78 79 # To prevent users from using something insecure like "Password" we make sure that the 80 # secret they've provided is at least 30 characters in length. 81 def ensure_secret_secure(secret) 82 # There's no way we can do this check if they've provided a proc for the 83 # secret. 84 return true if secret.is_a?(Proc) 85 86 if secret.blank? 87 raise ArgumentError, 'A secret is required to generate an integrity hash for cookie session data. Use config.action_controller.session = { :session_key => "_myapp_session", :secret => "some secret phrase" } in config/environment.rb' 88 end 89 90 if secret.length < 30 91 raise ArgumentError, "Secret should be something secure, like #{CGI::Session.generate_unique_id}. The value you provided: [#{secret}]" 92 end 79 93 end 80 94 trunk/actionpack/test/controller/session_fixation_test.rb
r8176 r8184 1 1 require File.dirname(__FILE__) + '/../abstract_unit' 2 2 3 3 4 class SessionFixationTest < Test::Unit::TestCase … … 13 14 14 15 class TestController < ActionController::Base 15 session :session_key => '_myapp_session_id', :secret => 'secret', :except => :default_session_key16 session :session_key => '_myapp_session_id', :secret => CGI::Session.generate_unique_id, :except => :default_session_key 16 17 session :cookie_only => false, :only => :allow_session_fixation 17 18 trunk/actionpack/test/controller/session/cookie_store_test.rb
r6764 r8184 4 4 5 5 require 'stringio' 6 7 8 class CGI::Session::CookieStore 9 def ensure_secret_secure_with_test_hax(secret) 10 if secret == CookieStoreTest.default_session_options['secret'] 11 return true 12 else 13 ensure_secret_secure_without_test_hax(secret) 14 end 15 end 16 alias_method_chain :ensure_secret_secure, :test_hax 17 end 18 6 19 7 20 # Expose for tests. … … 50 63 end 51 64 65 def test_raises_argument_error_if_secret_is_probably_insecure 66 ["password", "secret", "12345678901234567890123456789"].each do |blank| 67 assert_raise(ArgumentError, blank.inspect) { new_session 'secret' => blank } 68 end 69 end 70 52 71 def test_reconfigures_session_to_omit_id_cookie_and_hidden_field 53 72 new_session do |session|
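Review bot: the CHANGELOG entry in the first hunk ("Make sure that cookie sessions use a secret that is at least 30 chars in length") does not tell upgraders that this is a boot-time ArgumentError for any existing app whose configured secret is shorter than 30 characters, nor that a secret supplied as a Proc is not checked at all (ensure_secret_secure returns true for a Proc). One sentence along the lines of "Raises ArgumentError at startup for string secrets shorter than 30 characters; Proc-valued secrets are not validated" would make the behaviour change visible where people look for it.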
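Review bot: in the cookie_store.rb hunk, `return true if secret.is_a?(Proc)` means a Proc that returns a blank or short string is never validated, so the new check is silently bypassed for exactly the configuration style it cannot inspect up front; either state that exemption in the method comment or apply the same blank and length checks to the Proc's result at the point where it is called. Two smaller points in the same hunk: the ArgumentError at line 91 interpolates the rejected secret into its message ("The value you provided: [#{secret}]"), which copies a possibly production secret into logs, exception notifiers and error pages, so drop the value from the message and keep only the generated suggestion; and `secret.length < 30` is a character count, so a 30-character secret made of repeated or dictionary characters passes, meaning the check stops the "Password" case the comment mentions but is not an entropy check, and the comment at lines 79-80 should say so rather than promising that the secret is "secure".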
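Review bot: the alias_method_chain patch at the top of cookie_store_test.rb exempts CookieStoreTest.default_session_options['secret'] from ensure_secret_secure for every test loaded in the same process, which both hides the production code path from most of the suite and leaves a `_with_test_hax` override to maintain; it would be simpler to make that default secret 30 or more characters (session_fixation_test.rb already does this with CGI::Session.generate_unique_id) and delete the override. In test_raises_argument_error_if_secret_is_probably_insecure, the block variable is named `blank` but holds non-blank secrets such as "password"; rename it to `secret`. The list ends at the 29-character "12345678901234567890123456789", so add the 30-character boundary case asserting that new_session does not raise, and a Proc case, since the Proc path in ensure_secret_secure returns early without any validation and nothing in this hunk covers it.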