Merge [8176] to stable to fix session fixation attacks.  Closes #10048 
[theflow, Koz]


git-svn-id: 
http://svn-commit.rubyonrails.org/rails/branches/1-2-stable@8177 
5ecf4fe2-1ee6-0310-87b1-e25e094e27de
NZKoz (author)
Tue Nov 20 21:00:25 -0800 2007
commit  63e968794acb4435d44f8706d26f065bdcc79487
tree    0c047c607207805170e110b3489fa9e3b804a5c9
parent  65539c9f4d67ad6da7992645533602540c43740a
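--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -36,13 +36,14 @@ module ActionController #:nodoc:
   end
 
   class CgiRequest < AbstractRequest #:nodoc:
-    attr_accessor :cgi, :session_options, :cookie_only
+    attr_accessor :cgi, :session_options
     class SessionFixationAttempt < StandardError; end #:nodoc:
 
     DEFAULT_SESSION_OPTIONS = {
       :database_manager => CGI::Session::PStore,
       :prefix => "ruby_sess.",
       :session_path => "/",
+      :session_key => "_session_id",
       :cookie_only => true
     } unless const_defined?(:DEFAULT_SESSION_OPTIONS)
 
@@ -50,10 +51,13 @@ module ActionController #:nodoc:
       @cgi = cgi
       @session_options = session_options
       @env = @cgi.send(:env_table)
-      @cookie_only = session_options.delete :cookie_only
       super()
     end
 
+    def cookie_only?
+      session_options_with_string_keys['cookie_only']
+    end
+
     def query_string
       if (qs = @cgi.query_string) && !qs.empty?
         qs
@@ -114,7 +118,7 @@ module ActionController #:nodoc:
           @session = Hash.new
         else
           stale_session_check! do
-            if @cookie_only && request_parameters[session_options_with_string_keys['session_key']]
+            if cookie_only? && request_parameters[session_options_with_string_keys['session_key']]
               raise SessionFixationAttempt
             end
             case value = session_options_with_string_keys['new_session']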
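Review bot: The guard on the replaced line of the third hunk still consults only `request_parameters`, so whether a session key arriving in the query string is rejected under `cookie_only?` depends on what `request_parameters` covers, which is defined outside these hunks; confirm it includes query parameters or extend the condition to `query_parameters` as well. The new `cookie_only?` accessor in the second hunk carries no comment explaining why it replaces the removed `@cookie_only` assignment, namely that the option is now read from `session_options` on each call instead of being deleted from a hash that may be shared across requests; I would add `# Read on each call rather than cached at initialize: session_options must not be mutated, since the hash may be shared across requests.` above the `def`. Note also that `:cookie_only` now stays in `session_options` and travels wherever that hash is passed, which the removed `delete` appears to have prevented, so it is worth confirming that the session store ignores the key. `session_options_with_string_keys`, `initialize` and the method holding the `stale_session_check!` block all begin outside the hunks.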
