<?xml version="1.0" encoding="UTF-8"?>
<commit>
  <added type="array"/>
  <modified type="array">
    <modified>
      <diff>@@ -1,6 +1,7 @@
 .rake_tasks
 config/database.yml
 config/deploy.rb
+config/initializers/session_store.rb
 db/*.sqlite3
 log/*.log
 public/assets</diff>
      <filename>.gitignore</filename>
    </modified>
    <modified>
      <diff>@@ -25,6 +25,12 @@ def safe_to_load_application?
   File.basename($0) != &quot;rake&quot; || !ARGV.any? {|a| a =~ /^db:/ }
 end
 
+# Make sure we a site-specific secret key file.
+unless File.exists?(File.join(File.dirname(__FILE__),
+                              'initializers/session_store.rb'))
+  raise &quot;You need to run 'rake db:bootstrap:session' to create a secret key.&quot;
+end
+
 Rails::Initializer.run do |config|
   # Settings in config/environments/* take precedence those specified here
   
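Review bot: The comment introduced at the top of this hunk is missing a word; it should read `# Make sure we have a site-specific secret key file.` The guard below it only tests for existence, so an empty or truncated `initializers/session_store.rb` (for example from an interrupted `rake db:bootstrap:session`) passes the check even though no usable secret is configured; `File.size?(...)` instead of `File.exists?(...)` would reject the zero-byte case at the same cost, and `File.exist?` is the canonical spelling of the predicate either way. Whether `safe_to_load_application?` above is meant to gate this check cannot be told from the hunk, since only its body's last line is visible.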
@@ -45,11 +51,6 @@ Rails::Initializer.run do |config|
   # (by default production uses :info, the others :debug)
   # config.log_level = :debug
 
-  # Use the database for sessions instead of the file system
-  # (create the session table with 'rake create_sessions_table')
-  # config.action_controller.session_store = :active_record_store
-  config.action_controller.session = { :session_key =&gt; &quot;_mephisto_session&quot;, :secret =&gt; &quot;bd088a0f5b476fe5a2c02653a93ed14a95a8396829ce4e726ee77553ab6438a98d0f3e6d80fc6b120370ba047f28e09f71543ae5f842365e5070e7db51fb2cb9&quot; }
-
   # Make Active Record use UTC-base instead of local time
   config.active_record.default_timezone = :utc
   </diff>
      <filename>config/environment.rb</filename>
    </modified>
    <modified>
      <diff>@@ -3,7 +3,7 @@ SITE_THEME_DIR = File.join(THEME_ROOT, &quot;site-#{(ENV['SITE_ID'] || '1')}&quot;)
 
 namespace :db do
   desc &quot;Loads a schema.rb file into the database and then loads the initial database fixtures.&quot;
-  task :bootstrap do |task_args|
+  task :bootstrap =&gt; 'db:bootstrap:session' do |task_args|
     mkdir_p File.join(RAILS_ROOT, 'log')
     
     require 'rubygems' unless Object.const_defined?(:Gem)
@@ -69,5 +69,29 @@ namespace :db do
         FileUtils.rm_rf dir
       end
     end
+
+    desc &quot;Create a secret key for use with session cookies&quot;
+    task :session do
+      path = File.join(RAILS_ROOT, 'config', 'initializers', 'session_store.rb')
+      return if File.exists?(path)
+      File.open(path, 'w') do |f|
+        f.write &lt;&lt;&quot;EOD&quot;
+# This file was generated by 'rake db:bootstrap:session', and should not be
+# made visible to public.  Do not check it into github!  If you have a
+# load-balancing Mephisto cluser, you will need to use the same version of
+# this file on each machine.  And be sure to restart your server when you
+# modify this file.
+
+# Your secret key for verifying cookie session data integrity.  If you
+# change this key, all old sessions will become invalid!  Make sure the
+# secret is at least 30 characters and all random, no regular words or
+# you'll be exposed to dictionary attacks.
+ActionController::Base.session = {
+  :session_key =&gt; '_mephisto_session_2',
+  :secret      =&gt; '#{SecureRandom.hex(40)}'
+}
+EOD
+      end
+    end
   end
-end
\ No newline at end of file
+end</diff>
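Review bot: `return if File.exists?(path)` in the new `:session` task is inside a task block rather than a method, so when the initializer already exists Rake raises LocalJumpError instead of skipping the task; `next if File.exists?(path)` is the way to leave a task body early. The generated file holds the session secret but is opened with the process umask, which on most hosts leaves it world-readable — `File.open(path, 'w', 0600) do |f|` restricts it to the owner from the moment it is created. Nothing in the hunk requires `securerandom`, and the task has no `:environment` prerequisite, so if it runs before Rails is loaded `SecureRandom` may be undefined; a `require 'securerandom'` at the top of the file would make the dependency explicit. The heredoc's generated comment also reads `cluser` where `cluster` is meant.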
      <filename>lib/tasks/bootstrap.rake</filename>
    </modified>
  </modified>
  <removed type="array"/>
  <parents type="array">
    <parent>
      <id>170fe8c55be53add05623fc1236b6bb9b0244b10</id>
    </parent>
  </parents>
  <author>
    <name>Eric Kidd</name>
    <email>git@randomhacks.net</email>
  </author>
  <url>http://github.com/emk/mephisto/commit/d558ba11e393b1bd444039d535aad3f9853e2592</url>
  <id>d558ba11e393b1bd444039d535aad3f9853e2592</id>
  <committed-date>2008-12-10T05:24:32-08:00</committed-date>
  <authored-date>2008-12-10T05:23:31-08:00</authored-date>
  <message>Security: Make our session secret actually a secret

This is the first of several patches produced by our security audit.  It
addresses the concerns mentioned here:

  http://groups.google.co.nz/group/rubyonrails-core/browse_thread/thread/4d43c1fa2485f3e3/e63662d7d521663e

Note that you will be instructed to run 'rake db:bootstrap:session' when
you first try to run Mephisto, and that your session cookie name will
change in order to prevent errors about invalid cookie signatures.

Thank you to Isaac for helping me track down the best way to solve this
problem.</message>
  <tree>2a141e222e03f8b97df2875ae8089c737676ea95</tree>
  <committer>
    <name>Eric Kidd</name>
    <email>git@randomhacks.net</email>
  </committer>
</commit>
