forked from rack/rack-contrib
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Rack::ETag now supports SHA-1 and SHA-2 in addition to MD5
- Loading branch information
James Rosen
committed
Feb 6, 2010
1 parent
975d1e8
commit 5f2aa98
Showing
2 changed files
with
76 additions
and
9 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,20 +1,61 @@ | ||
require 'digest/md5' | ||
|
||
module Rack | ||
# Automatically sets the ETag header on all String bodies | ||
# if none is set. | ||
# | ||
# By default, uses an MD5 hash to generate the ETag. | ||
# | ||
# @param [#call] app the underlying Rack application. Required. | ||
# @param [Symbol] digest the digest to use. Optional. Options are [:md5, :sha1, :sha256, :sha384, :sha512]. | ||
class ETag | ||
def initialize(app) | ||
def initialize(app, digest = :md5) | ||
@app = app | ||
load_digest(digest) | ||
@digest_method = self.method("#{digest}_hash") | ||
end | ||
|
||
def call(env) | ||
status, headers, body = @app.call(env) | ||
|
||
if !headers.has_key?('ETag') && body.is_a?(String) | ||
headers['ETag'] = %("#{Digest::MD5.hexdigest(body)}") | ||
headers['ETag'] = %("#{@digest_method.call(body)}") | ||
end | ||
|
||
[status, headers, body] | ||
end | ||
|
||
private | ||
|
||
def load_digest(digest) | ||
case digest | ||
when :md5 | ||
require 'digest/md5' | ||
when :sha1 | ||
require 'digest/sha1' | ||
when :sha256, :sha384, :sha512 | ||
require 'digest/sha2' | ||
else | ||
raise ArgumentError.new("Digest #{digest} is not supported.") | ||
end | ||
end | ||
|
||
def md5_hash(body) | ||
Digest::MD5.hexdigest(body) | ||
end | ||
|
||
def sha1_hash(body) | ||
Digest::SHA1.hexdigest(body) | ||
end | ||
|
||
def sha256_hash(body) | ||
Digest::SHA2.hexdigest(body) | ||
end | ||
|
||
def sha384_hash(body) | ||
(Digest::SHA2.new(384) << body).to_s | ||
end | ||
|
||
def sha512_hash(body) | ||
(Digest::SHA2.new(512) << body).to_s | ||
end | ||
end | ||
end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
5f2aa98
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I applied this in rack-contrib. I believe ETag was taken into rack core, though, so we might need to straighten that out.
5f2aa98
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm -1 on using other hashing algorithms for Etags. There is no security issue.
ETag is so simple (3 really lines), I think it makes more sense to have a SHA1Etag middleware instead of burying the functionality under additional options.
5f2aa98
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Aren't there performance advantages to using SHA1/SHA2? I know they're much less likely to collide than etag.
I do like the idea of making this a separate middleware class, though. Or, the ETag middleware should just pick the best one and use it.
5f2aa98
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/to collide than etag/to collide than md5/
5f2aa98
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Right, we really care about speed here. If SHA1/SHA2 are faster than MD5 lets just make that the default.
5f2aa98
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll see what the actual difference is. Also, I was taking a shower and it occurred to me that collisions don't matter at all because it's just a validator, unless two different pieces of content were to hash to the same value for the same resource, which should be basically impossible even with md5.
5f2aa98
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Here's a performance benchmark of Ruby's crc32, md5, and sha1:
So it doesn't matter, unless we want to switch to crc32 I suppose.
I'm going to revert back to md5 for now. @jamesarosen: I think it's easy enough to bust out a separate middleware should people want to use SHA1.
5f2aa98
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It isn't totally applicable to rack middleware and dynamic content, but its worth reading how the hash is created for apache
Also, this change is useless - As Tomayko mentioned its simply pretty much impossible.