prevent crash when session cookie value does not contain "--" delimiter

leahneukirchen · Jan 16, 2012 · 881ce76 · 881ce76
1 parent 6cb96fe
commit 881ce76
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 3 deletions.
diff --git a/lib/rack/session/cookie.rb b/lib/rack/session/cookie.rb
@@ -106,8 +106,10 @@ def unpacked_cookie_data(env)
           if @secrets.size > 0 && session_data
             session_data, digest = session_data.split("--")
 
-            ok = @secrets.any? do |secret|
-              secret && digest == generate_hmac(session_data, secret)
+            if session_data && digest
+              ok = @secrets.any? do |secret|
+                secret && digest == generate_hmac(session_data, secret)
+              end
             end
 
             session_data = nil unless ok

diff --git a/test/spec_session_cookie.rb b/test/spec_session_cookie.rb
@@ -123,6 +123,10 @@ def decode(str); @calls << :decode; str; end
     res = Rack::MockRequest.new(Rack::Session::Cookie.new(incrementor)).
       get("/", "HTTP_COOKIE" => "rack.session=blarghfasel")
     res.body.should.equal '{"counter"=>1}'
+
+    app = Rack::Session::Cookie.new(incrementor, :secret => 'test')
+    res = Rack::MockRequest.new(app).get("/", "HTTP_COOKIE" => "rack.session=")
+    res.body.should.equal '{"counter"=>1}'
   end
 
   bigcookie = lambda do |env|
@@ -176,7 +180,7 @@ def decode(str); @calls << :decode; str; end
     response2 = Rack::MockRequest.new(app).get("/", "HTTP_COOKIE" =>
                                                tampered_with_cookie)
 
-    # Tampared cookie was ignored. Counter is back to 1.
+    # Tampered cookie was ignored. Counter is back to 1.
     response2.body.should.equal '{"counter"=>1}'
   end