Merge pull request rack#900 from dmcinnes/disable-cookie-secret-warnings

Allow users to disable the secure cookie warning for custom coders
kuroda · Sep 3, 2015 · 304c1a1 · 304c1a1
2 parents 6c4160b + ed84b6d
commit 304c1a1
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 1 deletion.
diff --git a/lib/rack/session/cookie.rb b/lib/rack/session/cookie.rb
@@ -105,7 +105,7 @@ def decode(str); str; end
 
       def initialize(app, options={})
         @secrets = options.values_at(:secret, :old_secret).compact
-        warn <<-MSG unless @secrets.size >= 1
+        warn <<-MSG unless secure?(options)
         SECURITY WARNING: No secret option provided to Rack::Session::Cookie.
         This poses a security threat. It is strongly recommended that you
         provide a secret to prevent exploits that may be possible from crafted
@@ -183,6 +183,11 @@ def generate_hmac(data, secret)
         OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, secret, data)
       end
 
+      def secure?(options)
+        @secrets.size >= 1 ||
+        (options[:coder] && options[:let_coder_handle_secure_encoding])
+      end
+
     end
   end
 end
diff --git a/test/spec_session_cookie.rb b/test/spec_session_cookie.rb
@@ -152,6 +152,21 @@ def response_for(options={})
     @warnings.must_be :empty?
   end
 
+  it "doesn't warn if coder is configured to handle encoding" do
+    Rack::Session::Cookie.new(
+      incrementor,
+      :coder => Object.new,
+      :let_coder_handle_secure_encoding => true)
+    @warnings.must_be :empty?
+  end
+
+  it "still warns if coder is not set" do
+    Rack::Session::Cookie.new(
+      incrementor,
+      :let_coder_handle_secure_encoding => true)
+    @warnings.first.must_match(/no secret/i)
+  end
+
   it 'uses a coder' do
     identity = Class.new {
       attr_reader :calls