Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Browse files

Merge pull request #5515 from rafaelfranca/remove-exclude

Remove exclude option from ActionDispatch::SSL and fix secure cookies
  • Loading branch information...
commit ae977150e7beaa6a45960288acea3801b98639f7 2 parents 09d884c + 6e04a78
@josevalim josevalim authored
View
9 actionpack/lib/action_dispatch/middleware/ssl.rb
@@ -13,14 +13,11 @@ def initialize(app, options = {})
@hsts = {} if @hsts == true
@hsts = self.class.default_hsts_options.merge(@hsts) if @hsts
- @exclude = options[:exclude]
@host = options[:host]
@port = options[:port]
end
def call(env)
- return @app.call(env) if exclude?(env)
-
request = Request.new(env)
if request.ssl?
@@ -34,10 +31,6 @@ def call(env)
end
private
- def exclude?(env)
- @exclude && @exclude.call(env)
- end
-
def redirect_to_https(request)
url = URI(request.url)
url.scheme = "https"
@@ -65,7 +58,7 @@ def flag_cookies_as_secure!(headers)
cookies = cookies.split("\n")
headers['Set-Cookie'] = cookies.map { |cookie|
- if cookie !~ /; secure(;|$)/
+ if cookie !~ /;\s+secure(;|$)/
"#{cookie}; secure"
else
cookie
View
34 actionpack/test/dispatch/ssl_test.rb
@@ -31,12 +31,6 @@ def test_redirects_http_to_https
response.headers['Location']
end
- def test_exclude_from_redirect
- self.app = ActionDispatch::SSL.new(default_app, :exclude => lambda { |env| true })
- get "http://example.org/"
- assert_response :success
- end
-
def test_hsts_header_by_default
get "https://example.org/"
assert_equal "max-age=31536000",
@@ -90,6 +84,34 @@ def test_flag_cookies_as_secure_at_end_of_line
response.headers['Set-Cookie'].split("\n")
end
+ def test_flag_cookies_as_secure_with_more_spaces_before
+ self.app = ActionDispatch::SSL.new(lambda { |env|
+ headers = {
+ 'Content-Type' => "text/html",
+ 'Set-Cookie' => "problem=def; path=/; HttpOnly; secure"
+ }
+ [200, headers, ["OK"]]
+ })
+
+ get "https://example.org/"
+ assert_equal ["problem=def; path=/; HttpOnly; secure"],
+ response.headers['Set-Cookie'].split("\n")
+ end
+
+ def test_flag_cookies_as_secure_with_more_spaces_after
+ self.app = ActionDispatch::SSL.new(lambda { |env|
+ headers = {
+ 'Content-Type' => "text/html",
+ 'Set-Cookie' => "problem=def; path=/; secure; HttpOnly"
+ }
+ [200, headers, ["OK"]]
+ })
+
+ get "https://example.org/"
+ assert_equal ["problem=def; path=/; secure; HttpOnly"],
+ response.headers['Set-Cookie'].split("\n")
+ end
+
def test_no_cookies
self.app = ActionDispatch::SSL.new(lambda { |env|
[200, {'Content-Type' => "text/html"}, ["OK"]]

0 comments on commit ae97715

Please sign in to comment.
Something went wrong with that request. Please try again.