
prevent crash when session cookie value does not contain "--" delimiter

commit 881ce764f3fd70a20c5800892a132f1e6c8e7c50 1 parent 6cb96fe
Yun Huang Yong authored
Showing with 9 additions and 3 deletions.
  1. +4 −2 lib/rack/session/cookie.rb
  2. +5 −1 test/spec_session_cookie.rb
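--- a/lib/rack/session/cookie.rb
+++ b/lib/rack/session/cookie.rb
@@ -106,8 +106,10 @@ def unpacked_cookie_data(env)
 if @secrets.size > 0 && session_data
 session_data, digest = session_data.split("--")
- ok = @secrets.any? do |secret|
- secret && digest == generate_hmac(session_data, secret)
+ if session_data && digest
+ ok = @secrets.any? do |secret|
+ secret && digest == generate_hmac(session_data, secret)
+ end
 end
 session_data = nil unless ok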
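Review bot: The digest check inside the new guard, `digest == generate_hmac(session_data, secret)`, still uses `String#==`, which is not a constant-time comparison, so response timing can reveal how much of a submitted digest is correct. Since the line is being re-indented anyway, this is a good place to switch to a constant-time comparison, e.g. `secret && Rack::Utils.secure_compare(digest, generate_hmac(session_data, secret))` if the Rack version in use provides that helper. A short comment would also help: `# ok stays nil when the cookie has no "--", so the data is discarded below`, because the fail-closed behaviour now depends on `session_data = nil unless ok` seeing an unassigned `ok`. `unpacked_cookie_data` starts and ends outside the hunk.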
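--- a/test/spec_session_cookie.rb
+++ b/test/spec_session_cookie.rb
@@ -123,6 +123,10 @@ def decode(str); @calls << :decode; str; end
 res = Rack::MockRequest.new(Rack::Session::Cookie.new(incrementor)).
 get("/", "HTTP_COOKIE" => "rack.session=blarghfasel")
 res.body.should.equal '{"counter"=>1}'
+
+ app = Rack::Session::Cookie.new(incrementor, :secret => 'test')
+ res = Rack::MockRequest.new(app).get("/", "HTTP_COOKIE" => "rack.session=")
+ res.body.should.equal '{"counter"=>1}'
 end
 bigcookie = lambda do |env|
@@ -176,7 +180,7 @@ def decode(str); @calls << :decode; str; end
 response2 = Rack::MockRequest.new(app).get("/", "HTTP_COOKIE" =>
 tampered_with_cookie)
- # Tampared cookie was ignored. Counter is back to 1.
+ # Tampered cookie was ignored. Counter is back to 1.
 response2.body.should.equal '{"counter"=>1}'
 end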
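Review bot: The case added in the first hunk only exercises an empty cookie value with a secret configured. The input named in the commit title, a non-empty value with no "--", is still only tested without a secret (the `"rack.session=blarghfasel"` request just above). Reusing `app` for `get("/", "HTTP_COOKIE" => "rack.session=blarghfasel")` and for `"rack.session=--"`, each expecting `'{"counter"=>1}'`, would cover the missing-digest and missing-data cases of the new `session_data && digest` guard. The enclosing spec block starts outside the hunk.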