Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

Loading…

prevent crash when cookie doesn't contain "--" #523

Merged
merged 1 commit into from

4 participants

Brandon Dimcheff jaminben Santiago Pastorino Konstantin Haase
Brandon Dimcheff

This backports 881ce76 so that rack won't crash when there isn't a "--" in the rack_session cookie

Brandon Dimcheff bdimcheff prevent crash when cookie doesn't contain "--"
This backports 881ce76 so that rack
won't crash when there isn't a "--" in the rack_session cookie
18a6b88
Santiago Pastorino spastorino commented on the diff
lib/rack/session/cookie.rb
@@ -55,7 +55,7 @@ def load_session(env)
if @secret && session_data
session_data, digest = session_data.split("--")
- session_data = nil unless Utils.secure_compare(digest, generate_hmac(session_data))
+ session_data = nil unless session_data && digest && Utils.secure_compare(digest, generate_hmac(session_data))
Santiago Pastorino Owner

just checking for digest is enough

hmm I think that if the cookie is the empty string (and thus session_data is nil) it might error without session_data &&. I'll play around with the tests again in a bit.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Santiago Pastorino
Owner

This one seems ok /cc @rkh @raggi

Konstantin Haase
Owner

Except the tests fail.

Santiago Pastorino spastorino referenced this pull request from a commit
Santiago Pastorino spastorino prevent crash when cookie doesn't contain "--"
This backports 881ce76 so that rack
won't crash when there isn't a "--" in the rack_session cookie

Fixes #523
a0ffb24
Santiago Pastorino spastorino referenced this pull request from a commit
Santiago Pastorino spastorino prevent crash when cookie doesn't contain "--"
This backports 881ce76 so that rack
won't crash when there isn't a "--" in the rack_session cookie

Fixes #523

Conflicts:
	lib/rack/session/cookie.rb
	test/spec_session_cookie.rb
65d417e
Santiago Pastorino spastorino merged commit 4b640a0 into from
Santiago Pastorino
Owner

For the record Travis is failing because rack-1.1 didn't have a Gemfile. Let's fix that ;)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Commits on Feb 22, 2013
  1. Brandon Dimcheff

    prevent crash when cookie doesn't contain "--"

    bdimcheff authored
    This backports 881ce76 so that rack
    won't crash when there isn't a "--" in the rack_session cookie
This page is out of date. Refresh to see the latest.
Showing with 6 additions and 1 deletion.
  1. +1 −1  lib/rack/session/cookie.rb
  2. +5 −0 test/spec_rack_session_cookie.rb
2  lib/rack/session/cookie.rb
View
@@ -55,7 +55,7 @@ def load_session(env)
if @secret && session_data
session_data, digest = session_data.split("--")
- session_data = nil unless Utils.secure_compare(digest, generate_hmac(session_data))
+ session_data = nil unless session_data && digest && Utils.secure_compare(digest, generate_hmac(session_data))
Santiago Pastorino Owner

just checking for digest is enough

hmm I think that if the cookie is the empty string (and thus session_data is nil) it might error without session_data &&. I'll play around with the tests again in a bit.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
end
begin
5 test/spec_rack_session_cookie.rb
View
@@ -52,6 +52,11 @@
res = Rack::MockRequest.new(Rack::Session::Cookie.new(incrementor)).
get("/", "HTTP_COOKIE" => "rack.session=blarghfasel")
res.body.should.equal '{"counter"=>1}'
+
+ app = Rack::Session::Cookie.new(incrementor, :secret => 'test')
+ res = Rack::MockRequest.new(app).get("/", "HTTP_COOKIE" => "rack.session=")
+ res.body.should.equal '{"counter"=>1}'
+
end
bigcookie = lambda { |env|
Something went wrong with that request. Please try again.