Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP

Loading…

prevent crash when cookie doesn't contain "--" #523

Merged
merged 1 commit into from

4 participants

@bdimcheff

This backports 881ce76 so that rack won't crash when there isn't a "--" in the rack_session cookie

@bdimcheff bdimcheff prevent crash when cookie doesn't contain "--"
This backports 881ce76 so that rack
won't crash when there isn't a "--" in the rack_session cookie
18a6b88
@spastorino spastorino commented on the diff
lib/rack/session/cookie.rb
@@ -55,7 +55,7 @@ def load_session(env)
if @secret && session_data
session_data, digest = session_data.split("--")
- session_data = nil unless Utils.secure_compare(digest, generate_hmac(session_data))
+ session_data = nil unless session_data && digest && Utils.secure_compare(digest, generate_hmac(session_data))
@spastorino Owner

just checking for digest is enough

hmm I think that if the cookie is the empty string (and thus session_data is nil) it might error without session_data &&. I'll play around with the tests again in a bit.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
@spastorino
Owner

This one seems ok /cc @rkh @raggi

@rkh
Owner

Except the tests fail.

@spastorino spastorino referenced this pull request from a commit
@spastorino spastorino prevent crash when cookie doesn't contain "--"
This backports 881ce76 so that rack
won't crash when there isn't a "--" in the rack_session cookie

Fixes #523
a0ffb24
@spastorino spastorino referenced this pull request from a commit
@spastorino spastorino prevent crash when cookie doesn't contain "--"
This backports 881ce76 so that rack
won't crash when there isn't a "--" in the rack_session cookie

Fixes #523

Conflicts:
	lib/rack/session/cookie.rb
	test/spec_session_cookie.rb
65d417e
@spastorino spastorino merged commit 4b640a0 into rack:rack-1.1
@spastorino
Owner

For the record Travis is failing because rack-1.1 didn't have a Gemfile. Let's fix that ;)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Commits on Feb 22, 2013
  1. @bdimcheff

    prevent crash when cookie doesn't contain "--"

    bdimcheff authored
    This backports 881ce76 so that rack
    won't crash when there isn't a "--" in the rack_session cookie
This page is out of date. Refresh to see the latest.
Showing with 6 additions and 1 deletion.
  1. +1 −1  lib/rack/session/cookie.rb
  2. +5 −0 test/spec_rack_session_cookie.rb
View
2  lib/rack/session/cookie.rb
@@ -55,7 +55,7 @@ def load_session(env)
if @secret && session_data
session_data, digest = session_data.split("--")
- session_data = nil unless Utils.secure_compare(digest, generate_hmac(session_data))
+ session_data = nil unless session_data && digest && Utils.secure_compare(digest, generate_hmac(session_data))
@spastorino Owner

just checking for digest is enough

hmm I think that if the cookie is the empty string (and thus session_data is nil) it might error without session_data &&. I'll play around with the tests again in a bit.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
end
begin
View
5 test/spec_rack_session_cookie.rb
@@ -52,6 +52,11 @@
res = Rack::MockRequest.new(Rack::Session::Cookie.new(incrementor)).
get("/", "HTTP_COOKIE" => "rack.session=blarghfasel")
res.body.should.equal '{"counter"=>1}'
+
+ app = Rack::Session::Cookie.new(incrementor, :secret => 'test')
+ res = Rack::MockRequest.new(app).get("/", "HTTP_COOKIE" => "rack.session=")
+ res.body.should.equal '{"counter"=>1}'
+
end
bigcookie = lambda { |env|
Something went wrong with that request. Please try again.