Improve error messages when providing a secret that is too short. Closes #10238 [Henrik N]

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8200 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
commit 7aab8b9a15976aa40149ac8d5ff396f3e0e8fbc6 1 parent becdb49
@NZKoz NZKoz authored
Showing with 5 additions and 4 deletions.
  1. +5 −4 actionpack/lib/action_controller/session/cookie_store.rb
actionpack/lib/action_controller/session/cookie_store.rb (9 changes)
@@ -25,7 +25,7 @@
# CGI::Session instance as an argument. It's important that the
# secret is not vulnerable to a dictionary attack. Therefore,
# you should choose a secret consisting of random numbers and
-# letters and preferably more than 30 characters.
+# letters and more than 30 characters.
#
# Example: :secret => '449fe2e7daee471bffae2fd8dc02313d'
# :secret => Proc.new { User.current_user.secret_key }
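Review bot: the wording "more than 30 characters" in the new doc comment does not match the check introduced below, which only rejects `secret.length < SECRET_MIN_LENGTH`, so a secret of exactly 30 characters is accepted; say "at least 30 characters" here (or make the check `<=` if "more than" is the intent). Two further points on the same comment: the dictionary-attack warning is about unpredictability, so "random numbers and letters" should stay the primary advice, with the length as a floor rather than the goal; and the Proc form shown in the example (`:secret => Proc.new { ... }`) is exempted from validation entirely by `return true if secret.is_a?(Proc)`, which is worth stating here so users do not assume a Proc-supplied secret is checked.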
@@ -38,6 +38,7 @@
class CGI::Session::CookieStore
# Cookies can typically store 4096 bytes.
MAX = 4096
+ SECRET_MIN_LENGTH = 30 # characters
# Raised when storing more than 4K of session data.
class CookieOverflow < StandardError; end
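Review bot: `SECRET_MIN_LENGTH = 30 # characters` deserves a purpose comment of the same kind `MAX` has ("Cookies can typically store 4096 bytes."), stating that it is a minimum length in characters used by `ensure_secret_secure` and not an entropy guarantee, since a 30-character secret drawn from a tiny alphabet or a dictionary phrase still passes. With the constant in place, the literal "30" in the doc comment above could also refer to it, so the two do not drift apart if the floor is raised later.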
@@ -84,11 +85,11 @@ def ensure_secret_secure(secret)
return true if secret.is_a?(Proc)
if secret.blank?
- raise ArgumentError, 'A secret is required to generate an integrity hash for cookie session data. Use config.action_controller.session = { :session_key => "_myapp_session", :secret => "some secret phrase" } in config/environment.rb'
+ raise ArgumentError, %Q{A secret is required to generate an integrity hash for cookie session data. Use config.action_controller.session = { :session_key => "_myapp_session", :secret => "some secret phrase of at least #{SECRET_MIN_LENGTH} characters" } in config/environment.rb}
end
- if secret.length < 30
- raise ArgumentError, "Secret should be something secure, like #{CGI::Session.generate_unique_id}. The value you provided: [#{secret}]"
+ if secret.length < SECRET_MIN_LENGTH
+ raise ArgumentError, %Q{Secret should be something secure, like "#{CGI::Session.generate_unique_id}". The value you provided, "#{secret}", is shorter than the minimum length of #{SECRET_MIN_LENGTH} characters}
end
end
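Review bot: the second message still interpolates the user-supplied secret verbatim (`The value you provided, "#{secret}", is shorter than ...`), carried over from the previous `[#{secret}]` form; an `ArgumentError` raised here ends up in boot logs and error pages, so a real secret that merely fell short of the floor is written to disk in cleartext. Report only `secret.length` and drop the value, for example: `The value you provided is #{secret.length} characters, shorter than the minimum of #{SECRET_MIN_LENGTH}`. Minor: `%Q{...}` is safe here because the braces inside the first message are balanced, but a reader may not know Ruby nests them, so a `%Q[...]` delimiter would avoid the double-take.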