
Fix signed cookies by explicitly passing config to the cookie jar

1 parent ef84e69 · commit e3959970e1f669c6ecf79d645b5e4f9d7ed2a4ec · @jeremy committed Apr 4, 2010
actionpack/lib/action_controller/metal/cookies.rb (5 lines changed)
@@ -7,10 +7,11 @@ module Cookies
included do
helper_method :cookies
end
-
+
private
def cookies
- request.cookie_jar
+ raise "You must set config.cookie_secret in your app's config" if config.secret.blank?
+ request.cookie_jar(:signing_secret => config.secret)
@negonicrac added a note Apr 5, 2010

Shouldn't these lines be:

raise "You must set config.cookie_secret in your app's config" if config.cookie_secret.blank?
request.cookie_jar(:signing_secret => config.cookie_secret)

since config.secret was changed to config.cookie_secret?
end
end
end
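Review bot: the guard reads `config.secret` but its message tells the user to set `config.cookie_secret`, and the doc comment in action_dispatch/middleware/cookies.rb in this same commit also names `config.cookie_secret`; either change the check to `config.cookie_secret.blank?` (as negonicrac suggests) or change the message, so a misconfigured app is pointed at the setting the code actually reads. Note also that `request.cookie_jar(:signing_secret => config.secret)` only affects the jar if this is the first `cookie_jar` call of the request: the `||=` memoization in `Request#cookie_jar` below ignores the argument on every later call.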
actionpack/lib/action_dispatch/middleware/cookies.rb (42 lines changed)
@@ -1,7 +1,7 @@
module ActionDispatch
class Request
- def cookie_jar
- env['action_dispatch.cookies'] ||= Cookies::CookieJar.build(self)
+ def cookie_jar(config = {})
+ env['action_dispatch.cookies'] ||= Cookies::CookieJar.build(self, config)
end
end
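Review bot: `||=` keeps the first jar built for the request and silently drops the `config` argument on every later call, so any code path that calls `request.cookie_jar` with no arguments before the controller's `cookies` helper does (middleware, a view helper, a test) leaves `env['action_dispatch.cookies']` holding a jar with no `:signing_secret`, and `cookies.signed` then fails for the rest of the request; this is the blank secret postmodern reports in the SignedCookieJar hunk. Either raise when a non-empty `config` is passed and a jar already exists in `env`, or build the jar with the secret in exactly one place instead of hoping the controller gets there first.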
@@ -51,17 +51,18 @@ def cookie_jar
# only HTTP. Defaults to +false+.
class Cookies
class CookieJar < Hash #:nodoc:
- def self.build(request)
- new.tap do |hash|
+ def self.build(request, config = {})
+ new(config).tap do |hash|
hash.update(request.cookies)
end
end
- def initialize
+ def initialize(config = {})
+ @config = config
@set_cookies = {}
@delete_cookies = {}
- super
+ super()
end
# Returns the value of the cookie by +name+, or +nil+ if no such cookie exists.
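Review bot: the switch from `super` to `super()` in `CookieJar#initialize` is load-bearing and deserves a comment. With the new `config = {}` parameter, a bare `super` would forward `config` to `Hash#initialize`, making the config hash (signing secret included) the default value returned for every missing cookie name; `super()` keeps the default at `nil`. Suggest `super() # do not forward config to Hash#initialize as the default value`. In the same hunk, the `config = {}` default on `self.build(request, config = {})` lets a jar be built without any secret and without any error until `signed` is first touched, which is what makes the memoization problem in `Request#cookie_jar` silent rather than loud.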
@@ -111,15 +112,15 @@ def delete(key, options = {})
# cookies.permanent.signed[:remember_me] = current_user.id
# # => Set-Cookie: discount=BAhU--848956038e692d7046deab32b7131856ab20e14e; path=/; expires=Sun, 16-Dec-2029 03:24:16 GMT
def permanent
- @permanent ||= PermanentCookieJar.new(self)
+ @permanent ||= PermanentCookieJar.new(self, @config)
end
# Returns a jar that'll automatically generate a signed representation of cookie value and verify it when reading from
# the cookie again. This is useful for creating cookies with values that the user is not supposed to change. If a signed
# cookie was tampered with by the user (or a 3rd party), an ActiveSupport::MessageVerifier::InvalidSignature exception will
# be raised.
#
- # This jar requires that you set a suitable secret for the verification on ActionController::Base.cookie_verifier_secret.
+ # This jar requires that you set a suitable secret for the verification on your app's config.cookie_secret.
#
# Example:
#
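Review bot: the updated doc comment tells users to set `config.cookie_secret`, but the controller side of this commit (action_controller/metal/cookies.rb) reads `config.secret`; the two must agree or the documented setting does nothing. Also in this hunk, the example above `permanent` assigns `cookies.permanent.signed[:remember_me]` while the `Set-Cookie` line it claims to produce is for `discount=...`; use one cookie name in both lines.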
@@ -128,7 +129,7 @@ def permanent
#
# cookies.signed[:discount] # => 45
def signed
- @signed ||= SignedCookieJar.new(self)
+ @signed ||= SignedCookieJar.new(self, @config)
end
def write(response)
@@ -138,8 +139,9 @@ def write(response)
end
class PermanentCookieJar < CookieJar #:nodoc:
- def initialize(parent_jar)
+ def initialize(parent_jar, config = {})
@parent_jar = parent_jar
+ @config = config
end
def []=(key, options)
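Review bot: `PermanentCookieJar#initialize` still never calls `super`, so the `@set_cookies`/`@delete_cookies` state from `CookieJar#initialize` does not exist on this object; only `@parent_jar` and the new `@config` are set. That is fine as long as every write goes through the parent jar, but a one-line comment saying so would stop the next reader from adding `super` here on the assumption that this jar's own hash is used.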
@@ -154,11 +156,7 @@ def []=(key, options)
end
def signed
- @signed ||= SignedCookieJar.new(self)
- end
-
- def controller
- @parent_jar.controller
+ @signed ||= SignedCookieJar.new(self, @config)
end
def method_missing(method, *arguments, &block)
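Review bot: dropping `PermanentCookieJar#controller` is only safe if no remaining caller uses it; because `method_missing` follows directly below, a leftover `cookies.permanent.controller` call would no longer raise `NoMethodError` here but fall through to `method_missing`, so grep for `.controller` on permanent jars before merging. The `signed` change itself is right: without `@config` the nested SignedCookieJar would raise 'Missing cookie signing secret' on first use.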
@@ -167,18 +165,16 @@ def method_missing(method, *arguments, &block)
end
class SignedCookieJar < CookieJar #:nodoc:
- def initialize(parent_jar)
- unless ActionController::Base.config.secret
- raise "You must set ActionController::Base.config.secret"
- end
-
+ def initialize(parent_jar, config = {})
+ raise 'Missing cookie signing secret' if config[:signing_secret].blank?
@postmodern added a note Apr 5, 2010

After this commit, the signing_secret appears to be always blank.

@jeremy (Ruby on Rails member) added a note Apr 5, 2010

Because cookie_jar is called without config the first time. Doh.

@parent_jar = parent_jar
- @verifier = ActiveSupport::MessageVerifier.new(ActionController::Base.config.secret)
+ @config = config
+ @verifier = ActiveSupport::MessageVerifier.new(config[:signing_secret])
end
def [](name)
- if value = @parent_jar[name]
- @verifier.verify(value)
+ if signed_message = @parent_jar[name]
+ @verifier.verify(signed_message)
end
end
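Review bot: the `raise 'Missing cookie signing secret'` only fires when `cookies.signed` is first used, and the `config` it inspects is whatever was passed to the first `request.cookie_jar` call of the request (memoized with `||=` in `Request#cookie_jar` above), so a jar built earlier with no arguments makes this raise on every signed access; that is the always-blank secret postmodern and jeremy discuss above. Two smaller points: this message and the controller's ("You must set config.cookie_secret ...") describe the same failure in different words, so pick one wording; and `if signed_message = @parent_jar[name]` treats an empty-string cookie as present, so a cookie sent with an empty value is handed to `@verifier.verify` and raises `InvalidSignature` instead of reading as absent. `unless signed_message.blank?` is the safer guard if empty is meant to return `nil`.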

0 comments on commit e395997
