
Merge branch '1.1'

Conflicts:
	project.clj
	ring-core/project.clj
	ring-devel/project.clj
	ring-jetty-adapter/project.clj
	ring-servlet/project.clj
2 parents 334e399 + 2f083a9 commit adcc81a9bab138b5898099a1dbe5f23c5659737c @weavejester weavejester committed Jan 12, 2013
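--- a/README.md
+++ b/README.md
@@ -25,11 +25,11 @@ complete description of the Ring interface.
 To include one of the above libraries, for example `ring-core`, add
 the following to your `:dependencies`:
- [ring/ring-core "1.1.6"]
+ [ring/ring-core "1.1.7"]
 To include all of them:
- [ring "1.1.6"]
+ [ring "1.1.7"]
 ## Documentation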
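--- a/project.clj
+++ b/project.clj
@@ -15,7 +15,7 @@
 "ring-jetty-adapter"
 "ring-servlet"]
 :codox
- {:src-dir-uri "http://github.com/ring-clojure/ring/blob/1.1.6"
+ {:src-dir-uri "http://github.com/ring-clojure/ring/blob/1.1.7"
 :src-linenum-anchor-prefix "L"
 :sources ["ring-core/src"
 "ring-devel/src"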
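--- a/ring-core/src/ring/middleware/cookies.clj
+++ b/ring-core/src/ring/middleware/cookies.clj
@@ -52,7 +52,7 @@
 (for [[name value] cookies]
 (if-let [value (codec/form-decode-str value)]
 (if (.startsWith ^String value "\"")
- [name (read-string value)]
+ [name (binding [*read-eval* false] (read-string value))]
 [name value])))))
 (defn- get-cookie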
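Review bot: `read-string` on the added line is still the Clojure reader applied to an untrusted `Cookie` header value, so a value such as `"abc` (unterminated) or `"\x"` (an escape the reader does not know) makes the reader throw out of the middleware instead of the value being passed through or dropped, and nothing in the hunk catches that. Because the value is known to start with `"`, the reader only ever parses a string literal here, so the `*read-eval*` binding looks like defence in depth rather than the fix for a reachable `#=` — worth stating in a comment such as `;; value is a quoted-string, so only a string literal is ever read; *read-eval* false is belt-and-braces`. A small dedicated unquote that strips the outer quotes and collapses `\x` to `x` avoids the reader and its exceptions entirely and matches RFC 2616 quoted-pair semantics, though it would no longer interpret Clojure escapes like `\n` — confirm against what the cookie writer emits. The enclosing `for` and its defining function start outside the hunk.
```clojure
(defn- unquote-cookie-value
  "Decode an RFC 2616 quoted-string cookie value without the Clojure reader:
  drop the surrounding quotes and turn each backslash-escaped character into
  itself. A value that is not a complete quoted string is returned unchanged."
  [^String value]
  (if (and (> (.length value) 1)
           (.startsWith value "\"")
           (.endsWith value "\""))
    (.replaceAll (.substring value 1 (dec (.length value))) "\\\\(.)" "$1")
    value))

;; … unchanged: for/if-let over the decoded cookie pairs …
        (if (.startsWith ^String value "\"")
          [name (unquote-cookie-value value)]
          [name value])
```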
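--- a/ring-core/src/ring/middleware/session/cookie.clj
+++ b/ring-core/src/ring/middleware/session/cookie.clj
@@ -71,10 +71,14 @@
 secret-key)
 (secure-random-bytes 16)))
+(defn- serialize [x]
+ {:post [(= x (binding [*read-eval* false] (read-string %)))]}
+ (pr-str x))
+
 (defn- seal
 "Seal a Clojure data structure into an encrypted and HMACed string."
 [key data]
- (let [data (encrypt key (.getBytes (pr-str data)))]
+ (let [data (encrypt key (.getBytes (serialize data)))]
 (str (codec/base64-encode data) "--" (hmac key data))))
 (defn- secure-compare [^String a ^String b]
@@ -89,7 +93,8 @@
 (let [[data mac] (.split string "--")
 data (codec/base64-decode data)]
 (if (secure-compare mac (hmac key data))
- (read-string (decrypt key data)))))
+ (binding [*read-eval* false]
+ (read-string (decrypt key data))))))
 (deftype CookieStore [secret-key]
 SessionStore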
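Review bot: The round-trip guard added to `serialize` lives in a `:post` condition, so it is only compiled in while `*assert*` is true; a build that disables assertions drops it silently, and a key such as `(keyword "bar 3 :baz ")` is then written into the cookie and read back as different data with no error at all. Making the check an explicit `when-not` that throws keeps it in every build and still satisfies the test that expects `AssertionError`; the message should not include the session data itself, since it will end up in logs. Separately, `unseal`'s new binding blocks `#=` but not reader tags resolved via `*data-readers*`; as the HMAC is verified before decryption this only matters if the key leaks, so a comment such as `;; HMAC already authenticated the payload; *read-eval* false is defence in depth` would make the intent clear. `unseal`'s definition line starts outside the second hunk.
```clojure
(defn- serialize
  "Serialize session data with pr-str, refusing anything that does not read
  back equal (e.g. keywords or symbols containing whitespace), which would
  otherwise silently change meaning when unsealed. Checked unconditionally
  rather than via :post so the guard survives builds with *assert* false."
  [x]
  (let [s (pr-str x)]
    (when-not (= x (binding [*read-eval* false] (read-string s)))
      (throw (AssertionError. "Session data does not round-trip through pr-str/read-string")))
    s))
```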
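--- a/ring-core/test/ring/middleware/session/test/cookie.clj
+++ b/ring-core/test/ring/middleware/session/test/cookie.clj
@@ -1,6 +1,8 @@
 (ns ring.middleware.session.test.cookie
 (:use clojure.test
- [ring.middleware.session store cookie]))
+ [ring.middleware.session store cookie])
+ (:require [ring.middleware.session.cookie :as cookie]
+ [ring.util.codec :as codec]))
 (deftest cookie-session-read-not-exist
 (let [store (cookie-store)]
@@ -30,3 +32,18 @@
 (is (not= sess-key sess-key*))
 (is (= (read-session store sess-key*)
 {}))))
+
+(defn seal-code-injection [key code]
+ (let [data (#'cookie/encrypt key (.getBytes (str "#=" (pr-str code))))]
+ (str (codec/base64-encode data) "--" (#'cookie/hmac key data))))
+
+(deftest cookie-session-code-injection
+ (let [secret-key (#'cookie/secure-random-bytes 16)
+ store (cookie-store {:key secret-key})
+ session (seal-code-injection secret-key `(+ 1 1))]
+ (is (thrown? RuntimeException (read-session store session)))))
+
+(deftest cookie-session-keyword-injection
+ (let [store (cookie-store)
+ bad-data {:foo 1 (keyword "bar 3 :baz ") 2}]
+ (is (thrown? AssertionError (write-session store nil bad-data)))))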
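Review bot: `cookie-session-code-injection` asserts only `thrown? RuntimeException`, which is broad enough that a NullPointerException from a broken `unseal`, a decryption failure or a Base64 error would also satisfy it, so the test does not pin the property it is named for. Narrowing it to the reader's own refusal, e.g. `(is (thrown-with-msg? RuntimeException #"EvalReader not allowed" (read-session store session)))`, keeps it failing if the `*read-eval*` binding is removed but something else happens to throw; the message text is what the Clojure reader emits in the versions I know, so confirm it against the version pinned by the project. `seal-code-injection` also rebuilds `seal`'s framing by hand through private vars, and a one-line comment such as `;; bypasses serialize's round-trip check so a raw #= form can be sealed` would explain why it does not call `#'cookie/seal` directly.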
