Filter session_id on secure requests.

smartinez87 · Aug 25, 2011 · 31841ed · 31841ed
1 parent 7700622
commit 31841ed
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 1 deletion.
diff --git a/lib/exception_notifier/views/exception_notifier/_session.text.erb b/lib/exception_notifier/views/exception_notifier/_session.text.erb
@@ -1,2 +1,2 @@
-* session id: <%= raw @request.session['session_id'].inspect.html_safe %>
+* session id: <%= @request.ssl? ? "[FILTERED]" : (raw @request.session['session_id'].inspect.html_safe) %>
 * data: <%= raw PP.pp(@request.session, "") %>
diff --git a/test/dummy/test/functional/posts_controller_test.rb b/test/dummy/test/functional/posts_controller_test.rb
@@ -56,4 +56,17 @@ class PostsControllerTest < ActionController::TestCase
     assert @ignored_exception.class.inspect == "ActiveRecord::RecordNotFound"
     assert_nil @ignored_mail
   end
+
+  test "should filter session_id on secure requests" do
+    request.env['HTTPS'] = 'on'
+    begin
+      @post = posts(:one)
+      post :create, :post => @post.attributes
+    rescue => e
+      @secured_mail = ExceptionNotifier::Notifier.exception_notification(request.env, e)
+    end
+
+    assert request.ssl?
+    assert @secured_mail.body.include? "* session id: [FILTERED]\n  *"
+  end
 end