diff options
author | Hongli Lai (Phusion) <hongli@phusion.nl> | 2008-12-03 19:30:35 +0100 |
---|---|---|
committer | Hongli Lai (Phusion) <hongli@phusion.nl> | 2008-12-03 19:30:35 +0100 |
commit | ccb96f2297e8783165cba764e9b5d51e1a15ff87 (patch) | |
tree | 3229e6fdddc42054615514d843c555e341003033 /actionpack/lib/action_controller/session | |
parent | fb2325e35855d62abd2c76ce03feaa3ca7992e4f (diff) | |
parent | 761a633a9c0a45d76ef3ed10da97e3696c3ded79 (diff) | |
download | rails-ccb96f2297e8783165cba764e9b5d51e1a15ff87.tar.gz rails-ccb96f2297e8783165cba764e9b5d51e1a15ff87.tar.bz2 rails-ccb96f2297e8783165cba764e9b5d51e1a15ff87.zip |
Merge commit 'origin/master' into savepoints
Conflicts:
activerecord/lib/active_record/fixtures.rb
activerecord/test/cases/defaults_test.rb
Diffstat (limited to 'actionpack/lib/action_controller/session')
-rw-r--r-- | actionpack/lib/action_controller/session/cookie_store.rb | 32 |
1 files changed, 14 insertions, 18 deletions
diff --git a/actionpack/lib/action_controller/session/cookie_store.rb b/actionpack/lib/action_controller/session/cookie_store.rb index f2fb200950..ea0ea4f841 100644 --- a/actionpack/lib/action_controller/session/cookie_store.rb +++ b/actionpack/lib/action_controller/session/cookie_store.rb @@ -1,6 +1,5 @@ require 'cgi' require 'cgi/session' -require 'openssl' # to generate the HMAC message digest # This cookie-based session store is the Rails default. Sessions typically # contain at most a user_id and flash message; both fit within the 4K cookie @@ -121,32 +120,20 @@ class CGI::Session::CookieStore write_cookie('value' => nil, 'expires' => 1.year.ago) end - # Generate the HMAC keyed message digest. Uses SHA1 by default. - def generate_digest(data) - key = @secret.respond_to?(:call) ? @secret.call(@session) : @secret - OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new(@digest), key, data) - end - private # Marshal a session hash into safe cookie data. Include an integrity hash. def marshal(session) - data = ActiveSupport::Base64.encode64s(Marshal.dump(session)) - "#{data}--#{generate_digest(data)}" + verifier.generate(session) end # Unmarshal cookie data to a hash and verify its integrity. def unmarshal(cookie) if cookie - data, digest = cookie.split('--') - - # Do two checks to transparently support old double-escaped data. - unless digest == generate_digest(data) || digest == generate_digest(data = CGI.unescape(data)) - delete - raise TamperedWithCookie - end - - Marshal.load(ActiveSupport::Base64.decode64(data)) + verifier.verify(cookie) end + rescue ActiveSupport::MessageVerifier::InvalidSignature + delete + raise TamperedWithCookie end # Read the session data cookie. @@ -164,4 +151,13 @@ class CGI::Session::CookieStore def clear_old_cookie_value @session.cgi.cookies[@cookie_options['name']].clear end + + def verifier + if @secret.respond_to?(:call) + key = @secret.call + else + key = @secret + end + ActiveSupport::MessageVerifier.new(key, @digest) + end end |