authorMichael Koziarski <michael@koziarski.com>2007-11-24 22:41:16 +0000
committerMichael Koziarski <michael@koziarski.com>2007-11-24 22:41:16 +0000
commit7aab8b9a15976aa40149ac8d5ff396f3e0e8fbc6 (patch)
treedcbe3319e6f8cdd098023f84116194d78fab2946 /actionpack/lib/action_controller
parentbecdb49186c575bf96a82a949ac04b6078680d52 (diff)
Improve error messages when providing a secret that is too short. Closes #10238 [Henrik N]
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8200 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
Diffstat (limited to 'actionpack/lib/action_controller')
-rw-r--r--actionpack/lib/action_controller/session/cookie_store.rb9
1 files changed, 5 insertions, 4 deletions
diff --git a/actionpack/lib/action_controller/session/cookie_store.rb b/actionpack/lib/action_controller/session/cookie_store.rb
index 81092882f7..0da092225a 100644
--- a/actionpack/lib/action_controller/session/cookie_store.rb
+++ b/actionpack/lib/action_controller/session/cookie_store.rb
@@ -25,7 +25,7 @@ require 'openssl' # to generate the HMAC message digest
# CGI::Session instance as an argument. It's important that the
# secret is not vulnerable to a dictionary attack. Therefore,
# you should choose a secret consisting of random numbers and
-# letters and preferably more than 30 characters.
+# letters and more than 30 characters.
#
# Example: :secret => '449fe2e7daee471bffae2fd8dc02313d'
# :secret => Proc.new { User.current_user.secret_key }
@@ -38,6 +38,7 @@ require 'openssl' # to generate the HMAC message digest
class CGI::Session::CookieStore
# Cookies can typically store 4096 bytes.
MAX = 4096
+ SECRET_MIN_LENGTH = 30 # characters
# Raised when storing more than 4K of session data.
class CookieOverflow < StandardError; end
@@ -84,11 +85,11 @@ class CGI::Session::CookieStore
return true if secret.is_a?(Proc)
if secret.blank?
- raise ArgumentError, 'A secret is required to generate an integrity hash for cookie session data. Use config.action_controller.session = { :session_key => "_myapp_session", :secret => "some secret phrase" } in config/environment.rb'
+ raise ArgumentError, %Q{A secret is required to generate an integrity hash for cookie session data. Use config.action_controller.session = { :session_key => "_myapp_session", :secret => "some secret phrase of at least #{SECRET_MIN_LENGTH} characters" } in config/environment.rb}
end
- if secret.length < 30
- raise ArgumentError, "Secret should be something secure, like #{CGI::Session.generate_unique_id}. The value you provided: [#{secret}]"
+ if secret.length < SECRET_MIN_LENGTH
+ raise ArgumentError, %Q{Secret should be something secure, like "#{CGI::Session.generate_unique_id}". The value you provided, "#{secret}", is shorter than the minimum length of #{SECRET_MIN_LENGTH} characters}
end
end
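Review bot: The rewritten message on the `secret.length < SECRET_MIN_LENGTH` branch still interpolates the configured secret itself (`The value you provided, "#{secret}", ...`), so the value ends up in exception output, application logs and any error-reporting channel that captures the message; a too-short secret is still an operator-supplied credential that is often reused or extended, so it should not be echoed. Reporting only its length gives the same diagnostic value, e.g. `raise ArgumentError, %Q{Secret should be something secure, like "#{CGI::Session.generate_unique_id}". The value you provided is #{secret.length} characters long, shorter than the minimum length of #{SECRET_MIN_LENGTH} characters}`. The pre-existing message had the same problem, but this commit rewrites the line and is the natural place to stop leaking it. Note also that `String#length` counts bytes on the Ruby versions this code targets, so the `# characters` annotation on `SECRET_MIN_LENGTH` only holds for ASCII secrets; a comment such as `# NOTE: measured with String#length, i.e. bytes on Ruby 1.8` would keep that honest. The enclosing method begins before this hunk, so its signature is not visible here.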