author | Vipul A M <vipulnsward@gmail.com> | 2016-07-09 04:03:43 -0700 |
---|---|---|
committer | Vipul A M <vipulnsward@gmail.com> | 2016-09-01 02:53:48 +0530 |
commit | ae32b69ab9647f4072d6852c4d4d1f2a939360c1 (patch) | |
tree | 16e711ce8df8e449a5281fd75a5d73abfc56a305 /actionpack/lib/action_dispatch/middleware | |
parent | fd2446cd8156f288598cdb47172cfe31ec24c1ee (diff) | |
Follow up of #25602
Since keys are truncated, ruby 2.4 doesn't accept keys greater than their lengths.
keys of same value but different length and greater than key size of cipher, produce the same results
as reproduced at https://gist.github.com/rhenium/b81355fe816dcfae459cc5eadfc4f6f9
Since our default cipher is 'aes-256-cbc', key length for which is 32 bytes, limit the length of key being passed to Encryptor to 32 bytes.
This continues to support backwards compat with any existing signed data, already encrypted and signed with 32+ byte keys.
Also fixes the passing of this value in multiple tests.
Diffstat (limited to 'actionpack/lib/action_dispatch/middleware')
-rw-r--r-- | actionpack/lib/action_dispatch/middleware/cookies.rb | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/actionpack/lib/action_dispatch/middleware/cookies.rb b/actionpack/lib/action_dispatch/middleware/cookies.rb index ff83c4beca..8d7884b3b5 100644 --- a/actionpack/lib/action_dispatch/middleware/cookies.rb +++ b/actionpack/lib/action_dispatch/middleware/cookies.rb @@ -567,17 +567,19 @@ module ActionDispatch class EncryptedCookieJar < AbstractCookieJar # :nodoc: include SerializedCookieJars + DEFAULT_CIPHER = 'aes-256-cbc' - def initialize(parent_jar) - super + def initialize(parent_jar, cipher: DEFAULT_CIPHER) + super(parent_jar) if ActiveSupport::LegacyKeyGenerator === key_generator raise "You didn't set secrets.secret_key_base, which is required for this cookie jar. " + "Read the upgrade documentation to learn more about this new config option." end - secret = key_generator.generate_key(request.encrypted_cookie_salt || "") - sign_secret = key_generator.generate_key(request.encrypted_signed_cookie_salt || "") + key_len = OpenSSL::Cipher.new(cipher).key_len + secret = key_generator.generate_key(request.encrypted_cookie_salt || '')[0, key_len] + sign_secret = key_generator.generate_key(request.encrypted_signed_cookie_salt || '') @encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret, digest: digest, serializer: ActiveSupport::MessageEncryptor::NullSerializer) end |
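Review bot: the new `cipher:` keyword is used only to size the key (`key_len = OpenSSL::Cipher.new(cipher).key_len`), but the unchanged line `@encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret, digest: digest, serializer: ...)` never receives it, so the encryptor keeps its own default cipher; a caller passing a non-default cipher would get a secret truncated to that cipher's key length while the encryptor still constructs its default cipher, a silent mismatch. Either pass it through as `cipher: cipher` on the `MessageEncryptor.new` call, or drop the keyword and truncate to `OpenSSL::Cipher.new(DEFAULT_CIPHER).key_len`. A short comment beside the `[0, key_len]` slice would also help: it should say the truncation is deliberate so that data encrypted under the previously longer key still decrypts (as the commit message explains), and that `sign_secret` is intentionally left untruncated because the HMAC key has no fixed length; without it the asymmetry between the two lines reads like an oversight.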