authorMichael Koziarski <michael@koziarski.com>2007-11-21 21:31:45 +0000
committerMichael Koziarski <michael@koziarski.com>2007-11-21 21:31:45 +0000
commitec93d61fb9a571aeb714ddc9bd594510485f5b7f (patch)
treeba9ccc3914248b0f5c7bf6a6f3eaa592d56b3de0 /actionpack/test/controller/session/cookie_store_test.rb
parent13ab54db484a98a768f5e57e21e00eb7ee01dce4 (diff)
Make sure that cookie sessions use a secret that is at least 30 chars in length. [Koz]
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8184 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
Diffstat (limited to 'actionpack/test/controller/session/cookie_store_test.rb')
-rwxr-xr-xactionpack/test/controller/session/cookie_store_test.rb19
1 files changed, 19 insertions, 0 deletions
diff --git a/actionpack/test/controller/session/cookie_store_test.rb b/actionpack/test/controller/session/cookie_store_test.rb
index 0084f35dea..b2655c72d9 100755
--- a/actionpack/test/controller/session/cookie_store_test.rb
+++ b/actionpack/test/controller/session/cookie_store_test.rb
@@ -4,6 +4,19 @@ require 'action_controller/cgi_ext'
require 'stringio'
+
+class CGI::Session::CookieStore
+ def ensure_secret_secure_with_test_hax(secret)
+ if secret == CookieStoreTest.default_session_options['secret']
+ return true
+ else
+ ensure_secret_secure_without_test_hax(secret)
+ end
+ end
+ alias_method_chain :ensure_secret_secure, :test_hax
+end
+
+
# Expose for tests.
class CGI
attr_reader :output_cookies, :output_hidden
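Review bot: The `ensure_secret_secure_with_test_hax` override reopens `CGI::Session::CookieStore` itself, so once this file is loaded the new secret check is skipped for the whole test process whenever the secret equals `CookieStoreTest.default_session_options['secret']`, not only in this file's cases. The value of that default is outside the hunk, but the need for a bypass suggests it is shorter than the new minimum. Making the default test secret at least 30 characters long would let the real `ensure_secret_secure` run in every test and remove the `alias_method_chain` entirely. If the override stays, it deserves a comment above it such as `# Test-only bypass for the short default secret; the real check is exercised in test_raises_argument_error_if_secret_is_probably_insecure`.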
@@ -49,6 +62,12 @@ class CookieStoreTest < Test::Unit::TestCase
end
end
+ def test_raises_argument_error_if_secret_is_probably_insecure
+ ["password", "secret", "12345678901234567890123456789"].each do |blank|
+ assert_raise(ArgumentError, blank.inspect) { new_session 'secret' => blank }
+ end
+ end
+
def test_reconfigures_session_to_omit_id_cookie_and_hidden_field
new_session do |session|
assert_equal true, @options['no_hidden']
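Review bot: `test_raises_argument_error_if_secret_is_probably_insecure` pins only the rejecting side of the length limit. The 29-character string is refused, but nothing asserts that a 30-character secret is accepted, so an off-by-one in the comparison would go unnoticed. If the check is purely length-based, as the commit title suggests, add a positive boundary case such as `assert_nothing_raised { new_session 'secret' => 'a' * 30 }`. The block variable `blank` also names values that are not blank; `|secret|` would read correctly.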