diff options
| author | Michael Koziarski <michael@koziarski.com> | 2007-11-21 21:31:45 +0000 |
|---|---|---|
| committer | Michael Koziarski <michael@koziarski.com> | 2007-11-21 21:31:45 +0000 |
| commit | ec93d61fb9a571aeb714ddc9bd594510485f5b7f (patch) | |
| tree | ba9ccc3914248b0f5c7bf6a6f3eaa592d56b3de0 /actionpack/test | |
| parent | 13ab54db484a98a768f5e57e21e00eb7ee01dce4 (diff) | |
| download | rails-ec93d61fb9a571aeb714ddc9bd594510485f5b7f.tar.gz rails-ec93d61fb9a571aeb714ddc9bd594510485f5b7f.tar.bz2 rails-ec93d61fb9a571aeb714ddc9bd594510485f5b7f.zip | |
Make sure that cookie sessions use a secret that is at least 30 chars in length. [Koz]
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8184 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
Diffstat (limited to 'actionpack/test')
| -rwxr-xr-x | actionpack/test/controller/session/cookie_store_test.rb | 19 | ||||
| -rw-r--r-- | actionpack/test/controller/session_fixation_test.rb | 3 |
2 files changed, 21 insertions, 1 deletions
diff --git a/actionpack/test/controller/session/cookie_store_test.rb b/actionpack/test/controller/session/cookie_store_test.rb index 0084f35dea..b2655c72d9 100755 --- a/actionpack/test/controller/session/cookie_store_test.rb +++ b/actionpack/test/controller/session/cookie_store_test.rb @@ -4,6 +4,19 @@ require 'action_controller/cgi_ext' require 'stringio' + +class CGI::Session::CookieStore + def ensure_secret_secure_with_test_hax(secret) + if secret == CookieStoreTest.default_session_options['secret'] + return true + else + ensure_secret_secure_without_test_hax(secret) + end + end + alias_method_chain :ensure_secret_secure, :test_hax +end + + # Expose for tests. class CGI attr_reader :output_cookies, :output_hidden @@ -49,6 +62,12 @@ class CookieStoreTest < Test::Unit::TestCase end end + def test_raises_argument_error_if_secret_is_probably_insecure + ["password", "secret", "12345678901234567890123456789"].each do |blank| + assert_raise(ArgumentError, blank.inspect) { new_session 'secret' => blank } + end + end + def test_reconfigures_session_to_omit_id_cookie_and_hidden_field new_session do |session| assert_equal true, @options['no_hidden'] diff --git a/actionpack/test/controller/session_fixation_test.rb b/actionpack/test/controller/session_fixation_test.rb index 0b0dce770e..34a7aa2d0d 100644 --- a/actionpack/test/controller/session_fixation_test.rb +++ b/actionpack/test/controller/session_fixation_test.rb @@ -1,5 +1,6 @@ require File.dirname(__FILE__) + '/../abstract_unit' + class SessionFixationTest < Test::Unit::TestCase class MockCGI < CGI #:nodoc: attr_accessor :stdoutput, :env_table @@ -12,7 +13,7 @@ class SessionFixationTest < Test::Unit::TestCase end class TestController < ActionController::Base - session :session_key => '_myapp_session_id', :secret => 'secret', :except => :default_session_key + session :session_key => '_myapp_session_id', :secret => CGI::Session.generate_unique_id, :except => :default_session_key session :cookie_only => false, :only => :allow_session_fixation def default_session_key |