author | Santiago Pastorino <santiago@wyeworks.com> | 2011-04-06 19:12:32 -0300 |
---|---|---|
committer | Santiago Pastorino <santiago@wyeworks.com> | 2011-04-06 19:12:35 -0300 |
commit | 0d455673620a1646b1149e1e4a185143d46bb7b8 (patch) | |
tree | 3d0624e5146b070564974123eb17a836f5be64ec /actionpack | |
parent | 0e4748cd415660eb91e63d50aa15cdd027c612dd (diff) | |
Add tests to verify that signed and permanent cookies raise if someone tries
to modify the cookies after they have already been streamed back to the client
or converted to HTTP headers
Diffstat (limited to 'actionpack')
-rw-r--r-- | actionpack/test/dispatch/cookies_test.rb | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/actionpack/test/dispatch/cookies_test.rb b/actionpack/test/dispatch/cookies_test.rb
index 0d374e1d8b..2a32614ca1 100644
--- a/actionpack/test/dispatch/cookies_test.rb
+++ b/actionpack/test/dispatch/cookies_test.rb
@@ -497,6 +497,9 @@ class CookiesTest < ActionController::TestCase
 end
 class CookiesIntegrationTest < ActionDispatch::IntegrationTest
+ SessionKey = '_myapp_session'
+ SessionSecret = 'b3c631c314c0bbca50c1b2843150fe33'
+
 class TestController < ActionController::Base
 def dont_set_cookies
 head :ok
@@ -529,8 +532,56 @@ class CookiesIntegrationTest < ActionDispatch::IntegrationTest
 end
 end
+ def test_setting_permanent_cookies_raises_after_stream_back_to_client
+ with_test_route_set do
+ env = {}
+ get '/set_cookies', nil, env
+ assert_raise(ActionDispatch::ClosedError) {
+ request.cookie_jar.permanent['alert'] = 'alert'
+ cookies['alert'] = 'alert'
+ }
+ end
+ end
+
+ def test_setting_permanent_cookies_raises_after_stream_back_to_client_even_with_an_empty_flash
+ with_test_route_set do
+ env = {}
+ get '/dont_set_cookies', nil, {}
+ assert_raise(ActionDispatch::ClosedError) {
+ request.cookie_jar.permanent['alert'] = 'alert'
+ }
+ end
+ end
+
+ def test_setting_signed_cookies_raises_after_stream_back_to_client
+ with_test_route_set do
+ env = {}
+ get '/set_cookies', nil, env
+ assert_raise(ActionDispatch::ClosedError) {
+ request.cookie_jar.signed['alert'] = 'alert'
+ cookies['alert'] = 'alert'
+ }
+ end
+ end
+
+ def test_setting_signed_cookies_raises_after_stream_back_to_client_even_with_an_empty_flash
+ with_test_route_set do
+ env = {}
+ get '/dont_set_cookies', nil, {}
+ assert_raise(ActionDispatch::ClosedError) {
+ request.cookie_jar.signed['alert'] = 'alert'
+ }
+ end
+ end
+
 private
+ # Overwrite get to send SessionSecret in env hash
+ def get(path, parameters = nil, env = {})
+ env["action_dispatch.secret_token"] ||= SessionSecret
+ super
+ end
+
 def with_test_route_set
 with_routing do |set|
 set.draw do |
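Review bot: `SessionKey` is added in the first hunk but nothing in the visible hunks reads it; only `SessionSecret` is used, by the `get` override in the second hunk. If the rest of the file does not need it, drop the constant. A short comment above `SessionSecret`, for example `# Test-only secret token fixture; never reuse outside the test suite`, would make clear that the hard-coded value is not a real credential. The class body continues outside the hunk.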
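Review bot: In `test_setting_permanent_cookies_raises_after_stream_back_to_client` and its signed counterpart, the `assert_raise` block holds two writes, so the second one (`cookies['alert'] = 'alert'`) is never reached when the first raises and adds nothing to the check. If the permanent or signed jar ever stopped raising, the outcome would depend on that plain `cookies[...]` write instead, which could hide the regression these tests are meant to catch. Give each write its own assertion, e.g. `assert_raise(ActionDispatch::ClosedError) { request.cookie_jar.signed['alert'] = 'alert' }`, and drop or separately assert the `cookies[...]` line. In the two `_even_with_an_empty_flash` tests `env = {}` is assigned but a fresh `{}` is passed to `get`; pass `env` or remove the local.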