aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack
diff options
context:
space:
mode:
authorMichael Koziarski <michael@koziarski.com>2007-11-24 22:41:16 +0000
committerMichael Koziarski <michael@koziarski.com>2007-11-24 22:41:16 +0000
commit7aab8b9a15976aa40149ac8d5ff396f3e0e8fbc6 (patch)
treedcbe3319e6f8cdd098023f84116194d78fab2946 /actionpack
parentbecdb49186c575bf96a82a949ac04b6078680d52 (diff)
downloadrails-7aab8b9a15976aa40149ac8d5ff396f3e0e8fbc6.tar.gz
rails-7aab8b9a15976aa40149ac8d5ff396f3e0e8fbc6.tar.bz2
rails-7aab8b9a15976aa40149ac8d5ff396f3e0e8fbc6.zip
Improve error messages when providing a secret that is too short. Closes #10238 [Henrik N]
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8200 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
Diffstat (limited to 'actionpack')
-rw-r--r--actionpack/lib/action_controller/session/cookie_store.rb9
1 files changed, 5 insertions, 4 deletions
diff --git a/actionpack/lib/action_controller/session/cookie_store.rb b/actionpack/lib/action_controller/session/cookie_store.rb
index 81092882f7..0da092225a 100644
--- a/actionpack/lib/action_controller/session/cookie_store.rb
+++ b/actionpack/lib/action_controller/session/cookie_store.rb
@@ -25,7 +25,7 @@ require 'openssl' # to generate the HMAC message digest
# CGI::Session instance as an argument. It's important that the
# secret is not vulnerable to a dictionary attack. Therefore,
# you should choose a secret consisting of random numbers and
-# letters and preferably more than 30 characters.
+# letters and more than 30 characters.
#
# Example: :secret => '449fe2e7daee471bffae2fd8dc02313d'
# :secret => Proc.new { User.current_user.secret_key }
@@ -38,6 +38,7 @@ require 'openssl' # to generate the HMAC message digest
class CGI::Session::CookieStore
# Cookies can typically store 4096 bytes.
MAX = 4096
+ SECRET_MIN_LENGTH = 30 # characters
# Raised when storing more than 4K of session data.
class CookieOverflow < StandardError; end
@@ -84,11 +85,11 @@ class CGI::Session::CookieStore
return true if secret.is_a?(Proc)
if secret.blank?
- raise ArgumentError, 'A secret is required to generate an integrity hash for cookie session data. Use config.action_controller.session = { :session_key => "_myapp_session", :secret => "some secret phrase" } in config/environment.rb'
+ raise ArgumentError, %Q{A secret is required to generate an integrity hash for cookie session data. Use config.action_controller.session = { :session_key => "_myapp_session", :secret => "some secret phrase of at least #{SECRET_MIN_LENGTH} characters" } in config/environment.rb}
end
- if secret.length < 30
- raise ArgumentError, "Secret should be something secure, like #{CGI::Session.generate_unique_id}. The value you provided: [#{secret}]"
+ if secret.length < SECRET_MIN_LENGTH
+ raise ArgumentError, %Q{Secret should be something secure, like "#{CGI::Session.generate_unique_id}". The value you provided, "#{secret}", is shorter than the minimum length of #{SECRET_MIN_LENGTH} characters}
end
end