authorSantiago Pastorino <santiago@wyeworks.com>2013-02-08 12:27:11 -0800
committerSantiago Pastorino <santiago@wyeworks.com>2013-02-08 12:27:11 -0800
commit86bfdbb509f005f7ac1198524fe3ce4036443e4c (patch)
treeec7c94db55a2f1962b44ed97d2180733c476042d /actionpack
parent10d301e6ef8d98be39e0d2f6e9f6cfbfac576e4d (diff)
parent4127332a5f516188df7b35f3f8886723b8c4859d (diff)
Merge pull request #9196 from AndreyChernyh/fix-cookies-with-null-session
Fix #9168 Initialize NullCookieJar with all options needed for KeyGenerator
Diffstat (limited to 'actionpack')
-rw-r--r--actionpack/CHANGELOG.md5
-rw-r--r--actionpack/lib/action_controller/metal/request_forgery_protection.rb2
-rw-r--r--actionpack/lib/action_dispatch/middleware/cookies.rb12
-rw-r--r--actionpack/test/controller/request_forgery_protection_test.rb35
4 files changed, 49 insertions, 5 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index d6a2687037..c11adebb1e 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -13,6 +13,11 @@
*Yves Senn*
+* Fix error (#9168) which was produced by setting signed/encrypted
+ cookie when :null_session forgery protection method was used.
+
+ *Andrey Chernih*
+
* `assert_template` can be used to verify the locals of partials,
which live inside a directory.
Fixes #8516.
diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
index 77b173979e..17379cf7ac 100644
--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -126,7 +126,7 @@ module ActionController #:nodoc:
host = request.host
secure = request.ssl?
- new(key_generator, host, secure)
+ new(key_generator, host, secure, options_for_env({}))
end
def write(*)
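Review bot: The `options_for_env({})` call on the new line deliberately hands the null jar empty salts and a nil token key, which only works because `options_for_env` substitutes `''` for each missing salt; nothing in the hunk says why the real `request.env` values are not used, and a reader will wonder whether that is an oversight. A why-comment above the call would settle it, e.g. `# An empty env is enough here: the null jar only needs a KeyGenerator to build its signed/encrypted sub-jars; write is discarded, so the derived keys are never used to emit a cookie.` — hedged, since only the `def write(*)` signature is visible and its body is outside the hunk. The enclosing `build` method starts before the hunk.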
diff --git a/actionpack/lib/action_dispatch/middleware/cookies.rb b/actionpack/lib/action_dispatch/middleware/cookies.rb
index 0f02d230d4..2ee2838920 100644
--- a/actionpack/lib/action_dispatch/middleware/cookies.rb
+++ b/actionpack/lib/action_dispatch/middleware/cookies.rb
@@ -110,13 +110,17 @@ module ActionDispatch
# $& => example.local
DOMAIN_REGEXP = /[^.]*\.([^.]*|..\...|...\...)$/
+ def self.options_for_env(env) #:nodoc:
+ { signed_cookie_salt: env[SIGNED_COOKIE_SALT] || '',
+ encrypted_cookie_salt: env[ENCRYPTED_COOKIE_SALT] || '',
+ encrypted_signed_cookie_salt: env[ENCRYPTED_SIGNED_COOKIE_SALT] || '',
+ token_key: env[TOKEN_KEY] }
+ end
+
def self.build(request)
env = request.env
key_generator = env[GENERATOR_KEY]
- options = { signed_cookie_salt: env[SIGNED_COOKIE_SALT],
- encrypted_cookie_salt: env[ENCRYPTED_COOKIE_SALT],
- encrypted_signed_cookie_salt: env[ENCRYPTED_SIGNED_COOKIE_SALT],
- token_key: env[TOKEN_KEY] }
+ options = options_for_env env
host = request.host
secure = request.ssl?
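Review bot: The `|| ''` fallbacks in `options_for_env` are applied to the regular jar as well, because `build` now calls `options_for_env env`; an application whose env lacks `SIGNED_COOKIE_SALT`, `ENCRYPTED_COOKIE_SALT` or `ENCRYPTED_SIGNED_COOKIE_SALT` no longer gets a nil that fails loudly but silently derives keys from the secret with an empty salt, and since all three salts then collapse to the same `''`, the signed, encrypted and encrypted-signed keys come out identical for the same secret. If the default is meant only for the null-session path, consider keeping `options_for_env` free of defaults and letting the null jar supply its own hash, or at least documenting the trade-off on the method: `# Missing salts default to '' so a bare env (e.g. the null-session jar) can still build a KeyGenerator; real apps are expected to set all three, otherwise the derived keys coincide.` The `#:nodoc:` marker means this comment would be for maintainers only, which is the right audience.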
diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb
index 7571192f97..c272e785c2 100644
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -66,6 +66,19 @@ class RequestForgeryProtectionControllerUsingException < ActionController::Base
protect_from_forgery :only => %w(index meta), :with => :exception
end
+class RequestForgeryProtectionControllerUsingNullSession < ActionController::Base
+ protect_from_forgery :with => :null_session
+
+ def signed
+ cookies.signed[:foo] = 'bar'
+ render :nothing => true
+ end
+
+ def encrypted
+ cookies.encrypted[:foo] = 'bar'
+ render :nothing => true
+ end
+end
class FreeCookieController < RequestForgeryProtectionControllerUsingResetSession
self.allow_forgery_protection = false
@@ -287,6 +300,28 @@ class RequestForgeryProtectionControllerUsingResetSessionTest < ActionController
end
end
+class NullSessionDummyKeyGenerator
+ def generate_key(secret)
+ '03312270731a2ed0d11ed091c2338a06'
+ end
+end
+
+class RequestForgeryProtectionControllerUsingNullSessionTest < ActionController::TestCase
+ def setup
+ @request.env[ActionDispatch::Cookies::GENERATOR_KEY] = NullSessionDummyKeyGenerator.new
+ end
+
+ test 'should allow to set signed cookies' do
+ post :signed
+ assert_response :ok
+ end
+
+ test 'should allow to set encrypted cookies' do
+ post :encrypted
+ assert_response :ok
+ end
+end
+
class RequestForgeryProtectionControllerUsingExceptionTest < ActionController::TestCase
include RequestForgeryProtectionTests
def assert_blocked
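Review bot: Both new tests only assert `assert_response :ok`, so they pin that the request no longer raises but say nothing about what the null-session jar did with the cookie; if the intent of `:null_session` is that the write is dropped, a regression that starts emitting a signed or encrypted cookie would still pass. Adding `assert_empty @response.cookies` (or an equivalent check that `foo` was not set) after each `assert_response :ok` would capture that, assuming the jar's write is indeed a no-op, which the test file cannot show on its own. `NullSessionDummyKeyGenerator#generate_key` ignores its `secret` argument; naming it `_secret` would make that intentional.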