From 7aab8b9a15976aa40149ac8d5ff396f3e0e8fbc6 Mon Sep 17 00:00:00 2001
From: Michael Koziarski
Date: Sat, 24 Nov 2007 22:41:16 +0000
Subject: Improve error messages when providing a secret that is too short. Closes #10238 [Henrik N]

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8200 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
---
 actionpack/lib/action_controller/session/cookie_store.rb | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

(limited to 'actionpack/lib/action_controller/session/cookie_store.rb')

diff --git a/actionpack/lib/action_controller/session/cookie_store.rb b/actionpack/lib/action_controller/session/cookie_store.rb
index 81092882f7..0da092225a 100644
--- a/actionpack/lib/action_controller/session/cookie_store.rb
+++ b/actionpack/lib/action_controller/session/cookie_store.rb
@@ -25,7 +25,7 @@ require 'openssl' # to generate the HMAC message digest
 # CGI::Session instance as an argument. It's important that the
 # secret is not vulnerable to a dictionary attack. Therefore,
 # you should choose a secret consisting of random numbers and
-# letters and preferably more than 30 characters.
+# letters and more than 30 characters.
 #
 # Example: :secret => '449fe2e7daee471bffae2fd8dc02313d'
 # :secret => Proc.new { User.current_user.secret_key }
@@ -38,6 +38,7 @@ require 'openssl' # to generate the HMAC message digest
 class CGI::Session::CookieStore
 # Cookies can typically store 4096 bytes.
 MAX = 4096
+ SECRET_MIN_LENGTH = 30 # characters
 # Raised when storing more than 4K of session data.
 class CookieOverflow < StandardError; end
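Review bot: The rewritten comment `# letters and more than 30 characters.` states a strict bound that the code does not enforce: `SECRET_MIN_LENGTH = 30` together with the `secret.length < SECRET_MIN_LENGTH` check in the later hunk accepts a 30-character secret, and the new blank-secret message itself says "at least 30 characters". Either the comment should read `# letters and at least 30 characters.` or the constant should become 31, so that the documentation, the constant and the check agree on the boundary. It would also help to say in the same comment block that the check is a floor on length, not on entropy, since a 30-character string drawn from a tiny alphabet still passes: `# Length is only a floor; the characters must be random (high entropy), not a passphrase.`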
@@ -84,11 +85,11 @@ class CGI::Session::CookieStore
 return true if secret.is_a?(Proc)
 if secret.blank?
- raise ArgumentError, 'A secret is required to generate an integrity hash for cookie session data. Use config.action_controller.session = { :session_key => "_myapp_session", :secret => "some secret phrase" } in config/environment.rb'
+ raise ArgumentError, %Q{A secret is required to generate an integrity hash for cookie session data. Use config.action_controller.session = { :session_key => "_myapp_session", :secret => "some secret phrase of at least #{SECRET_MIN_LENGTH} characters" } in config/environment.rb}
 end
- if secret.length < 30
- raise ArgumentError, "Secret should be something secure, like #{CGI::Session.generate_unique_id}. The value you provided: [#{secret}]"
+ if secret.length < SECRET_MIN_LENGTH
+ raise ArgumentError, %Q{Secret should be something secure, like "#{CGI::Session.generate_unique_id}". The value you provided, "#{secret}", is shorter than the minimum length of #{SECRET_MIN_LENGTH} characters}
 end
 end
--
cgit v1.2.3
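Review bot: The new message on the second `raise` still interpolates the rejected secret itself via `"#{secret}"`, so the operator's chosen value is written into the exception message and from there into log files, backtrace output and any error-reporting service; a secret that is too short is still a credential that may be reused elsewhere. Report only its length: `raise ArgumentError, %Q{Secret should be something secure, like "#{CGI::Session.generate_unique_id}". The value you provided is #{secret.length} characters long, shorter than the minimum length of #{SECRET_MIN_LENGTH} characters}`. Separately, the context line `return true if secret.is_a?(Proc)` exits before either check runs, so a Proc-supplied secret is presumably never validated for length at all; if that is intentional it deserves a comment on that line, e.g. `# Proc secrets are resolved per request and are not length-checked here.` The enclosing method's `def` line lies outside this hunk.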