From ec93d61fb9a571aeb714ddc9bd594510485f5b7f Mon Sep 17 00:00:00 2001
From: Michael Koziarski <michael@koziarski.com>
Date: Wed, 21 Nov 2007 21:31:45 +0000
Subject: Make sure that cookie sessions use a secret that is at least 30 chars
 in length. [Koz]

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8184 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
---
 .../lib/action_controller/session/cookie_store.rb    | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

(limited to 'actionpack/lib/action_controller/session/cookie_store.rb')

diff --git a/actionpack/lib/action_controller/session/cookie_store.rb b/actionpack/lib/action_controller/session/cookie_store.rb
index 6de4d88ca0..81092882f7 100644
--- a/actionpack/lib/action_controller/session/cookie_store.rb
+++ b/actionpack/lib/action_controller/session/cookie_store.rb
@@ -53,9 +53,7 @@ class CGI::Session::CookieStore
     end
 
     # The secret option is required.
-    if options['secret'].blank?
-      raise ArgumentError, 'A secret is required to generate an integrity hash for cookie session data. Use config.action_controller.session = { :session_key => "_myapp_session", :secret => "some secret phrase" } in config/environment.rb'
-    end
+    ensure_secret_secure(options['secret'])
 
     # Keep the session and its secret on hand so we can read and write cookies.
     @session, @secret = session, options['secret']
@@ -78,6 +76,22 @@ class CGI::Session::CookieStore
     options['no_cookies'] = true
   end
 
+  # To prevent users from using something insecure like "Password" we make sure that the
+  # secret they've provided is at least 30 characters in length.
+  def ensure_secret_secure(secret)
+    # There's no way we can do this check if they've provided a proc for the
+    # secret.
+    return true if secret.is_a?(Proc)
+
+    if secret.blank?
+      raise ArgumentError, 'A secret is required to generate an integrity hash for cookie session data. Use config.action_controller.session = { :session_key => "_myapp_session", :secret => "some secret phrase" } in config/environment.rb'
+    end
+
+    if secret.length < 30
+      raise ArgumentError, "Secret should be something secure, like #{CGI::Session.generate_unique_id}.  The value you provided: [#{secret}]"
+    end
+  end
+
   # Restore session data from the cookie.
   def restore
     @original = read_cookie
-- 
cgit v1.2.3