From e67f001e7c1b3d24750e9dd81006d2ad84bbf50e Mon Sep 17 00:00:00 2001 From: Agis- Date: Fri, 11 Jul 2014 13:24:49 +0300 Subject: Use `#bytesize` instead of `#size` when checking for cookie overflow Although the cookie values happens to be ASCII strings because they are Base64 encoded, it is semantically incorrect to check for the number of the characters in the cookie, when we actually want to check for the number of the bytes it consists of. Furthermore it is unecessary coupling with the current implementation that uses Base64 for encoding the values. --- actionpack/lib/action_dispatch/middleware/cookies.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'actionpack/lib/action_dispatch/middleware/cookies.rb') diff --git a/actionpack/lib/action_dispatch/middleware/cookies.rb b/actionpack/lib/action_dispatch/middleware/cookies.rb index e069840b8e..ac9e5effe2 100644 --- a/actionpack/lib/action_dispatch/middleware/cookies.rb +++ b/actionpack/lib/action_dispatch/middleware/cookies.rb @@ -468,7 +468,7 @@ module ActionDispatch options = { :value => @verifier.generate(serialize(name, options)) } end - raise CookieOverflow if options[:value].size > MAX_COOKIE_SIZE + raise CookieOverflow if options[:value].bytesize > MAX_COOKIE_SIZE @parent_jar[name] = options end @@ -526,7 +526,7 @@ module ActionDispatch options[:value] = @encryptor.encrypt_and_sign(serialize(name, options[:value])) - raise CookieOverflow if options[:value].size > MAX_COOKIE_SIZE + raise CookieOverflow if options[:value].bytesize > MAX_COOKIE_SIZE @parent_jar[name] = options end -- cgit v1.2.3 From cfbedd3479d5021b9fb862ecfa49fc6bc8602994 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C5=81ukasz=20Strza=C5=82kowski?= Date: Fri, 8 Aug 2014 21:18:30 +0200 Subject: Add config option for cookies digest You can now configure custom digest for cookies in the same way as `serializer`: config.action_dispatch.cookies_digest = \SHA256' --- actionpack/lib/action_dispatch/middleware/cookies.rb | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) (limited to 'actionpack/lib/action_dispatch/middleware/cookies.rb') diff --git a/actionpack/lib/action_dispatch/middleware/cookies.rb b/actionpack/lib/action_dispatch/middleware/cookies.rb index ac9e5effe2..55bb9de173 100644 --- a/actionpack/lib/action_dispatch/middleware/cookies.rb +++ b/actionpack/lib/action_dispatch/middleware/cookies.rb @@ -90,6 +90,7 @@ module ActionDispatch SECRET_TOKEN = "action_dispatch.secret_token".freeze SECRET_KEY_BASE = "action_dispatch.secret_key_base".freeze COOKIES_SERIALIZER = "action_dispatch.cookies_serializer".freeze + COOKIES_DIGEST = "action_dispatch.cookies_digest".freeze # Cookies can typically store 4096 bytes. MAX_COOKIE_SIZE = 4096 @@ -212,7 +213,8 @@ module ActionDispatch secret_token: env[SECRET_TOKEN], secret_key_base: env[SECRET_KEY_BASE], upgrade_legacy_signed_cookies: env[SECRET_TOKEN].present? && env[SECRET_KEY_BASE].present?, - serializer: env[COOKIES_SERIALIZER] + serializer: env[COOKIES_SERIALIZER], + digest: env[COOKIES_DIGEST] } end @@ -441,6 +443,10 @@ module ActionDispatch serializer end end + + def digest + @options[:digest] || 'SHA1' + end end class SignedCookieJar #:nodoc: @@ -451,7 +457,7 @@ module ActionDispatch @parent_jar = parent_jar @options = options secret = key_generator.generate_key(@options[:signed_cookie_salt]) - @verifier = ActiveSupport::MessageVerifier.new(secret, serializer: NullSerializer) + @verifier = ActiveSupport::MessageVerifier.new(secret, digest: digest, serializer: NullSerializer) end def [](name) -- cgit v1.2.3 From d70ba48c4dd6b57d8f38612ea95a3842337c1419 Mon Sep 17 00:00:00 2001 From: Santiago Pastorino Date: Fri, 8 Aug 2014 18:20:17 -0300 Subject: Revert "Merge pull request #16434 from strzalek/cookies-digest-config-option" This reverts commit 705977620539e2be6548027042f33175ebdc2505, reversing changes made to dde91e9bf5ab246f0f684b40288b272f4ba9a699. IT BROKE THE BUILD!!! --- actionpack/lib/action_dispatch/middleware/cookies.rb | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) (limited to 'actionpack/lib/action_dispatch/middleware/cookies.rb') diff --git a/actionpack/lib/action_dispatch/middleware/cookies.rb b/actionpack/lib/action_dispatch/middleware/cookies.rb index 55bb9de173..ac9e5effe2 100644 --- a/actionpack/lib/action_dispatch/middleware/cookies.rb +++ b/actionpack/lib/action_dispatch/middleware/cookies.rb @@ -90,7 +90,6 @@ module ActionDispatch SECRET_TOKEN = "action_dispatch.secret_token".freeze SECRET_KEY_BASE = "action_dispatch.secret_key_base".freeze COOKIES_SERIALIZER = "action_dispatch.cookies_serializer".freeze - COOKIES_DIGEST = "action_dispatch.cookies_digest".freeze # Cookies can typically store 4096 bytes. MAX_COOKIE_SIZE = 4096 @@ -213,8 +212,7 @@ module ActionDispatch secret_token: env[SECRET_TOKEN], secret_key_base: env[SECRET_KEY_BASE], upgrade_legacy_signed_cookies: env[SECRET_TOKEN].present? && env[SECRET_KEY_BASE].present?, - serializer: env[COOKIES_SERIALIZER], - digest: env[COOKIES_DIGEST] + serializer: env[COOKIES_SERIALIZER] } end @@ -443,10 +441,6 @@ module ActionDispatch serializer end end - - def digest - @options[:digest] || 'SHA1' - end end class SignedCookieJar #:nodoc: @@ -457,7 +451,7 @@ module ActionDispatch @parent_jar = parent_jar @options = options secret = key_generator.generate_key(@options[:signed_cookie_salt]) - @verifier = ActiveSupport::MessageVerifier.new(secret, digest: digest, serializer: NullSerializer) + @verifier = ActiveSupport::MessageVerifier.new(secret, serializer: NullSerializer) end def [](name) -- cgit v1.2.3