From ec93d61fb9a571aeb714ddc9bd594510485f5b7f Mon Sep 17 00:00:00 2001 From: Michael Koziarski Date: Wed, 21 Nov 2007 21:31:45 +0000 Subject: Make sure that cookie sessions use a secret that is at least 30 chars in length. [Koz] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8184 5ecf4fe2-1ee6-0310-87b1-e25e094e27de --- .../lib/action_controller/session/cookie_store.rb | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) (limited to 'actionpack/lib') diff --git a/actionpack/lib/action_controller/session/cookie_store.rb b/actionpack/lib/action_controller/session/cookie_store.rb index 6de4d88ca0..81092882f7 100644 --- a/actionpack/lib/action_controller/session/cookie_store.rb +++ b/actionpack/lib/action_controller/session/cookie_store.rb @@ -53,9 +53,7 @@ class CGI::Session::CookieStore end # The secret option is required. - if options['secret'].blank? - raise ArgumentError, 'A secret is required to generate an integrity hash for cookie session data. Use config.action_controller.session = { :session_key => "_myapp_session", :secret => "some secret phrase" } in config/environment.rb' - end + ensure_secret_secure(options['secret']) # Keep the session and its secret on hand so we can read and write cookies. @session, @secret = session, options['secret'] @@ -78,6 +76,22 @@ class CGI::Session::CookieStore options['no_cookies'] = true end + # To prevent users from using something insecure like "Password" we make sure that the + # secret they've provided is at least 30 characters in length. + def ensure_secret_secure(secret) + # There's no way we can do this check if they've provided a proc for the + # secret. + return true if secret.is_a?(Proc) + + if secret.blank? + raise ArgumentError, 'A secret is required to generate an integrity hash for cookie session data. Use config.action_controller.session = { :session_key => "_myapp_session", :secret => "some secret phrase" } in config/environment.rb' + end + + if secret.length < 30 + raise ArgumentError, "Secret should be something secure, like #{CGI::Session.generate_unique_id}. The value you provided: [#{secret}]" + end + end + # Restore session data from the cookie. def restore @original = read_cookie -- cgit v1.2.3