From 0d455673620a1646b1149e1e4a185143d46bb7b8 Mon Sep 17 00:00:00 2001
From: Santiago Pastorino
Date: Wed, 6 Apr 2011 19:12:32 -0300
Subject: Add tests to verify that signed and permanent cookies raises if someone tries to modify the cookies when it was already streamed back to the client or converted to HTTP headers

---
 actionpack/test/dispatch/cookies_test.rb | 51 ++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)

(limited to 'actionpack/test/dispatch')

diff --git a/actionpack/test/dispatch/cookies_test.rb b/actionpack/test/dispatch/cookies_test.rb
index 0d374e1d8b..2a32614ca1 100644
--- a/actionpack/test/dispatch/cookies_test.rb
+++ b/actionpack/test/dispatch/cookies_test.rb
@@ -497,6 +497,9 @@ class CookiesTest < ActionController::TestCase
 end
 
 class CookiesIntegrationTest < ActionDispatch::IntegrationTest
+  SessionKey = '_myapp_session'
+  SessionSecret = 'b3c631c314c0bbca50c1b2843150fe33'
+
   class TestController < ActionController::Base
     def dont_set_cookies
       head :ok
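Review bot: `SessionKey = '_myapp_session'` is defined here but no line added by this patch reads it; only `SessionSecret` is consumed by the `get` override in the second hunk. If nothing else in CookiesIntegrationTest (whose body continues outside this hunk) uses it, the constant is dead and should be dropped, otherwise a one-line comment saying which test or helper depends on it would help the next reader. A comment on `SessionSecret` along the lines of `# Fixed secret so signed cookies can be generated in the integration tests; never reuse outside tests` would also make its purpose explicit.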
@@ -529,8 +532,56 @@ class CookiesIntegrationTest < ActionDispatch::IntegrationTest
     end
   end
 
+  def test_setting_permanent_cookies_raises_after_stream_back_to_client
+    with_test_route_set do
+      env = {}
+      get '/set_cookies', nil, env
+      assert_raise(ActionDispatch::ClosedError) {
+        request.cookie_jar.permanent['alert'] = 'alert'
+        cookies['alert'] = 'alert'
+      }
+    end
+  end
+
+  def test_setting_permanent_cookies_raises_after_stream_back_to_client_even_with_an_empty_flash
+    with_test_route_set do
+      env = {}
+      get '/dont_set_cookies', nil, {}
+      assert_raise(ActionDispatch::ClosedError) {
+        request.cookie_jar.permanent['alert'] = 'alert'
+      }
+    end
+  end
+
+  def test_setting_signed_cookies_raises_after_stream_back_to_client
+    with_test_route_set do
+      env = {}
+      get '/set_cookies', nil, env
+      assert_raise(ActionDispatch::ClosedError) {
+        request.cookie_jar.signed['alert'] = 'alert'
+        cookies['alert'] = 'alert'
+      }
+    end
+  end
+
+  def test_setting_signed_cookies_raises_after_stream_back_to_client_even_with_an_empty_flash
+    with_test_route_set do
+      env = {}
+      get '/dont_set_cookies', nil, {}
+      assert_raise(ActionDispatch::ClosedError) {
+        request.cookie_jar.signed['alert'] = 'alert'
+      }
+    end
+  end
+
   private
 
+  # Overwrite get to send SessionSecret in env hash
+  def get(path, parameters = nil, env = {})
+    env["action_dispatch.secret_token"] ||= SessionSecret
+    super
+  end
+
   def with_test_route_set
     with_routing do |set|
       set.draw do
-- 
cgit v1.2.3
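Review bot: In test_setting_signed_cookies_raises_after_stream_back_to_client and its permanent counterpart, the second statement in the assert_raise block (`cookies['alert'] = 'alert'`) is never reached when the preceding signed/permanent write raises as intended, so each test pins only the first write; if the plain jar write after the response is closed is also meant to be covered, give it its own `assert_raise(ActionDispatch::ClosedError) { cookies['alert'] = 'alert' }`. The `env = {}` local in both `_even_with_an_empty_flash` tests is unused because the call passes a literal `{}`, so either pass `env` or drop the local, and that suffix looks carried over from the flash tests rather than describing anything these cookie tests exercise. In the `get` override, `# Overwrite get to send SessionSecret in env hash` would be clearer as `# Override get so every request carries a secret token, which the signed jar needs to raise ClosedError rather than fail on a missing secret`. The helper `with_test_route_set` and the enclosing class continue outside this hunk.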