From e3959970e1f669c6ecf79d645b5e4f9d7ed2a4ec Mon Sep 17 00:00:00 2001 From: Jeremy Kemper Date: Sun, 4 Apr 2010 10:16:27 -0700 Subject: Fix signed cookies by explicitly passing config to the cookie jar --- actionpack/lib/action_controller/metal/cookies.rb | 5 +-- .../lib/action_dispatch/middleware/cookies.rb | 42 ++++++++++------------ 2 files changed, 22 insertions(+), 25 deletions(-) (limited to 'actionpack') diff --git a/actionpack/lib/action_controller/metal/cookies.rb b/actionpack/lib/action_controller/metal/cookies.rb index 75e5d40a63..4aaa705203 100644 --- a/actionpack/lib/action_controller/metal/cookies.rb +++ b/actionpack/lib/action_controller/metal/cookies.rb @@ -7,10 +7,11 @@ module ActionController #:nodoc: included do helper_method :cookies end - + private def cookies - request.cookie_jar + raise "You must set config.cookie_secret in your app's config" if config.secret.blank? + request.cookie_jar(:signing_secret => config.secret) end end end diff --git a/actionpack/lib/action_dispatch/middleware/cookies.rb b/actionpack/lib/action_dispatch/middleware/cookies.rb index cb0d12cab1..71dcac9e94 100644 --- a/actionpack/lib/action_dispatch/middleware/cookies.rb +++ b/actionpack/lib/action_dispatch/middleware/cookies.rb @@ -1,7 +1,7 @@ module ActionDispatch class Request - def cookie_jar - env['action_dispatch.cookies'] ||= Cookies::CookieJar.build(self) + def cookie_jar(config = {}) + env['action_dispatch.cookies'] ||= Cookies::CookieJar.build(self, config) end end @@ -51,17 +51,18 @@ module ActionDispatch # only HTTP. Defaults to +false+. class Cookies class CookieJar < Hash #:nodoc: - def self.build(request) - new.tap do |hash| + def self.build(request, config = {}) + new(config).tap do |hash| hash.update(request.cookies) end end - def initialize + def initialize(config = {}) + @config = config @set_cookies = {} @delete_cookies = {} - super + super() end # Returns the value of the cookie by +name+, or +nil+ if no such cookie exists. @@ -111,7 +112,7 @@ module ActionDispatch # cookies.permanent.signed[:remember_me] = current_user.id # # => Set-Cookie: discount=BAhU--848956038e692d7046deab32b7131856ab20e14e; path=/; expires=Sun, 16-Dec-2029 03:24:16 GMT def permanent - @permanent ||= PermanentCookieJar.new(self) + @permanent ||= PermanentCookieJar.new(self, @config) end # Returns a jar that'll automatically generate a signed representation of cookie value and verify it when reading from @@ -119,7 +120,7 @@ module ActionDispatch # cookie was tampered with by the user (or a 3rd party), an ActiveSupport::MessageVerifier::InvalidSignature exception will # be raised. # - # This jar requires that you set a suitable secret for the verification on ActionController::Base.cookie_verifier_secret. + # This jar requires that you set a suitable secret for the verification on your app's config.cookie_secret. # # Example: # @@ -128,7 +129,7 @@ module ActionDispatch # # cookies.signed[:discount] # => 45 def signed - @signed ||= SignedCookieJar.new(self) + @signed ||= SignedCookieJar.new(self, @config) end def write(response) @@ -138,8 +139,9 @@ module ActionDispatch end class PermanentCookieJar < CookieJar #:nodoc: - def initialize(parent_jar) + def initialize(parent_jar, config = {}) @parent_jar = parent_jar + @config = config end def []=(key, options) @@ -154,11 +156,7 @@ module ActionDispatch end def signed - @signed ||= SignedCookieJar.new(self) - end - - def controller - @parent_jar.controller + @signed ||= SignedCookieJar.new(self, @config) end def method_missing(method, *arguments, &block) @@ -167,18 +165,16 @@ module ActionDispatch end class SignedCookieJar < CookieJar #:nodoc: - def initialize(parent_jar) - unless ActionController::Base.config.secret - raise "You must set ActionController::Base.config.secret" - end - + def initialize(parent_jar, config = {}) + raise 'Missing cookie signing secret' if config[:signing_secret].blank? @parent_jar = parent_jar - @verifier = ActiveSupport::MessageVerifier.new(ActionController::Base.config.secret) + @config = config + @verifier = ActiveSupport::MessageVerifier.new(config[:signing_secret]) end def [](name) - if value = @parent_jar[name] - @verifier.verify(value) + if signed_message = @parent_jar[name] + @verifier.verify(signed_message) end end -- cgit v1.2.3