From 69ab91ae9396f0101afd13871f179a7f779d3178 Mon Sep 17 00:00:00 2001 From: Lukasz Sarnacki Date: Thu, 23 Jan 2014 16:31:52 +0100 Subject: Log which keys were set to nil in deep_munge deep_munge solves CVE-2013-0155 security vulnerability, but its behaviour is definitely confusing. This commit adds logging to deep_munge. It logs keys for which values were set to nil. Also mentions in guides were added. --- guides/source/action_controller_overview.md | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'guides/source/action_controller_overview.md') diff --git a/guides/source/action_controller_overview.md b/guides/source/action_controller_overview.md index f394daa6aa..c55637eb0a 100644 --- a/guides/source/action_controller_overview.md +++ b/guides/source/action_controller_overview.md @@ -112,6 +112,10 @@ NOTE: The actual URL in this example will be encoded as "/clients?ids%5b%5d=1&id The value of `params[:ids]` will now be `["1", "2", "3"]`. Note that parameter values are always strings; Rails makes no attempt to guess or cast the type. +NOTE: Values such as `[]`, `[nil]` or `[nil, nil, ...]` in `params` are replaced +with `nil` for security reasons by default. See [Security Guide](security.html#unsafe-query-generation) +for more information. + To send a hash you include the key name inside the brackets: ```html -- cgit v1.2.3 From b23ffd0dac895aa3fd3afd8d9be36794941731b2 Mon Sep 17 00:00:00 2001 
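Review bot: the NOTE added in the `@@ -112,6 +112,10 @@` hunk says the values are replaced "for security reasons" but never names the issue, although the commit message cites CVE-2013-0155; mention the advisory in the note (for example "replaced with `nil` by default to mitigate CVE-2013-0155, see ...") so a reader can find the rationale without guessing. Also confirm that the anchor `security.html#unsafe-query-generation` exists in the Security Guide, because a broken intra-guide link leaves the only explanation of this behaviour unreachable. Placing the note directly after "parameter values are always strings" is slightly confusing, since the very next sentence talks about `nil`; a clause such as "JSON and XML request bodies can carry `nil` and empty arrays, which are ..." would make the transition explicit.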
From: Lukasz Sarnacki Date: Fri, 10 Jan 2014 12:57:50 +0100 Subject: Allow session serializer key in config.session_store MessageEncryptor has :serializer option, where any serializer object can be passed. This commit makes it possible to set this serializer from configuration level. There are predefined serializers (:marshal_serializer, :json_serializer) and custom serializer can be passed as String, Symbol (camelized and constantized in ActionDispatch::Session namespace) or serializer object. Default :json_serializer was also added to generators to provide secure default. --- guides/source/action_controller_overview.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) (limited to 'guides/source/action_controller_overview.md') diff --git a/guides/source/action_controller_overview.md b/guides/source/action_controller_overview.md index c55637eb0a..0234120b45 100644 --- a/guides/source/action_controller_overview.md +++ b/guides/source/action_controller_overview.md 
@@ -381,6 +381,28 @@ You can also pass a `:domain` key and specify the domain name for the cookie: YourApp::Application.config.session_store :cookie_store, key: '_your_app_session', domain: ".example.com" ``` +You can pass `:serializer` key to specify serializer for serializing session: + +```ruby +YourApp::Application.config.session_store :cookie_store, key: '_your_app_session', serializer: :json_serializer +``` + +Default serializer is `:marshal_serializer`. When Symbol or String is passed it +will look for appropriate class in `ActionDispatch::Session` namespace, so +passing `:my_custom_serializer` would load +`ActionDispatch::Session::MyCustomSerializer`. + +```ruby +YourApp::Application.config.session_store :cookie_store, key: '_your_app_session', serializer: :my_custom_serializer +``` + +It is also possible to pass serializer object with defined `load` and `dump` +public methods: + +```ruby +YourApp::Application.config.session_store :cookie_store, key: '_your_app_session', serializer: MyCustomSerializer +``` + Rails sets up (for the CookieStore) a secret key used for signing the session data. This can be changed in `config/initializers/secret_token.rb` ```ruby -- cgit v1.2.3 From 42566626e9f9ab8d56194a32fd7e674a20c34fb6 Mon Sep 17 00:00:00 2001 From: Kassio Borges Date: Wed, 29 Jan 2014 18:07:52 -0200 Subject: Fix documentation of new controller filters api [ci skip] The api for filters with classes changed and the guides weren't updated. Now the class must respond to methods with the same name as the filter, so the `before_action` calls a `before` method, and so on. The method `#filter` has been deprecated in 4.0.0 and has been removed in 4.1.0: #7560 --- guides/source/action_controller_overview.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'guides/source/action_controller_overview.md') diff --git a/guides/source/action_controller_overview.md b/guides/source/action_controller_overview.md index 0234120b45..6c82375ea1 100644 
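Review bot: the new paragraphs in the `@@ -381,6 +381,28 @@` hunk document `:marshal_serializer` as the default without saying why anyone would pick `:json_serializer`, yet the commit message states that the JSON default was added to the generators "to provide secure default"; the guide should say that newly generated applications are configured with `:json_serializer`, that `:marshal_serializer` is kept for compatibility with existing sessions, and that sessions written with one serializer are not readable with the other, so switching is a deliberate migration step. Wording: "You can pass `:serializer` key to specify serializer for serializing session" reads better as "You can pass the `:serializer` key to choose the serializer used for the session", and "pass serializer object with defined `load` and `dump` public methods" as "pass a serializer object that defines public `load` and `dump` methods". The three code samples repeat the full `session_store` call with only the serializer argument changing; showing the first in full and the others as just the option would keep the section short.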
--- a/guides/source/action_controller_overview.md +++ b/guides/source/action_controller_overview.md @@ -709,7 +709,7 @@ class ApplicationController < ActionController::Base end class LoginFilter - def self.filter(controller) + def self.before(controller) unless controller.send(:logged_in?) controller.flash[:error] = "You must be logged in to access this section" controller.redirect_to controller.new_login_url @@ -718,7 +718,7 @@ class LoginFilter end ``` -Again, this is not an ideal example for this filter, because it's not run in the scope of the controller but gets the controller passed as an argument. The filter class has a class method `filter` which gets run before or after the action, depending on if it's a before or after filter. Classes used as around filters can also use the same `filter` method, which will get run in the same way. The method must `yield` to execute the action. Alternatively, it can have both a `before` and an `after` method that are run before and after the action. +Again, this is not an ideal example for this filter, because it's not run in the scope of the controller but gets the controller passed as an argument. The filter class must implement a method with the same name as the filter, so for the `before_action` filter the class must implement a `before` method, and so on. The `around` method must `yield` to execute the action. Request Forgery Protection -------------------------- -- cgit v1.2.3 From fd487860db3097104cdb8d589f3931d75b767721 Mon Sep 17 00:00:00 2001 From: Guillermo Iguaran Date: Thu, 30 Jan 2014 01:12:23 -0500 Subject: Modify the session serializer implementation Rename allowed options to :marshal and :json, for custom serializers only allow the use of custom classes. --- guides/source/action_controller_overview.md | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) (limited to 'guides/source/action_controller_overview.md') 
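Review bot: in the `@@ -709,7 +709,7 @@` hunk only the method name changes, and the surrounding example still reaches a private helper through `controller.send(:logged_in?)`; since the following paragraph already calls this "not an ideal example", a short code comment saying that `send` is used because `logged_in?` is private would stop readers from copying the pattern as if it were idiomatic. The commit message also notes that `#filter` was removed in 4.1.0, so the rest of this guide should be checked for remaining `filter` references (the around-filter discussion in particular) to avoid documenting two APIs in one file.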
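Review bot: the rewritten paragraph in the `@@ -718,7 +718,7 @@` hunk says the class must implement "a method with the same name as the filter ... and so on", which leaves the `after_action`/`after` and `around_action`/`around` pairs implicit while the only code sample shows `before`; list all three mappings explicitly. The sentence "The `around` method must `yield` to execute the action" would be more useful with the failure mode spelled out: an `around` method that returns without yielding silently skips the action, which is the most common way a filter class of this shape goes wrong.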
diff --git a/guides/source/action_controller_overview.md b/guides/source/action_controller_overview.md index 6c82375ea1..9eaf03dd82 100644 --- a/guides/source/action_controller_overview.md +++ b/guides/source/action_controller_overview.md @@ -384,20 +384,14 @@ YourApp::Application.config.session_store :cookie_store, key: '_your_app_session You can pass `:serializer` key to specify serializer for serializing session: ```ruby -YourApp::Application.config.session_store :cookie_store, key: '_your_app_session', serializer: :json_serializer +YourApp::Application.config.session_store :cookie_store, key: '_your_app_session', serializer: :json ``` -Default serializer is `:marshal_serializer`. When Symbol or String is passed it -will look for appropriate class in `ActionDispatch::Session` namespace, so -passing `:my_custom_serializer` would load -`ActionDispatch::Session::MyCustomSerializer`. +The default serializer for new application is `:json`. For compatibility with +old applications `:marshal` is used when `serializer` option is not specified. -```ruby -YourApp::Application.config.session_store :cookie_store, key: '_your_app_session', serializer: :my_custom_serializer -``` - -It is also possible to pass serializer object with defined `load` and `dump` -public methods: +It is also possible to pass a custom serializer class with `load` and `dump` +public methods defined: ```ruby YourApp::Application.config.session_store :cookie_store, key: '_your_app_session', serializer: MyCustomSerializer -- cgit v1.2.3 From b927d67decb9d4e5103b5991b7e26a4dab4eca92 Mon Sep 17 00:00:00 2001 From: Godfrey Chan Date: Tue, 4 Feb 2014 09:31:48 -0800 Subject: Renamed session_serializer option to cookies_serializer --- guides/source/action_controller_overview.md | 43 ++++++++++++++++++----------- 1 file changed, 27 insertions(+), 16 deletions(-) (limited to 'guides/source/action_controller_overview.md') 
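Review bot: in the `@@ -384,20 +384,14 @@` hunk the added sentence "The default serializer for new application is `:json`" should read "new applications", and "when `serializer` option is not specified" needs "the". More substantively, the paragraph now names two defaults (`:json` for new applications, `:marshal` when the option is absent) without saying how a new application gets `:json`; state that the generated configuration sets `serializer: :json` explicitly, and say what an existing application must consider before switching (its current Marshal-serialized sessions), otherwise readers cannot tell which default applies to them. The custom-serializer paragraph matches the commit message's "only allow the use of custom classes", but a one-line example of such a class with `load` and `dump` would make the contract concrete.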
diff --git a/guides/source/action_controller_overview.md b/guides/source/action_controller_overview.md index 9eaf03dd82..b142279991 100644 --- a/guides/source/action_controller_overview.md +++ b/guides/source/action_controller_overview.md @@ -381,22 +381,6 @@ You can also pass a `:domain` key and specify the domain name for the cookie: YourApp::Application.config.session_store :cookie_store, key: '_your_app_session', domain: ".example.com" ``` -You can pass `:serializer` key to specify serializer for serializing session: - -```ruby -YourApp::Application.config.session_store :cookie_store, key: '_your_app_session', serializer: :json -``` - -The default serializer for new application is `:json`. For compatibility with -old applications `:marshal` is used when `serializer` option is not specified. - -It is also possible to pass a custom serializer class with `load` and `dump` -public methods defined: - -```ruby -YourApp::Application.config.session_store :cookie_store, key: '_your_app_session', serializer: MyCustomSerializer -``` - Rails sets up (for the CookieStore) a secret key used for signing the session data. This can be changed in `config/initializers/secret_token.rb` ```ruby 
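Review bot: the `@@ -381,22 +381,6 @@` hunk deletes the whole serializer subsection from the session section, but according to the commit subject the option was renamed to `cookies_serializer` rather than removed, and the session cookie is still affected by it; leave a one-line pointer in place of the removed text (for example "The serializer used for the session cookie is configured with `cookies_serializer`, see the Cookies section below") so readers looking under session configuration are not left with only the `:domain` example.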
@@ -588,6 +572,33 @@ end Note that while for session values you set the key to `nil`, to delete a cookie value you should use `cookies.delete(:key)`. +Rails also provides a signed cookie jar and an encrypted cookie jar for storing +sensitive data. The signed cookie jar appends a cryptographic signature on the +cookie values to protect their integrity. The encrypted cookie jar encrypts the +values in addition to signing them, so that they cannot be read by the end user. +Refer to the [API documentation](http://api.rubyonrails.org/classes/ActionDispatch/Cookies.html) +for more details. + +These special cookie jars use a serializer to serialize the assigned values into +strings and deserializes them into Ruby objects on read. + +You can specify what serializer to use: + +```ruby +YourApp::Application.config.cookies_serializer :json +``` + +The possible options are `:marshal` or `:json`. The default serializer for new +applications is `:json`. For compatibility with old applications with existing +cookies, `:marshal` is used when `serializer` option is not specified. + +It is also possible to pass a custom serializer class or object that responds +to `load` and `dump`: + +```ruby +YourApp::Application.config.cookies_serializer MyCustomSerializer +``` + Rendering XML and JSON data --------------------------- -- cgit v1.2.3 From 0b86a6e950ed78822470793deddbec41c6d105f5 Mon Sep 17 00:00:00 2001 From: Godfrey Chan Date: Tue, 11 Feb 2014 02:13:09 -0800 Subject: Updated CHANGELOG, docs, guides and release notes. Also added a `cookies_serializer.rb` initializer to the app template. --- guides/source/action_controller_overview.md | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) (limited to 'guides/source/action_controller_overview.md') diff --git a/guides/source/action_controller_overview.md b/guides/source/action_controller_overview.md index b142279991..222d86afe9 100644 --- a/guides/source/action_controller_overview.md 
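Review bot: in the `@@ -588,6 +572,33 @@` hunk the defaults paragraph says "`:marshal` is used when `serializer` option is not specified", but the option documented just above is `cookies_serializer`; use the same name in both places. The sample `YourApp::Application.config.cookies_serializer :json` uses method-call form where Rails configuration options are normally assigned; confirm that the setting really is a method taking an argument, otherwise show it as an assignment. Grammar: "use a serializer to serialize the assigned values into strings and deserializes them" should be "and deserialize them". The paragraph on the two cookie jars is clear; it would help to add that cookies written with one serializer cannot be read with the other, since that is the reason the text gives for keeping `:marshal` for old applications.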
+++ b/guides/source/action_controller_overview.md @@ -585,18 +585,23 @@ strings and deserializes them into Ruby objects on read. You can specify what serializer to use: ```ruby -YourApp::Application.config.cookies_serializer :json +Rails.application.config.action_dispatch.cookies_serializer = :json ``` -The possible options are `:marshal` or `:json`. The default serializer for new -applications is `:json`. For compatibility with old applications with existing -cookies, `:marshal` is used when `serializer` option is not specified. +The default serializer for new applications is `:json`. For compatibility with +old applications with existing cookies, `:marshal` is used when `serializer` +option is not specified. -It is also possible to pass a custom serializer class or object that responds -to `load` and `dump`: +You may also set this option to `:hybrid`, in which case Rails would transparently +deserialize existing (`Marshal`-serialized) cookies on read and re-write them in +the `JSON` format. This is useful for migrating existing applications to the +`:json` serializer. + +It is also possible to pass a custom serializer that responds to `load` and +`dump`: ```ruby -YourApp::Application.config.cookies_serializer MyCustomSerializer +Rails.application.config.action_dispatch.cookies_serializer = MyCustomSerializer ``` Rendering XML and JSON data -- cgit v1.2.3
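Review bot: in the `@@ -585,18 +585,23 @@` hunk the code samples now use `Rails.application.config.action_dispatch.cookies_serializer = ...`, but the prose still says "`:marshal` is used when `serializer` option is not specified"; rename it to `cookies_serializer` so the text matches the setting it describes. The `:hybrid` paragraph should say that the Marshal fallback stays active for as long as `:hybrid` is configured, so applications should move to `:json` once existing cookies have been re-written or have expired; as written it reads like a permanent setting rather than the migration aid the text says it is. Minor: "Rails would transparently deserialize" reads better as "Rails will transparently deserialize".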