From c79c40ed82186fc5000cf5beea697b286422bcdb Mon Sep 17 00:00:00 2001
From: Jon Moss
Date: Mon, 19 Dec 2016 21:24:12 -0500
Subject: Limit length of secret being passed
Very similar to PR #25758, see more in depth reasoning there.
---
 railties/test/application/middleware/session_test.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'railties/test/application/middleware')
diff --git a/railties/test/application/middleware/session_test.rb b/railties/test/application/middleware/session_test.rb
index 0e4acfdcec..959a629ede 100644
--- a/railties/test/application/middleware/session_test.rb
+++ b/railties/test/application/middleware/session_test.rb
@@ -173,7 +173,7 @@ module ApplicationTests
 secret = app.key_generator.generate_key("encrypted cookie")
 sign_secret = app.key_generator.generate_key("signed encrypted cookie")
- encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret)
+ encryptor = ActiveSupport::MessageEncryptor.new(secret[0, ActiveSupport::MessageEncryptor.key_len], sign_secret)
 get "/foo/read_raw_cookie"
 assert_equal 1, encryptor.decrypt_and_verify(last_response.body)["foo"]
@@ -222,7 +222,7 @@ module ApplicationTests
 secret = app.key_generator.generate_key("encrypted cookie")
 sign_secret = app.key_generator.generate_key("signed encrypted cookie")
- encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret)
+ encryptor = ActiveSupport::MessageEncryptor.new(secret[0, ActiveSupport::MessageEncryptor.key_len], sign_secret)
 get "/foo/read_raw_cookie"
 assert_equal 1, encryptor.decrypt_and_verify(last_response.body)["foo"]
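Review bot: The same three-line setup (derive `secret`, derive `sign_secret`, build the encryptor) is edited identically in the hunks at -173, -222 and -281, so the key-length rule now lives in three copies that can drift apart. A private helper in the test class that returns the encryptor, with each test reduced to `encryptor = cookie_encryptor` (the name is only a suggestion), would keep the slice `secret[0, ActiveSupport::MessageEncryptor.key_len]` in one place. Also, `key_len` is called without reference to the cipher the cookie middleware actually uses; it is presumably the default cipher in both places, but the middleware code is not visible here, so that is worth confirming. The enclosing test methods start and end outside these hunks.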
@@ -281,7 +281,7 @@ module ApplicationTests
 secret = app.key_generator.generate_key("encrypted cookie")
 sign_secret = app.key_generator.generate_key("signed encrypted cookie")
- encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret)
+ encryptor = ActiveSupport::MessageEncryptor.new(secret[0, ActiveSupport::MessageEncryptor.key_len], sign_secret)
 get "/foo/read_raw_cookie"
 assert_equal 2, encryptor.decrypt_and_verify(last_response.body)["foo"]
-- cgit v1.2.3
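Review bot: Nothing at the call site in the hunk at -281 (or the matching lines at -173 and -222) explains why `secret` is sliced while `sign_secret` is passed at full length, and the commit message only points to PR #25758. A one-line comment above the constructor would record the reason, for example `# Cipher key must be exactly key_len bytes; the signing key feeds the HMAC and may be longer.` That reading is inferred from the argument order, so confirm it against MessageEncryptor before settling the wording. The test method continues outside the hunk.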