2007-05-14 20:08:05 -04:00
|
|
|
require 'action_controller/cgi_ext'
|
2007-02-21 04:17:38 -05:00
|
|
|
require 'action_controller/session/cookie_store'
|
2004-11-23 20:04:44 -05:00
|
|
|
|
|
|
|
module ActionController #:nodoc:
|
|
|
|
class Base
|
2008-01-06 15:53:23 -05:00
|
|
|
# Process a request extracted from a CGI object and return a response. Pass false as <tt>session_options</tt> to disable
|
2004-11-23 20:04:44 -05:00
|
|
|
# sessions (large performance increase if sessions are not needed). The <tt>session_options</tt> are the same as for CGI::Session:
|
|
|
|
#
|
|
|
|
# * <tt>:database_manager</tt> - standard options are CGI::Session::FileStore, CGI::Session::MemoryStore, and CGI::Session::PStore
|
2006-11-06 16:43:21 -05:00
|
|
|
# (default). Additionally, there is CGI::Session::DRbStore and CGI::Session::ActiveRecordStore. Read more about these in
|
2004-11-23 20:04:44 -05:00
|
|
|
# lib/action_controller/session.
|
|
|
|
# * <tt>:session_key</tt> - the parameter name used for the session id. Defaults to '_session_id'.
|
2007-10-02 01:58:16 -04:00
|
|
|
# * <tt>:session_id</tt> - the session id to use. If not provided, then it is retrieved from the +session_key+ cookie, or
|
|
|
|
# automatically generated for a new session.
|
2004-11-23 20:04:44 -05:00
|
|
|
# * <tt>:new_session</tt> - if true, force creation of a new session. If not set, a new session is only created if none currently
|
2006-11-06 16:43:21 -05:00
|
|
|
# exists. If false, a new session is never created, and if none currently exists and the +session_id+ option is not set,
|
2004-11-23 20:04:44 -05:00
|
|
|
# an ArgumentError is raised.
|
2008-05-25 07:29:00 -04:00
|
|
|
# * <tt>:session_expires</tt> - the time the current session expires, as a Time object. If not set, the session will continue
|
2004-11-23 20:04:44 -05:00
|
|
|
# indefinitely.
|
2008-01-06 15:53:23 -05:00
|
|
|
# * <tt>:session_domain</tt> - the hostname domain for which this session is valid. If not set, defaults to the hostname of the
|
2004-11-23 20:04:44 -05:00
|
|
|
# server.
|
|
|
|
# * <tt>:session_secure</tt> - if +true+, this session will only work over HTTPS.
|
|
|
|
# * <tt>:session_path</tt> - the path for which this session applies. Defaults to the directory of the CGI script.
|
2007-10-02 01:58:16 -04:00
|
|
|
# * <tt>:cookie_only</tt> - if +true+ (the default), session IDs will only be accepted from cookies and not from
|
|
|
|
# the query string or POST parameters. This protects against session fixation attacks.
|
2006-11-06 16:43:21 -05:00
|
|
|
def self.process_cgi(cgi = CGI.new, session_options = {})
|
2004-11-23 20:04:44 -05:00
|
|
|
new.process_cgi(cgi, session_options)
|
|
|
|
end
|
2006-11-06 16:43:21 -05:00
|
|
|
|
2004-11-23 20:04:44 -05:00
|
|
|
def process_cgi(cgi, session_options = {}) #:nodoc:
|
|
|
|
process(CgiRequest.new(cgi, session_options), CgiResponse.new(cgi)).out
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
class CgiRequest < AbstractRequest #:nodoc:
|
2007-11-20 23:28:59 -05:00
|
|
|
attr_accessor :cgi, :session_options
|
2008-01-06 15:53:23 -05:00
|
|
|
class SessionFixationAttempt < StandardError #:nodoc:
|
|
|
|
end
|
2004-11-23 20:04:44 -05:00
|
|
|
|
2005-07-04 14:30:22 -04:00
|
|
|
DEFAULT_SESSION_OPTIONS = {
|
2007-02-21 04:17:38 -05:00
|
|
|
:database_manager => CGI::Session::CookieStore, # store data in cookie
|
|
|
|
:prefix => "ruby_sess.", # prefix session file names
|
2007-10-02 01:58:16 -04:00
|
|
|
:session_path => "/", # available to all paths in app
|
2007-11-20 23:28:59 -05:00
|
|
|
:session_key => "_session_id",
|
2008-09-16 12:22:11 -04:00
|
|
|
:cookie_only => true,
|
|
|
|
:session_http_only=> true
|
2008-08-08 02:43:12 -04:00
|
|
|
}
|
2004-11-23 20:04:44 -05:00
|
|
|
|
|
|
|
def initialize(cgi, session_options = {})
|
|
|
|
@cgi = cgi
|
|
|
|
@session_options = session_options
|
2008-08-31 16:15:26 -04:00
|
|
|
@env = @cgi.__send__(:env_table)
|
2004-11-23 20:04:44 -05:00
|
|
|
super()
|
|
|
|
end
|
|
|
|
|
2005-02-14 20:45:35 -05:00
|
|
|
def query_string
|
2007-06-22 20:13:40 -04:00
|
|
|
qs = @cgi.query_string if @cgi.respond_to?(:query_string)
|
2007-05-18 02:24:50 -04:00
|
|
|
if !qs.blank?
|
2005-07-23 05:00:05 -04:00
|
|
|
qs
|
2005-04-18 11:43:07 -04:00
|
|
|
else
|
2007-10-03 12:39:18 -04:00
|
|
|
super
|
2005-07-23 05:00:05 -04:00
|
|
|
end
|
2005-02-14 20:45:35 -05:00
|
|
|
end
|
|
|
|
|
2008-08-08 02:43:12 -04:00
|
|
|
def body_stream #:nodoc:
|
|
|
|
@cgi.stdinput
|
2004-11-23 20:04:44 -05:00
|
|
|
end
|
2006-11-06 16:43:21 -05:00
|
|
|
|
2004-11-23 20:04:44 -05:00
|
|
|
def cookies
|
|
|
|
@cgi.cookies.freeze
|
|
|
|
end
|
|
|
|
|
|
|
|
def session
|
2006-07-08 14:14:49 -04:00
|
|
|
unless defined?(@session)
|
2005-11-09 01:00:46 -05:00
|
|
|
if @session_options == false
|
2005-11-21 11:59:25 -05:00
|
|
|
@session = Hash.new
|
2005-07-06 14:43:32 -04:00
|
|
|
else
|
2005-11-09 15:34:44 -05:00
|
|
|
stale_session_check! do
|
2007-11-20 23:28:59 -05:00
|
|
|
if cookie_only? && query_parameters[session_options_with_string_keys['session_key']]
|
2007-10-02 01:58:16 -04:00
|
|
|
raise SessionFixationAttempt
|
|
|
|
end
|
2006-12-31 20:30:28 -05:00
|
|
|
case value = session_options_with_string_keys['new_session']
|
|
|
|
when true
|
|
|
|
@session = new_session
|
|
|
|
when false
|
|
|
|
begin
|
|
|
|
@session = CGI::Session.new(@cgi, session_options_with_string_keys)
|
|
|
|
# CGI::Session raises ArgumentError if 'new_session' == false
|
|
|
|
# and no session cookie or query param is present.
|
|
|
|
rescue ArgumentError
|
|
|
|
@session = Hash.new
|
|
|
|
end
|
|
|
|
when nil
|
2006-12-31 20:13:09 -05:00
|
|
|
@session = CGI::Session.new(@cgi, session_options_with_string_keys)
|
2006-12-31 20:30:28 -05:00
|
|
|
else
|
|
|
|
raise ArgumentError, "Invalid new_session option: #{value}"
|
2005-11-09 15:34:44 -05:00
|
|
|
end
|
|
|
|
@session['__valid_session']
|
2005-11-09 01:00:46 -05:00
|
|
|
end
|
2005-07-06 14:43:32 -04:00
|
|
|
end
|
2004-11-23 20:04:44 -05:00
|
|
|
end
|
2005-11-09 01:00:46 -05:00
|
|
|
@session
|
2004-11-23 20:04:44 -05:00
|
|
|
end
|
2005-11-09 01:00:46 -05:00
|
|
|
|
2004-11-23 20:04:44 -05:00
|
|
|
def reset_session
|
2006-07-08 14:14:49 -04:00
|
|
|
@session.delete if defined?(@session) && @session.is_a?(CGI::Session)
|
2005-11-09 01:00:46 -05:00
|
|
|
@session = new_session
|
2004-11-23 20:04:44 -05:00
|
|
|
end
|
|
|
|
|
|
|
|
def method_missing(method_id, *arguments)
|
2008-08-31 16:15:26 -04:00
|
|
|
@cgi.__send__(method_id, *arguments) rescue super
|
2004-11-23 20:04:44 -05:00
|
|
|
end
|
|
|
|
|
|
|
|
private
|
2005-11-09 01:00:46 -05:00
|
|
|
# Delete an old session if it exists then create a new one.
|
2004-11-23 20:04:44 -05:00
|
|
|
def new_session
|
2005-11-09 01:00:46 -05:00
|
|
|
if @session_options == false
|
2005-11-21 11:59:25 -05:00
|
|
|
Hash.new
|
2005-11-09 01:00:46 -05:00
|
|
|
else
|
|
|
|
CGI::Session.new(@cgi, session_options_with_string_keys.merge("new_session" => false)).delete rescue nil
|
|
|
|
CGI::Session.new(@cgi, session_options_with_string_keys.merge("new_session" => true))
|
|
|
|
end
|
2004-11-23 20:04:44 -05:00
|
|
|
end
|
2005-11-09 01:00:46 -05:00
|
|
|
|
2007-11-20 23:28:59 -05:00
|
|
|
def cookie_only?
|
|
|
|
session_options_with_string_keys['cookie_only']
|
|
|
|
end
|
|
|
|
|
2005-11-09 01:00:46 -05:00
|
|
|
def stale_session_check!
|
2005-11-09 15:34:44 -05:00
|
|
|
yield
|
2005-11-09 01:00:46 -05:00
|
|
|
rescue ArgumentError => argument_error
|
2007-01-28 01:19:07 -05:00
|
|
|
if argument_error.message =~ %r{undefined class/module ([\w:]*\w)}
|
2005-11-09 01:00:46 -05:00
|
|
|
begin
|
2007-01-28 01:19:07 -05:00
|
|
|
# Note that the regexp does not allow $1 to end with a ':'
|
|
|
|
$1.constantize
|
2005-11-09 01:00:46 -05:00
|
|
|
rescue LoadError, NameError => const_error
|
2006-08-30 01:50:02 -04:00
|
|
|
raise ActionController::SessionRestoreError, <<-end_msg
|
2006-02-09 15:05:11 -05:00
|
|
|
Session contains objects whose class definition isn\'t available.
|
2005-11-09 01:00:46 -05:00
|
|
|
Remember to require the classes for all objects kept in the session.
|
|
|
|
(Original exception: #{const_error.message} [#{const_error.class}])
|
|
|
|
end_msg
|
|
|
|
end
|
|
|
|
|
|
|
|
retry
|
|
|
|
else
|
|
|
|
raise
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2004-12-12 07:43:48 -05:00
|
|
|
def session_options_with_string_keys
|
2006-12-31 20:32:24 -05:00
|
|
|
@session_options_with_string_keys ||= DEFAULT_SESSION_OPTIONS.merge(@session_options).stringify_keys
|
2004-12-12 07:43:48 -05:00
|
|
|
end
|
2004-11-23 20:04:44 -05:00
|
|
|
end
|
|
|
|
|
|
|
|
class CgiResponse < AbstractResponse #:nodoc:
|
|
|
|
def initialize(cgi)
|
|
|
|
@cgi = cgi
|
|
|
|
super()
|
|
|
|
end
|
|
|
|
|
2005-06-22 08:59:36 -04:00
|
|
|
def out(output = $stdout)
|
|
|
|
output.binmode if output.respond_to?(:binmode)
|
|
|
|
output.sync = false if output.respond_to?(:sync=)
|
2006-09-18 19:52:03 -04:00
|
|
|
|
2005-03-03 18:12:57 -05:00
|
|
|
begin
|
2005-06-22 08:59:36 -04:00
|
|
|
output.write(@cgi.header(@headers))
|
2004-12-07 05:50:26 -05:00
|
|
|
|
2008-08-31 16:15:26 -04:00
|
|
|
if @cgi.__send__(:env_table)['REQUEST_METHOD'] == 'HEAD'
|
2005-03-03 18:12:57 -05:00
|
|
|
return
|
|
|
|
elsif @body.respond_to?(:call)
|
2006-04-29 01:06:49 -04:00
|
|
|
# Flush the output now in case the @body Proc uses
|
|
|
|
# #syswrite.
|
|
|
|
output.flush if output.respond_to?(:flush)
|
2005-09-20 06:53:33 -04:00
|
|
|
@body.call(self, output)
|
2005-03-03 18:12:57 -05:00
|
|
|
else
|
2005-06-22 08:59:36 -04:00
|
|
|
output.write(@body)
|
2005-03-03 18:12:57 -05:00
|
|
|
end
|
2005-06-27 05:35:09 -04:00
|
|
|
|
|
|
|
output.flush if output.respond_to?(:flush)
|
2006-09-18 19:52:03 -04:00
|
|
|
rescue Errno::EPIPE, Errno::ECONNRESET
|
|
|
|
# lost connection to parent process, ignore output
|
2004-11-23 20:04:44 -05:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2006-09-18 19:52:03 -04:00
|
|
|
end
|