Fix #9168 Initialize NullCookieJar with all options needed for KeyGenerator

2022-11-09 12:12:34 -05:00 · 2013-02-08 22:22:16 +04:00 · 2013-02-08 22:22:16 +04:00 · 4127332a5f
commit 4127332a5f
parent 01e67316d8
4 changed files with 49 additions and 5 deletions
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@ -13,6 +13,11 @@

    *Yves Senn*

+*   Fix error (#9168) which was produced by setting signed/encrypted 
+    cookie when :null_session forgery protection method was used.
+
+    *Andrey Chernih*
+
 *   `assert_template` can be used to verify the locals of partials,
    which live inside a directory.
    Fixes #8516.
--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@ -126,7 +126,7 @@ module ActionController #:nodoc:
            host          = request.host
            secure        = request.ssl?

-            new(key_generator, host, secure)
+            new(key_generator, host, secure, options_for_env({}))
          end

          def write(*)
--- a/actionpack/lib/action_dispatch/middleware/cookies.rb
+++ b/actionpack/lib/action_dispatch/middleware/cookies.rb
@ -110,13 +110,17 @@ module ActionDispatch
      # $& => example.local
      DOMAIN_REGEXP = /[^.]*\.([^.]*|..\...|...\...)$/

+      def self.options_for_env(env) #:nodoc:
+        { signed_cookie_salt: env[SIGNED_COOKIE_SALT] || '',
+          encrypted_cookie_salt: env[ENCRYPTED_COOKIE_SALT] || '',
+          encrypted_signed_cookie_salt: env[ENCRYPTED_SIGNED_COOKIE_SALT] || '',
+          token_key: env[TOKEN_KEY] }
+      end
+
      def self.build(request)
        env = request.env
        key_generator = env[GENERATOR_KEY]
-        options = { signed_cookie_salt: env[SIGNED_COOKIE_SALT],
-                    encrypted_cookie_salt: env[ENCRYPTED_COOKIE_SALT],
-                    encrypted_signed_cookie_salt: env[ENCRYPTED_SIGNED_COOKIE_SALT],
-                    token_key: env[TOKEN_KEY] }
+        options = options_for_env env

        host = request.host
        secure = request.ssl?
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@ -66,6 +66,19 @@ class RequestForgeryProtectionControllerUsingException < ActionController::Base
  protect_from_forgery :only => %w(index meta), :with => :exception
 end

+class RequestForgeryProtectionControllerUsingNullSession < ActionController::Base
+  protect_from_forgery :with => :null_session
+
+  def signed
+    cookies.signed[:foo] = 'bar'
+    render :nothing => true
+  end
+
+  def encrypted
+    cookies.encrypted[:foo] = 'bar'
+    render :nothing => true
+  end
+end

 class FreeCookieController < RequestForgeryProtectionControllerUsingResetSession
  self.allow_forgery_protection = false
@ -287,6 +300,28 @@ class RequestForgeryProtectionControllerUsingResetSessionTest < ActionController
  end
 end

+class NullSessionDummyKeyGenerator
+  def generate_key(secret)
+    '03312270731a2ed0d11ed091c2338a06'
+  end
+end
+
+class RequestForgeryProtectionControllerUsingNullSessionTest < ActionController::TestCase  
+  def setup
+    @request.env[ActionDispatch::Cookies::GENERATOR_KEY] = NullSessionDummyKeyGenerator.new
+  end
+
+  test 'should allow to set signed cookies' do
+    post :signed
+    assert_response :ok
+  end
+
+  test 'should allow to set encrypted cookies' do
+    post :encrypted
+    assert_response :ok
+  end
+end
+
 class RequestForgeryProtectionControllerUsingExceptionTest < ActionController::TestCase
  include RequestForgeryProtectionTests
  def assert_blocked