mirror of
https://github.com/rails/rails.git
synced 2022-11-09 12:12:34 -05:00
Fix signed cookies by explicitly passing config to the cookie jar
This commit is contained in:
parent
ef84e691ff
commit
e3959970e1
2 changed files with 22 additions and 25 deletions
|
@ -10,7 +10,8 @@ module ActionController #:nodoc:
|
|||
|
||||
private
|
||||
def cookies
|
||||
request.cookie_jar
|
||||
raise "You must set config.cookie_secret in your app's config" if config.secret.blank?
|
||||
request.cookie_jar(:signing_secret => config.secret)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
module ActionDispatch
|
||||
class Request
|
||||
def cookie_jar
|
||||
env['action_dispatch.cookies'] ||= Cookies::CookieJar.build(self)
|
||||
def cookie_jar(config = {})
|
||||
env['action_dispatch.cookies'] ||= Cookies::CookieJar.build(self, config)
|
||||
end
|
||||
end
|
||||
|
||||
|
@ -51,17 +51,18 @@ module ActionDispatch
|
|||
# only HTTP. Defaults to +false+.
|
||||
class Cookies
|
||||
class CookieJar < Hash #:nodoc:
|
||||
def self.build(request)
|
||||
new.tap do |hash|
|
||||
def self.build(request, config = {})
|
||||
new(config).tap do |hash|
|
||||
hash.update(request.cookies)
|
||||
end
|
||||
end
|
||||
|
||||
def initialize
|
||||
def initialize(config = {})
|
||||
@config = config
|
||||
@set_cookies = {}
|
||||
@delete_cookies = {}
|
||||
|
||||
super
|
||||
super()
|
||||
end
|
||||
|
||||
# Returns the value of the cookie by +name+, or +nil+ if no such cookie exists.
|
||||
|
@ -111,7 +112,7 @@ module ActionDispatch
|
|||
# cookies.permanent.signed[:remember_me] = current_user.id
|
||||
# # => Set-Cookie: discount=BAhU--848956038e692d7046deab32b7131856ab20e14e; path=/; expires=Sun, 16-Dec-2029 03:24:16 GMT
|
||||
def permanent
|
||||
@permanent ||= PermanentCookieJar.new(self)
|
||||
@permanent ||= PermanentCookieJar.new(self, @config)
|
||||
end
|
||||
|
||||
# Returns a jar that'll automatically generate a signed representation of cookie value and verify it when reading from
|
||||
|
@ -119,7 +120,7 @@ module ActionDispatch
|
|||
# cookie was tampered with by the user (or a 3rd party), an ActiveSupport::MessageVerifier::InvalidSignature exception will
|
||||
# be raised.
|
||||
#
|
||||
# This jar requires that you set a suitable secret for the verification on ActionController::Base.cookie_verifier_secret.
|
||||
# This jar requires that you set a suitable secret for the verification on your app's config.cookie_secret.
|
||||
#
|
||||
# Example:
|
||||
#
|
||||
|
@ -128,7 +129,7 @@ module ActionDispatch
|
|||
#
|
||||
# cookies.signed[:discount] # => 45
|
||||
def signed
|
||||
@signed ||= SignedCookieJar.new(self)
|
||||
@signed ||= SignedCookieJar.new(self, @config)
|
||||
end
|
||||
|
||||
def write(response)
|
||||
|
@ -138,8 +139,9 @@ module ActionDispatch
|
|||
end
|
||||
|
||||
class PermanentCookieJar < CookieJar #:nodoc:
|
||||
def initialize(parent_jar)
|
||||
def initialize(parent_jar, config = {})
|
||||
@parent_jar = parent_jar
|
||||
@config = config
|
||||
end
|
||||
|
||||
def []=(key, options)
|
||||
|
@ -154,11 +156,7 @@ module ActionDispatch
|
|||
end
|
||||
|
||||
def signed
|
||||
@signed ||= SignedCookieJar.new(self)
|
||||
end
|
||||
|
||||
def controller
|
||||
@parent_jar.controller
|
||||
@signed ||= SignedCookieJar.new(self, @config)
|
||||
end
|
||||
|
||||
def method_missing(method, *arguments, &block)
|
||||
|
@ -167,18 +165,16 @@ module ActionDispatch
|
|||
end
|
||||
|
||||
class SignedCookieJar < CookieJar #:nodoc:
|
||||
def initialize(parent_jar)
|
||||
unless ActionController::Base.config.secret
|
||||
raise "You must set ActionController::Base.config.secret"
|
||||
end
|
||||
|
||||
def initialize(parent_jar, config = {})
|
||||
raise 'Missing cookie signing secret' if config[:signing_secret].blank?
|
||||
@parent_jar = parent_jar
|
||||
@verifier = ActiveSupport::MessageVerifier.new(ActionController::Base.config.secret)
|
||||
@config = config
|
||||
@verifier = ActiveSupport::MessageVerifier.new(config[:signing_secret])
|
||||
end
|
||||
|
||||
def [](name)
|
||||
if value = @parent_jar[name]
|
||||
@verifier.verify(value)
|
||||
if signed_message = @parent_jar[name]
|
||||
@verifier.verify(signed_message)
|
||||
end
|
||||
end
|
||||
|
||||
|
|
Loading…
Reference in a new issue