mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00
Commit graph

23 commits

Author SHA1 Message Date
Roque Pinel
4092f997f0 Fix the message verifier encoding issue
```ruby
verifier = ActiveSupport::MessageVerifier.new('secret')
verifier.verify("\xff") # => ArgumentError: invalid byte sequence in UTF-8
```
2015-06-14 11:35:27 -04:00
claudiob
e428ddecec Remove "rescue" clause around "require 'openssl'"
Some `require 'openssl'` statements were surrounded by `rescue` blocks to deal with Ruby versions that did not support `OpenSSL::Digest::SHA1` or `OpenSSL::PKCS5`.

[As @jeremy explains](a6a0904fcb (commitcomment-8826666)) in the original commit:

> If jruby didn't have jruby-openssl gem, the require wouldn't work. Not sure whether either of these are still relevant today.

According to the [release notes for JRuby 1.7.13](http://www.jruby.org/2014/06/24/jruby-1-7-13.html):

> jruby-openssl 0.9.5 bundled

which means the above `rescue` block is not needed anymore.

All the Ruby versions supported by the current version of Rails provide those OpenSSL libraries, so Travis CI should also be happy by removing the `rescue` blocks.

---

Just to confirm, with JRuby:

    $ ruby --version #=> jruby 1.7.16.1 (1.9.3p392) 2014-10-28 4e93f31 on Java HotSpot(TM) 64-Bit Server VM 1.8.0_20-b26 +jit [darwin-x86_64]
    $ irb
    irb(main):001:0> require 'openssl' #=> true
    irb(main):002:0> OpenSSL::Digest::SHA1 #=> OpenSSL::Digest::SHA1
    irb(main):003:0> OpenSSL::PKCS5 # => OpenSSL::PKCS5

And with Ruby 2.1:

    $ ruby --version #=> ruby 2.1.2p95 (2014-05-08 revision 45877) [x86_64-darwin13.0]
    $ irb
    irb(main):001:0> require 'openssl' #=> true
    irb(main):002:0> OpenSSL::Digest::SHA1 #=> OpenSSL::Digest::SHA1
    irb(main):003:0> OpenSSL::PKCS5 #=> OpenSSL::PKCS5
2014-12-03 21:58:02 -08:00
Logan Leger
7ad541f955 Add #verified and #valid_message? to MessageVerifier
This commit adds a `#verified` method to
`ActiveSupport::MessageVerifier` which will return either `false` when
it encounters an error or the message. `#verify` continues to raise an
`InvalidSignature` exception on error.

This commit also adds a convenience boolean method on `MessageVerifier`
as a way to check if a message is valid without performing the
decoding.
2014-12-01 21:43:16 -06:00
Kostiantyn Kahanskyi
4bf9d1938b MessageVerifier raises an appropriate exception if the secret is nil
Otherwise this will lead to another error later on when generating a signature:
TypeError (no implicit conversion of nil into String).
2014-09-12 15:09:00 +02:00
Vipul A M
1f80e8d685 PR #10635 introduces rescue from ArgumentError thrown by Base64.strict_decode64.
This broke natural order of things for `StaleSessionCheck#stale_session_check!` which tried auto_loading a class based on `ArgumentError` message, and later retrying the `Marshal#load` of class, successfully allowing auto_loading.

This PR tries to fix this behavior by forwarding `ArgumentError`s not raised by `Base64.strict_decode64`, as is, ahead to `StaleSessionCheck#stale_session_check!`
2013-12-12 22:15:42 +05:30
Rafael Mendonça França
016eb65d7e ✂️
[ci skip]
2013-12-02 20:02:06 -02:00
Ryan Glover
a64d4e85e3 Standardize all JSON encoded times to use 3 decimal fractional seconds 2013-11-07 10:43:51 -05:00
Ryan Davis
adc049b06f Fixed bad tests to clean up after themselves. 2013-05-03 15:37:18 -07:00
José Valim
6a6fc4e1db Remove deprecations from Active Support. 2011-12-20 15:18:42 +01:00
Willem van Bergen
6d520803ee Test deprecation warning when not using an options hash as second parameter. 2011-09-15 15:51:30 -04:00
Willem van Bergen
41fea03342 Use an options hash to specify digest/cipher algorithm and a serializer for MessageVerifier and MessageEncryptor. 2011-09-15 14:27:12 -04:00
Willem van Bergen
db040cdf8b Implement API suggestions of pull request. 2011-09-15 13:15:21 -04:00
Willem van Bergen
a8aaef6762 Fixed tests so that they will also run properly in other timezones. 2011-09-15 09:50:39 -04:00
Willem van Bergen
bffaa888ac Custom serializers and deserializers in MessageVerifier and MessageEncryptor.
By default, these classes use Marshal for serializing and deserializing messages. Unfortunately, the Marshal format is closely associated with Ruby internals and even changes between different interpreters. This makes it very hard to impossible to unserialize messages generated by these classes in other environments like node.js.

This patch solves this by allowing you to set your own custom serializer and deserializer lambda functions. By default, it still uses Marshal to be backwards compatible.
2011-09-15 08:28:53 -04:00
Jeremy Kemper
41e7c68d87 Ruby 1.9.2: marshaling round-trips Time#zone 2010-03-28 22:52:08 -07:00
Jeremy Kemper
bc1538e995 Repair time dependencies 2009-11-14 11:37:06 -08:00
Pratik Naik
69aa5e8a86 Ensure MessageVerifier raises appropriate exception on tampered data 2009-10-09 02:26:18 +01:00
Jeffrey Hardy
9212138ad0 MessageVerifier#verify raises InvalidSignature if the signature is blank
Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
2009-10-05 13:38:26 -07:00
Jeremy Kemper
a6a0904fcb Nah, test SHA1, but skip the test and whine if OpenSSL is borked up 2009-09-24 23:13:56 -07:00
Jeremy Kemper
55f132ab82 Test with MD5 digest in an attempt to mollify CI 2009-09-24 23:10:05 -07:00
Jeremy Kemper
1c36172c13 Ruby 1.9 compat: rename deprecated assert_raises to assert_raise.
[#1617 state:resolved]
2009-03-08 13:11:58 -07:00
Michael Koziarski
f9b1aa7f4c Don't need _message as it's in the class name already 2008-11-23 16:33:56 +01:00
Michael Koziarski
d460c9a255 Add ActiveSupport::MessageVerifier to aid users who need to store tamper-proof messages in cookies etc.
This is particularly useful for things like remember-me tokens in web applications and auto-unsubscribe links in emails.
2008-11-23 15:33:59 +01:00