Switch back to Rack::Session::Cookie, but generate a secret.

Konstantin Haase 2011-03-13 00:03:34 +01:00
parent 7b393f3598
commit 93d6e1f35a
2 changed files with 13 additions and 8 deletions


@ -1,9 +1,7 @@
= 1.2.1 / Not Yet Release
* Switched default session middleware from `Rack::Session::Cookies` to
`Rack::Session::Pool`, to improve security. Using `Rack::Session::Cookies`
without a secret allows injecting arbitrary objects into sessions an, in a
worst case scenario, might lead to code injection. (Konstantin Haase)
* Use a generated session secret when using `enable :sessions`. (Konstantin
Haase)
= 1.2.0 / 2011-03-03


@ -1232,10 +1232,9 @@ module Sinatra
# an instance of this class as end point.
def build(*args, &bk)
builder = Rack::Builder.new
builder.use Rack::Session::Pool if sessions?
builder.use Rack::CommonLogger if logging?
builder.use Rack::MethodOverride if method_override?
builder.use ShowExceptions if show_exceptions?
builder.use Rack::CommonLogger if logging?
builder.use Rack::MethodOverride if method_override?
builder.use ShowExceptions if show_exceptions?
middleware.each { |c,a,b| builder.use(c, *a, &b) }
builder.run new!(*args, &bk)
builder
@ -1246,6 +1245,11 @@ module Sinatra
end
private
def setup_sessions(builder)
return unless sessions?
builder.use Rack::Session::Cookie, :secret => session_secret
end
def detect_rack_handler
servers = Array(server)
servers.each do |server_name|
@ -1342,6 +1346,9 @@ module Sinatra
set :default_encoding, "utf-8"
set :add_charset, [/^text\//, 'application/javascript', 'application/xml', 'application/xhtml+xml']
# explicitly generating this eagerly to play nice with preforking
set :session_secret, '%x' % rand(2**255)
class << self
alias_method :methodoverride?, :method_override?
alias_method :methodoverride=, :method_override=
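Review bot: The secret generated in the last hunk, `set :session_secret, '%x' % rand(2**255)`, comes from `Kernel#rand`, a general-purpose PRNG that is not meant for secrets. Because this value is what signs the session cookie, it should come from a CSPRNG, for example `set :session_secret, SecureRandom.hex(32)` with `require 'securerandom'` at the top of the file. Separately, the new private `setup_sessions(builder)` is not called from `build` in the lines shown here, and the `Rack::Session::Pool` line was removed. Unless the call lives outside these hunks, `enable :sessions` would install no session middleware. I would also extend the comment above the setting to say the secret is per-process, so sessions do not survive a restart or span independently started workers unless the app sets its own `session_secret`.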