actionpack 1.13.5 → 1.13.6



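--- a/data/CHANGELOG
+++ b/data/CHANGELOG
@@ -1,3 +1,9 @@
+*1.13.6* (November 24th, 2007)
+
+* Correct Broken Fix for session_fixation attacks
+
+* Ensure that cookies handle array values correctly. Closes #9937 [queso]
+
 *1.13.5* (October 12th, 2007)
 
 * Backport: allow array and hash query parameters. Array route parameters are converted/to/a/path as before. #6765, #7047, #7462 [bgipsy, Jeremy McAnally, Dan Kubb, brendan, Diego Algorta Casamayou]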
@@ -36,13 +36,14 @@ module ActionController #:nodoc:
36
36
  end
37
37
 
38
38
  class CgiRequest < AbstractRequest #:nodoc:
39
- attr_accessor :cgi, :session_options, :cookie_only
39
+ attr_accessor :cgi, :session_options
40
40
  class SessionFixationAttempt < StandardError; end #:nodoc:
41
41
 
42
42
  DEFAULT_SESSION_OPTIONS = {
43
43
  :database_manager => CGI::Session::PStore,
44
44
  :prefix => "ruby_sess.",
45
45
  :session_path => "/",
46
+ :session_key => "_session_id",
46
47
  :cookie_only => true
47
48
  } unless const_defined?(:DEFAULT_SESSION_OPTIONS)
48
49
 
@@ -50,10 +51,13 @@ module ActionController #:nodoc:
50
51
  @cgi = cgi
51
52
  @session_options = session_options
52
53
  @env = @cgi.send(:env_table)
53
- @cookie_only = session_options.delete :cookie_only
54
54
  super()
55
55
  end
56
56
 
57
+ def cookie_only?
58
+ session_options_with_string_keys['cookie_only']
59
+ end
60
+
57
61
  def query_string
58
62
  if (qs = @cgi.query_string) && !qs.empty?
59
63
  qs
@@ -114,7 +118,7 @@ module ActionController #:nodoc:
114
118
  @session = Hash.new
115
119
  else
116
120
  stale_session_check! do
117
- if @cookie_only && request_parameters[session_options_with_string_keys['session_key']]
121
+ if cookie_only? && request_parameters[session_options_with_string_keys['session_key']]
118
122
  raise SessionFixationAttempt
119
123
  end
120
124
  case value = session_options_with_string_keys['new_session']
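Review bot: The new `cookie_only?` predicate (second hunk) carries no comment and returns the raw value stored under `'cookie_only'` rather than a boolean, so the guard `if cookie_only? && request_parameters[...]` in the third hunk fails open — it evaluates to nil and never reaches `raise SessionFixationAttempt` — whenever that key is absent from the effective options. Whether a missing key can occur depends on `session_options_with_string_keys`, which is defined outside these hunks; if it does not fold `DEFAULT_SESSION_OPTIONS` (which carries `:cookie_only => true`) into the controller-supplied hash, a bare options hash silently disables the check. I would state the intent above the method, hedged as the hunk supports it: `# Re-read from session_options on every call rather than caching at construction, so options the controller applies after the request is built appear to be honoured.` and make the predicate strictly boolean with `!!session_options_with_string_keys['cookie_only']`. The `initialize` touched by the first hunk begins outside it.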
@@ -47,7 +47,10 @@ module ActionController #:nodoc:
47
47
  # Returns the value of the cookie by +name+ -- or nil if no such cookie exists. You set new cookies using either the cookie method
48
48
  # or cookies[]= (for simple name/value cookies without options).
49
49
  def [](name)
50
- @cookies[name.to_s].value.first if @cookies[name.to_s] && @cookies[name.to_s].respond_to?(:value)
50
+ cookie = @cookies[name.to_s]
51
+ if cookie && cookie.respond_to?(:value)
52
+ cookie.size > 1 ? cookie.value : cookie.value.to_s
53
+ end
51
54
  end
52
55
 
53
56
  def []=(name, options)
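Review bot: The single-value branch `cookie.value.to_s` relies on `Array#to_s` joining its elements, which is Ruby 1.8 behaviour; on 1.9 and later `Array#to_s` is `inspect`, so `cookies["login"]` would come back as `"[\"XJ-122\"]"` instead of `"XJ-122"`. Writing the line as `cookie.size > 1 ? cookie.value : cookie.value.first` preserves the pre-change result for the one-value case on every Ruby (and keeps nil, rather than an empty string, for a cookie with no values). The comment above `[]` should also spell out the new contract, since callers that assumed a String can now receive an Array chosen by the client: `# Returns the value of the cookie by +name+ -- an Array when the cookie carries several values, or nil if no such cookie exists.`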
@@ -2,7 +2,7 @@ module ActionPack #:nodoc:
2
2
  module VERSION #:nodoc:
3
3
  MAJOR = 1
4
4
  MINOR = 13
5
- TINY = 5
5
+ TINY = 6
6
6
 
7
7
  STRING = [MAJOR, MINOR, TINY].join('.')
8
8
  end
@@ -22,7 +22,7 @@ class CookieTest < Test::Unit::TestCase
22
22
  cookies["user_name"] = { "value" => "david", "expires" => Time.local(2005, 10, 10) }
23
23
  cookies["login"] = "XJ-122"
24
24
  end
25
-
25
+
26
26
  def access_frozen_cookies
27
27
  cookies["will"] = "work"
28
28
  end
@@ -91,6 +91,14 @@ class CookieTest < Test::Unit::TestCase
91
91
  assert_equal nil, jar["something_else"]
92
92
  end
93
93
 
94
+ def test_cookiejar_accessor_with_array_value
95
+ a = %w{1 2 3}
96
+ @request.cookies["pages"] = CGI::Cookie.new("name" => "pages", "value" => a, "expires" => Time.local(2025, 10, 10))
97
+ @controller.request = @request
98
+ jar = ActionController::CookieJar.new(@controller)
99
+ assert_equal a, jar["pages"]
100
+ end
101
+
94
102
  def test_delete_cookie_with_path
95
103
  get :delete_cookie_with_path
96
104
  assert_equal "/beaten", @response.headers["cookie"].first.path
@@ -0,0 +1,92 @@
1
+ require File.dirname(__FILE__) + '/../abstract_unit'
2
+
3
+ class SessionFixationTest < Test::Unit::TestCase
4
+ class MockCGI < CGI #:nodoc:
5
+ attr_accessor :stdoutput, :env_table
6
+
7
+ def initialize(env, data = '')
8
+ self.env_table = env
9
+ self.stdoutput = StringIO.new
10
+ super(StringIO.new(data))
11
+ end
12
+ end
13
+
14
+ class TestController < ActionController::Base
15
+ session :session_key => '_myapp_session_id', :secret => 'secret', :except => :default_session_key
16
+ session :cookie_only => false, :only => :allow_session_fixation
17
+
18
+ def default_session_key
19
+ render :text => "default_session_key"
20
+ end
21
+
22
+ def custom_session_key
23
+ render :text => "custom_session_key: #{params[:id]}"
24
+ end
25
+
26
+ def allow_session_fixation
27
+ render :text => "allow_session_fixation"
28
+ end
29
+
30
+ def rescue_action(e) raise end
31
+ end
32
+
33
+ def setup
34
+ @controller = TestController.new
35
+ end
36
+
37
+ def test_should_be_able_to_make_a_successful_request
38
+ cgi = mock_cgi_for_request_to(:custom_session_key, :id => 1)
39
+
40
+ assert_nothing_raised do
41
+ @controller.send(:process, mock_request(cgi), ActionController::CgiResponse.new(cgi))
42
+ end
43
+ assert_equal 'custom_session_key: 1', @controller.response.body
44
+ assert_not_nil @controller.session
45
+ end
46
+
47
+ def test_should_catch_session_fixation_attempt
48
+ cgi = mock_cgi_for_request_to(:custom_session_key, :_myapp_session_id => 42)
49
+
50
+ assert_raises ActionController::CgiRequest::SessionFixationAttempt do
51
+ @controller.send(:process, mock_request(cgi), ActionController::CgiResponse.new(cgi))
52
+ end
53
+ assert_nil @controller.session
54
+ end
55
+
56
+ def test_should_not_catch_session_fixation_attempt_when_cookie_only_setting_is_disabled
57
+ cgi = mock_cgi_for_request_to(:allow_session_fixation, :_myapp_session_id => 42)
58
+
59
+ assert_nothing_raised do
60
+ @controller.send(:process, mock_request(cgi), ActionController::CgiResponse.new(cgi))
61
+ end
62
+ assert !@controller.response.body.blank?
63
+ assert_not_nil @controller.session
64
+ end
65
+
66
+ def test_should_catch_session_fixation_attempt_with_default_session_key
67
+ ActionController::Base.session_store = :p_store # using the default session_key is not possible with cookie store
68
+ cgi = mock_cgi_for_request_to(:default_session_key, :_session_id => 42)
69
+
70
+ assert_raises ActionController::CgiRequest::SessionFixationAttempt do
71
+ @controller.send(:process, mock_request(cgi) , ActionController::CgiResponse.new(cgi))
72
+ end
73
+ assert @controller.response.body.blank?
74
+ assert_nil @controller.session
75
+ end
76
+
77
+ private
78
+
79
+ def mock_cgi_for_request_to(action, params = {})
80
+ MockCGI.new({
81
+ "REQUEST_METHOD" => "GET",
82
+ "QUERY_STRING" => "action=#{action}&#{params.to_query}",
83
+ "REQUEST_URI" => "/",
84
+ "SERVER_PORT" => "80",
85
+ "HTTP_HOST" => "testdomain.com" }, '')
86
+ end
87
+
88
+ def mock_request(cgi)
89
+ ActionController::CgiRequest.new(cgi, {})
90
+ end
91
+
92
+ end
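Review bot: `test_should_catch_session_fixation_attempt_with_default_session_key` assigns `ActionController::Base.session_store = :p_store` and nothing restores it, so the store change leaks into every test that runs later in the same process, where test order is not guaranteed. Capturing the current store in `setup` and putting it back in a `teardown` keeps the test self-contained; the existing comment on that line already explains why the switch is needed and can stay. `mock_request` builds the request with an empty options hash, so these tests exercise the defaults path for `cookie_only` — worth a one-line comment there if that is intentional.
```ruby
def setup
  # … unchanged: @controller = TestController.new …
  @original_session_store = ActionController::Base.session_store
end

def teardown
  ActionController::Base.session_store = @original_session_store
end
```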
metadata CHANGED
@@ -3,8 +3,8 @@ rubygems_version: 0.9.4
3
3
  specification_version: 1
4
4
  name: actionpack
5
5
  version: !ruby/object:Gem::Version
6
- version: 1.13.5
7
- date: 2007-10-12 00:00:00 -05:00
6
+ version: 1.13.6
7
+ date: 2007-11-24 00:00:00 +13:00
8
8
  summary: Web-flow and rendering framework putting the VC in MVC.
9
9
  require_paths:
10
10
  - lib
@@ -203,6 +203,7 @@ files:
203
203
  - test/controller/routing_test.rb
204
204
  - test/controller/selector_test.rb
205
205
  - test/controller/send_file_test.rb
206
+ - test/controller/session_fixation_test.rb
206
207
  - test/controller/session_management_test.rb
207
208
  - test/controller/test_test.rb
208
209
  - test/controller/url_rewriter_test.rb