RubyGems - encrypted_cookie - Versions diffs - 0.0.3 → 0.0.4 - Mend

encrypted_cookie 0.0.3 → 0.0.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

data.tar.gz.sig +0 -0
data/Manifest +0 -1
data/Rakefile +1 -1
data/encrypted_cookie.gemspec +2 -2
data/lib/encrypted_cookie.rb +15 -5
data/spec/encrypted_cookie_spec.rb +10 -2
metadata +3 -4
metadata.gz.sig +0 -0
data/pkg/encrypted_cookie-0.0.2.gem +0 -0

data.tar.gz.sig CHANGED

Binary file

data/Manifest CHANGED

@@ -3,5 +3,4 @@ README.markdown
 Rakefile
 encrypted_cookie.gemspec
 lib/encrypted_cookie.rb
-pkg/encrypted_cookie-0.0.2.gem
 spec/encrypted_cookie_spec.rb

data/Rakefile CHANGED

@@ -2,7 +2,7 @@ require 'rubygems'
 require 'rake'
 require 'echoe'
-Echoe.new('encrypted_cookie', '0.0.3') do |p|
+Echoe.new('encrypted_cookie', '0.0.4') do |p|
   p.description    = "Encrypted session cookies for Rack"
   p.url            = "http://github.com/cvonkleist/encrypted_cookie"
   p.author         = "Christian von Kleist"

data/encrypted_cookie.gemspec CHANGED

@@ -2,7 +2,7 @@
 Gem::Specification.new do |s|
   s.name = %q{encrypted_cookie}
-  s.version = "0.0.3"
+  s.version = "0.0.4"
   s.required_rubygems_version = Gem::Requirement.new(">= 1.2") if s.respond_to? :required_rubygems_version=
   s.authors = ["Christian von Kleist"]
@@ -11,7 +11,7 @@ Gem::Specification.new do |s|
   s.description = %q{Encrypted session cookies for Rack}
   s.email = %q{cvonkleist at-a-place-called gmail.com}
   s.extra_rdoc_files = ["README.markdown", "lib/encrypted_cookie.rb"]
-  s.files = ["Manifest", "README.markdown", "Rakefile", "encrypted_cookie.gemspec", "lib/encrypted_cookie.rb", "pkg/encrypted_cookie-0.0.2.gem", "spec/encrypted_cookie_spec.rb"]
+  s.files = ["Manifest", "README.markdown", "Rakefile", "encrypted_cookie.gemspec", "lib/encrypted_cookie.rb", "spec/encrypted_cookie_spec.rb"]
   s.homepage = %q{http://github.com/cvonkleist/encrypted_cookie}
   s.rdoc_options = ["--line-numbers", "--inline-source", "--title", "Encrypted_cookie", "--main", "README.markdown"]
   s.require_paths = ["lib"]

data/lib/encrypted_cookie.rb CHANGED

@@ -47,11 +47,10 @@ module Rack
         session_data = request.cookies[@key]
         if session_data
-          #begin
-            session_data = decrypt(session_data)
+          if session_data = decrypt(session_data)
             session_data, digest = session_data.split("--")
-            session_data = nil  unless digest == generate_hmac(session_data)
-          #rescue OpenSSL::Cipher::Cipher
+            session_data = nil unless digest == generate_hmac(session_data)
+          end
         end
         begin
@@ -93,18 +92,29 @@ module Rack
       def encrypt(str)
         aes = OpenSSL::Cipher::Cipher.new('aes-128-cbc').encrypt
         aes.key = @secret
-        salt = OpenSSL::Random.random_bytes(aes.key_len)
         iv = OpenSSL::Random.random_bytes(aes.iv_len)
+        aes.iv = iv
         [iv + (aes.update(str) << aes.final)].pack('m0')
       end
+      # decrypts string. returns nil if an error occurs
+      #
+      # returns nil if openssl raises an error during decryption (likely
+      # someone is tampering with the session data, or the sinatra user was
+      # previously using Cookie and has just switched to EncryptedCookie), and
+      # will also return nil if the text to decrypt is too short to possibly be
+      # good aes data.
       def decrypt(str)
         str = str.unpack('m0').first
         aes = OpenSSL::Cipher::Cipher.new('aes-128-cbc').decrypt
         aes.key = @secret
         iv = str[0, aes.iv_len]
+        aes.iv = iv
         crypted_text = str[aes.iv_len..-1]
+        return nil if crypted_text.nil? || iv.nil?
         aes.update(crypted_text) << aes.final
+      rescue
+        nil
       end
     end
   end

data/spec/encrypted_cookie_spec.rb CHANGED

@@ -56,7 +56,7 @@ describe EncryptedApp do
     str = CGI.unescape(data).unpack('m0').first
     aes = OpenSSL::Cipher::Cipher.new('aes-128-cbc').decrypt
     aes.key = 'foo' * 10
-    iv = str[0, aes.iv_len]
+    aes.iv = str[0, aes.iv_len]
     crypted_text = str[aes.iv_len..-1]
     plaintext = (aes.update(crypted_text) << aes.final)
@@ -86,7 +86,15 @@ describe EncryptedApp do
     get '/'
     last_response.body.should == 'session: {"foo"=>"bar"}'
-    rack_mock_session.cookie_jar.instance_variable_get(:@cookies).first.instance_variable_set(:@name_and_value, 'rack.session=lkjsdlfkjsd')
+    # tamper with the cookie (too short to be aes data)
+    rack_mock_session.cookie_jar << Rack::Test::Cookie.new('rack.session=foo', URI.parse('http://example.org//'))
+    get '/'
+    last_response.body.should == 'session: {}'
+    # tamper with the cookie (long enough to attempt aes decryption)
+    rack_mock_session.cookie_jar << Rack::Test::Cookie.new('rack.session=foobarbaz', URI.parse('http://example.org//'))
     get '/'
     last_response.body.should == 'session: {}'
   end

metadata CHANGED

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: encrypted_cookie
 version: !ruby/object:Gem::Version
-  hash: 25
+  hash: 23
   prerelease: false
   segments:
   - 0
   - 0
-  - 3
-  version: 0.0.3
+  - 4
+  version: 0.0.4
 platform: ruby
 authors:
 - Christian von Kleist
@@ -55,7 +55,6 @@ files:
 - Rakefile
 - encrypted_cookie.gemspec
 - lib/encrypted_cookie.rb
-- pkg/encrypted_cookie-0.0.2.gem
 - spec/encrypted_cookie_spec.rb
 has_rdoc: true
 homepage: http://github.com/cvonkleist/encrypted_cookie

metadata.gz.sig CHANGED

Binary file

data/pkg/encrypted_cookie-0.0.2.gem DELETED

Binary file