RubyGems - encrypted_cookie_store-instructure - Versions diffs - 1.1.8 → 1.1.9 - Mend

encrypted_cookie_store-instructure 1.1.8 → 1.1.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

checksums.yaml +4 -4
data/encrypted_cookie_store-instructure.gemspec +1 -1
data/lib/encrypted_cookie_store.rb +20 -10
metadata +2 -1

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b16bd9cae818665e2b61d8803f40eb4ca0e83658
-  data.tar.gz: 2fc9e679d7d1c78c93a0a730e2f8067222364c70
+  metadata.gz: 5938faacb558e47daa3a3feb7d83920ed6f1e010
+  data.tar.gz: f2c99a2dc7904500b5535c4d713e4e0aff48166c
 SHA512:
-  metadata.gz: 85010965d034869ec494652e907dee515b1516dee5fde32b0e8baae28783391ddfb2ba10591b82f8b85d12bf95a7d99ad6bc385489f795a0884ded9550ac9047
-  data.tar.gz: 08bd59cd9ba1e4b53148684a939978a0f77884994f5e4e9dd15dbb137eea1dd2d696d3f9581bffa31232dc6fd0f06b8f64e05faf60f50a617a6f5b32d1a7ce21
+  metadata.gz: 99a6a26fe916bc5a433732c49c660f2f250c4cda2810873f1b455dbe9402d02259051c24d7fc9a17d507e2654cfca623385231fc2c16462595c4f61d92a5cfbe
+  data.tar.gz: 3476f99cd39abc816a22968fbcec155c634737a52a5b4e97d94d1eed0342221904300aa7a1298964ee060ad178c13bcb91ff943960689b2fae994318ca3f9563

data/encrypted_cookie_store-instructure.gemspec CHANGED Viewed

@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name = %q{encrypted_cookie_store-instructure}
-  s.version = "1.1.8"
+  s.version = "1.1.9"
   s.authors = ["Cody Cutrer", "Jacob Fugal", "James Williams"]
   s.date = %q{2013-12-20}

data/lib/encrypted_cookie_store.rb CHANGED Viewed

@@ -34,6 +34,8 @@ module ActionDispatch
         @encryption_key = unhex(@secret).freeze
         ensure_encryption_key_secure
+        @allow_legacy_hmac = options[:@allow_legacy_hmac]
         @data_cipher = OpenSSL::Cipher::Cipher.new(EncryptedCookieStore.data_cipher_type)
         options[:refresh_interval] ||= 5.minutes
@@ -45,6 +47,14 @@ module ActionDispatch
         super
       end
+      # overrides method in Rack::Session::Cookie
+      def load_session(env)
+        if time = timestamp(env)
+          env['encrypted_cookie_store.session_refreshed_at'] ||= Time.at(time).utc
+        end
+        super
+      end
       private
       def expire_after(options={})
@@ -79,14 +89,6 @@ module ActionDispatch
         marshal(session_data, options)
       end
-      # overrides method in Rack::Session::Cookie
-      def load_session(env)
-        if time = timestamp(env)
-          env['encrypted_cookie_store.session_refreshed_at'] ||= Time.at(time).utc
-        end
-        super
-      end
       # overrides method in Rack::Session::Abstract::ID
       def commit_session?(env, session, options)
         can_commit = super
@@ -124,7 +126,7 @@ module ActionDispatch
         end
         encrypted_session_data = @data_cipher.update(compressed_session_data) << @data_cipher.final
         timestamp        = Time.now.utc.to_i if expire_after(options)
-        digest           = OpenSSL::HMAC.digest(OpenSSL::Digest.new(@digest), @secret, session_data + timestamp.to_s)
+        digest           = hmac_digest(iv, session_data, timestamp)
         result = "#{base64(iv)}#{compressed_session_data == session_data ? '.' : ' '}#{base64(encrypted_session_data)}.#{base64(digest)}"
         result << ".#{base64([timestamp].pack('N'))}" if expire_after(options)
@@ -146,7 +148,9 @@ module ActionDispatch
           @data_cipher.iv = iv
           session_data = @data_cipher.update(encrypted_session_data) << @data_cipher.final
           session_data = inflate(session_data) if compressed
-          return nil unless digest == OpenSSL::HMAC.digest(OpenSSL::Digest.new(@digest), @secret, session_data + timestamp.to_s)
+          unless digest == hmac_digest(iv, session_data, timestamp)
+            return nil unless @allow_legacy_hmac && digest == hmac_digest(nil, session_data, timestamp)
+          end
           if expire_after(options)
             return nil unless timestamp && Time.now.utc.to_i <= timestamp + expire_after(options)
           end
@@ -215,6 +219,12 @@ module ActionDispatch
       def unhex(hex_data)
         [hex_data].pack("H*")
       end
+      def hmac_digest(iv, session_data, timestamp)
+        hmac_body = session_data + timestamp.to_s
+        hmac_body = iv + hmac_body if iv
+        OpenSSL::HMAC.digest(OpenSSL::Digest.new(@digest), @secret, hmac_body)
+      end
     end
   end
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: encrypted_cookie_store-instructure
 version: !ruby/object:Gem::Version
-  version: 1.1.8
+  version: 1.1.9
 platform: ruby
 authors:
 - Cody Cutrer
@@ -123,3 +123,4 @@ signing_key:
 specification_version: 4
 summary: EncryptedCookieStore for Ruby on Rails 3.2
 test_files: []
+has_rdoc: