encrypted_cookie_store-instructure 1.1.8 → 1.1.9

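--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: b16bd9cae818665e2b61d8803f40eb4ca0e83658
- data.tar.gz: 2fc9e679d7d1c78c93a0a730e2f8067222364c70
+ metadata.gz: 5938faacb558e47daa3a3feb7d83920ed6f1e010
+ data.tar.gz: f2c99a2dc7904500b5535c4d713e4e0aff48166c
  SHA512:
- metadata.gz: 85010965d034869ec494652e907dee515b1516dee5fde32b0e8baae28783391ddfb2ba10591b82f8b85d12bf95a7d99ad6bc385489f795a0884ded9550ac9047
- data.tar.gz: 08bd59cd9ba1e4b53148684a939978a0f77884994f5e4e9dd15dbb137eea1dd2d696d3f9581bffa31232dc6fd0f06b8f64e05faf60f50a617a6f5b32d1a7ce21
+ metadata.gz: 99a6a26fe916bc5a433732c49c660f2f250c4cda2810873f1b455dbe9402d02259051c24d7fc9a17d507e2654cfca623385231fc2c16462595c4f61d92a5cfbe
+ data.tar.gz: 3476f99cd39abc816a22968fbcec155c634737a52a5b4e97d94d1eed0342221904300aa7a1298964ee060ad178c13bcb91ff943960689b2fae994318ca3f9563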
@@ -1,6 +1,6 @@
1
1
  Gem::Specification.new do |s|
2
2
  s.name = %q{encrypted_cookie_store-instructure}
3
- s.version = "1.1.8"
3
+ s.version = "1.1.9"
4
4
 
5
5
  s.authors = ["Cody Cutrer", "Jacob Fugal", "James Williams"]
6
6
  s.date = %q{2013-12-20}
@@ -34,6 +34,8 @@ module ActionDispatch
34
34
  @encryption_key = unhex(@secret).freeze
35
35
  ensure_encryption_key_secure
36
36
 
37
+ @allow_legacy_hmac = options[:@allow_legacy_hmac]
38
+
37
39
  @data_cipher = OpenSSL::Cipher::Cipher.new(EncryptedCookieStore.data_cipher_type)
38
40
  options[:refresh_interval] ||= 5.minutes
39
41
 
@@ -45,6 +47,14 @@ module ActionDispatch
45
47
  super
46
48
  end
47
49
 
50
+ # overrides method in Rack::Session::Cookie
51
+ def load_session(env)
52
+ if time = timestamp(env)
53
+ env['encrypted_cookie_store.session_refreshed_at'] ||= Time.at(time).utc
54
+ end
55
+ super
56
+ end
57
+
48
58
  private
49
59
 
50
60
  def expire_after(options={})
@@ -79,14 +89,6 @@ module ActionDispatch
79
89
  marshal(session_data, options)
80
90
  end
81
91
 
82
- # overrides method in Rack::Session::Cookie
83
- def load_session(env)
84
- if time = timestamp(env)
85
- env['encrypted_cookie_store.session_refreshed_at'] ||= Time.at(time).utc
86
- end
87
- super
88
- end
89
-
90
92
  # overrides method in Rack::Session::Abstract::ID
91
93
  def commit_session?(env, session, options)
92
94
  can_commit = super
@@ -124,7 +126,7 @@ module ActionDispatch
124
126
  end
125
127
  encrypted_session_data = @data_cipher.update(compressed_session_data) << @data_cipher.final
126
128
  timestamp = Time.now.utc.to_i if expire_after(options)
127
- digest = OpenSSL::HMAC.digest(OpenSSL::Digest.new(@digest), @secret, session_data + timestamp.to_s)
129
+ digest = hmac_digest(iv, session_data, timestamp)
128
130
 
129
131
  result = "#{base64(iv)}#{compressed_session_data == session_data ? '.' : ' '}#{base64(encrypted_session_data)}.#{base64(digest)}"
130
132
  result << ".#{base64([timestamp].pack('N'))}" if expire_after(options)
@@ -146,7 +148,9 @@ module ActionDispatch
146
148
  @data_cipher.iv = iv
147
149
  session_data = @data_cipher.update(encrypted_session_data) << @data_cipher.final
148
150
  session_data = inflate(session_data) if compressed
149
- return nil unless digest == OpenSSL::HMAC.digest(OpenSSL::Digest.new(@digest), @secret, session_data + timestamp.to_s)
151
+ unless digest == hmac_digest(iv, session_data, timestamp)
152
+ return nil unless @allow_legacy_hmac && digest == hmac_digest(nil, session_data, timestamp)
153
+ end
150
154
  if expire_after(options)
151
155
  return nil unless timestamp && Time.now.utc.to_i <= timestamp + expire_after(options)
152
156
  end
@@ -215,6 +219,12 @@ module ActionDispatch
215
219
  def unhex(hex_data)
216
220
  [hex_data].pack("H*")
217
221
  end
222
+
223
+ def hmac_digest(iv, session_data, timestamp)
224
+ hmac_body = session_data + timestamp.to_s
225
+ hmac_body = iv + hmac_body if iv
226
+ OpenSSL::HMAC.digest(OpenSSL::Digest.new(@digest), @secret, hmac_body)
227
+ end
218
228
  end
219
229
  end
220
230
  end
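Review bot: In the verification hunk both MAC checks compare with `==`, which is not constant-time; a fixed-time comparison such as `Rack::Utils.secure_compare(digest, hmac_digest(iv, session_data, timestamp))` (assuming the bundled Rack provides it) would be the safer form for the primary and the legacy branch alike. That check still runs only after the cookie has been decrypted and inflated, so unauthenticated ciphertext reaches the cipher and zlib first; the ordering predates this change, but a comment recording it would help the next reader. In the initializer hunk the flag is read as `options[:@allow_legacy_hmac]`, which looks like a typo for `options[:allow_legacy_hmac]`: as written, a caller passing `allow_legacy_hmac: true` would presumably never enable the fallback. Because the fallback accepts digests that do not cover the IV, `@allow_legacy_hmac` deserves a comment stating it is meant for a bounded migration window and should be switched off once old cookies have expired. The enclosing methods start and end outside the hunks shown.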
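--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
  --- !ruby/object:Gem::Specification
  name: encrypted_cookie_store-instructure
  version: !ruby/object:Gem::Version
- version: 1.1.8
+ version: 1.1.9
  platform: ruby
  authors:
  - Cody Cutrer
@@ -123,3 +123,4 @@ signing_key:
  specification_version: 4
  summary: EncryptedCookieStore for Ruby on Rails 3.2
  test_files: []
+ has_rdoc: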