rack-session-file 0.4.0 → 0.5.0

data/README.md

@@ -17,6 +17,12 @@ use Rack::Session::File, :storage => ENV['TEMP'],
                          :expire_after => 1800
 ```
 
+**NOTICE**: Never use this module in conjunction with other session middlewares (especially `Rack::Session::Cookie`).  That would brake session handling.
+
+### For Sinatra and Padrino
+
+Do not enable session mechanism by `enable :session`.  Built-in session of Sinatra (and Padrino) utilizes `Rack::Session::Cookie`, so it will interfere this module's behavior.  Using this middleware makes `session[]` available in your application without `enable :session`.
+
 ## Usage in Rails 3 Applications
 
 On Gemfile:

data/Rakefile

@@ -1,2 +1,7 @@
 #!/usr/bin/env rake
 require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new :test
+
+task :default => :test

data/lib/rack/session/file.rb

@@ -3,7 +3,7 @@
 module Rack
   module Session
     module File
-      VERSION = '0.4.0'
+      VERSION = '0.5.0'
 
       autoload :Marshal, 'rack/session/file/marshal'
       autoload :PStore, 'rack/session/file/pstore'

data/lib/rack/session/file/abstract.rb

@@ -5,6 +5,8 @@ require 'rack/session/abstract/id'
 module Rack
   module Session
     module File
+      class InvalidSessionIDError < SecurityError; end
+
       class Abstract < Rack::Session::Abstract::ID
         DEFAULT_OPTIONS = Rack::Session::Abstract::ID::DEFAULT_OPTIONS.merge({
           :storage             => Dir.tmpdir,
@@ -161,6 +163,14 @@ module Rack
           def want_thread_safe?
             @env['rack.multithread']
           end
+
+          def ensure_sid_is_valid(sid)
+            unless /^[0-9A-Fa-f]+$/ =~ sid
+              raise InvalidSessionIDError.new("'#{sid}' is not suitable for session ID")
+            end
+
+            true
+          end
         end
       end
     end

data/lib/rack/session/file/marshal.rb

@@ -23,6 +23,8 @@ module Rack
               open_session_file(sid, 'r') do |file|
                 return ::Marshal.load(file)
               end
+            rescue InvalidSessionIDError
+              return nil
             rescue Errno::ENOENT
               return nil
             rescue TypeError
@@ -31,9 +33,12 @@ module Rack
           end
 
           def delete_session(sid)
-            filename = session_file_name(sid)
-            if ::File.exists?(filename)
-              ::File.unlink(filename)
+            begin
+              filename = session_file_name(sid)
+              if ::File.exists?(filename)
+                ::File.unlink(filename)
+              end
+            rescue InvalidSessionIDError
             end
           end
 
@@ -55,6 +60,7 @@ module Rack
           end
 
           def session_file_name(sid)
+            ensure_sid_is_valid(sid)
             return ::File.join(@storage, sid)
           end
 

data/lib/rack/session/file/pstore.rb

@@ -33,6 +33,8 @@ module Rack
                   data[key] = db[key]
                 end
               end
+            rescue InvalidSessionIDError
+              return nil
             rescue TypeError
               return nil
             end
@@ -40,9 +42,12 @@ module Rack
           end
 
           def delete_session(sid)
-            filename = store_for_sid(sid).path
-            if ::File.exists?(filename)
-              ::File.unlink(filename)
+            begin
+              filename = store_for_sid(sid).path
+              if ::File.exists?(filename)
+                ::File.unlink(filename)
+              end
+            rescue InvalidSessionIDError
             end
           end
 
@@ -61,6 +66,7 @@ module Rack
           end
 
           def session_file_name(sid)
+            ensure_sid_is_valid(sid)
             return ::File.join(@storage, sid)
           end
 

data/lib/rack/session/file/yaml.rb

@@ -8,6 +8,7 @@ module Rack
   module Session
     module File
       class YAML < Abstract
+
         def initialize(app, options = {})
           super
           @transaction_options['yaml'] = @default_options.delete(:yaml) || {}
@@ -43,16 +44,21 @@ module Rack
                   data[key] = db[key]
                 end
               end
-            rescue Psych::SyntaxError, Syck::Error, Syck::TypeError
+            rescue InvalidSessionIDError
+              return nil
+            rescue (::Psych::SyntaxError rescue nil), (::Syck::Error rescue nil), (::Syck::TypeError rescue nil)
               return nil
             end
             return data
           end
 
           def delete_session(sid)
-            filename = store_for_sid(sid).path
-            if ::File.exists?(filename)
-              ::File.unlink(filename)
+            begin
+              filename = store_for_sid(sid).path
+              if ::File.exists?(filename)
+                ::File.unlink(filename)
+              end
+            rescue InvalidSessionIDError
             end
           end
 
@@ -67,6 +73,7 @@ module Rack
           end
 
           def session_file_name(sid)
+            ensure_sid_is_valid(sid)
             return ::File.join(@storage, sid)
           end
 

data/rack-session-file.gemspec

@@ -32,7 +32,7 @@ Gem::Specification.new do |gem|
   gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
   gem.name          = "rack-session-file"
   gem.require_paths = ["lib"]
-  gem.version       = '0.4.0'
+  gem.version       = '0.5.0'
 
   if gem.respond_to? :specification_version then
     gem.specification_version = 3

data/spec/common.rb

@@ -65,26 +65,26 @@ shared_examples_for Rack::Session::File do
   end
 
   it 'survives nonexistent cookies' do
-    bad_cookie = 'rack.session=blarghfasel'
+    bad_cookie = 'rack.session=00000001'
     res = Rack::MockRequest.new(pool) \
             .get('/', 'HTTP_COOKIE' => bad_cookie)
 
     res.body.should == '{"counter"=>1}'
     cookie = res['Set-Cookie'][@session_match]
-    cookie.should_not match(/#{bad_cookie}/)
+    cookie.should_not match(/#{bad_cookie}(?:;|$)/)
   end
 
   it 'survives broken session data' do
-    open(::File.join(@storage, 'broken'), 'w') do |f|
-      f.write "\x1\x1o"     # broken data for Marshal, YAML
+    open(::File.join(@storage, '00000002'), 'w') do |f|
+      f.write "\x1\x1o"     # broken data for Marshal and YAML
     end
-    cookie = 'rack.session=broken'
+    bad_cookie = 'rack.session=00000002'
     res = Rack::MockRequest.new(pool) \
-            .get('/', 'HTTP_COOKIE' => cookie)
+            .get('/', 'HTTP_COOKIE' => bad_cookie)
 
     res.body.should == '{"counter"=>1}'
     cookie = res['Set-Cookie'][@session_match]
-    cookie.should_not match(/broken/)
+    cookie.should_not match(/#{bad_cookie}(?:;|$)/)
   end
 
   it 'should maintain freshness' do
@@ -173,5 +173,15 @@ shared_examples_for Rack::Session::File do
 #   res3['Set-Cookie'][@session_match].should == session
     res3.body.should == '{"counter"=>4}'
   end
+
+  it 'omit cookie with bad session id' do
+    bad_cookie = 'rack.session=/etc/passwd'
+    res = Rack::MockRequest.new(pool) \
+            .get('/', 'HTTP_COOKIE' => bad_cookie)
+
+    res.body.should == '{"counter"=>1}'
+    cookie = res['Set-Cookie'][@session_match]
+    cookie.should_not match(/#{bad_cookie}(?:;|$)/)
+  end
 end
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rack-session-file
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 0.5.0
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-11-05 00:00:00.000000000 Z
+date: 2012-11-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -82,7 +82,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: -4049294331236196458
+      hash: 3379845102946176394
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
@@ -91,7 +91,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: -4049294331236196458
+      hash: 3379845102946176394
 requirements: []
 rubyforge_project: 
 rubygems_version: 1.8.23