author | Aaron Patterson <aaron.patterson@gmail.com> | 2015-09-03 07:15:12 +0200 |
---|---|---|
committer | Aaron Patterson <aaron.patterson@gmail.com> | 2015-09-03 07:15:12 +0200 |
commit | 304c1a130b1990a1b0b87c528f4b1c63171b2ef3 (patch) | |
tree | fec0b61c8fcdb5c659811a0966306c44f3db9b1d | |
parent | 6c4160b8c5173299f4b49ea2c9e4aab76f6b9054 (diff) | |
parent | ed84b6d665c36bd24d0934e38ba440e95d52633e (diff) | |
download | rack-304c1a130b1990a1b0b87c528f4b1c63171b2ef3.tar.gz |
Merge pull request #900 from dmcinnes/disable-cookie-secret-warnings
Allow users to disable the secure cookie warning for custom coders
-rw-r--r-- | lib/rack/session/cookie.rb | 7 | ||||
-rw-r--r-- | test/spec_session_cookie.rb | 15 |
2 files changed, 21 insertions, 1 deletions
diff --git a/lib/rack/session/cookie.rb b/lib/rack/session/cookie.rb
index 66bb7856..b88e305e 100644
--- a/lib/rack/session/cookie.rb
+++ b/lib/rack/session/cookie.rb
@@ -105,7 +105,7 @@ module Rack
 
 def initialize(app, options={})
 @secrets = options.values_at(:secret, :old_secret).compact
- warn <<-MSG unless @secrets.size >= 1
+ warn <<-MSG unless secure?(options)
 SECURITY WARNING: No secret option provided to Rack::Session::Cookie.
 This poses a security threat. It is strongly recommended that you
 provide a secret to prevent exploits that may be possible from crafted
@@ -183,6 +183,11 @@ module Rack
 OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, secret, data)
 end
 
+ def secure?(options)
+ @secrets.size >= 1 ||
+ (options[:coder] && options[:let_coder_handle_secure_encoding])
+ end
+
 end
 end
 end
diff --git a/test/spec_session_cookie.rb b/test/spec_session_cookie.rb
index 5c3f5bd5..2b382b50 100644
--- a/test/spec_session_cookie.rb
+++ b/test/spec_session_cookie.rb
@@ -152,6 +152,21 @@ describe Rack::Session::Cookie do
 @warnings.must_be :empty?
 end
 
+ it "doesn't warn if coder is configured to handle encoding" do
+ Rack::Session::Cookie.new(
+ incrementor,
+ :coder => Object.new,
+ :let_coder_handle_secure_encoding => true)
+ @warnings.must_be :empty?
+ end
+
+ it "still warns if coder is not set" do
+ Rack::Session::Cookie.new(
+ incrementor,
+ :let_coder_handle_secure_encoding => true)
+ @warnings.first.must_match(/no secret/i)
+ end
+
 it 'uses a coder' do
 identity = Class.new {
 attr_reader :calls |
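Review bot: `secure?` takes `let_coder_handle_secure_encoding` as an unverified declaration: the new method checks only that `options[:coder]` is truthy and the flag is truthy, never that the coder signs or encrypts its output, so a coder that merely serializes, combined with the flag, runs with no secret, skips the `generate_hmac` protection visible just above, and leaves the session cookie forgeable by the client. That contract should be spelled out where the next maintainer will read it; I would add above `def secure?(options)`: `# True when an HMAC secret is configured, or when the caller has asserted that the custom coder does its own authentication/encryption. The assertion is not checked: setting the flag with a coder that does neither disables all integrity protection.` Whether `secure?` lands under the same `private` section as `generate_hmac` is not visible in this hunk; it should, since it is an internal check on the raw options hash rather than part of the middleware's API.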
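Review bot: The two new specs only show that a truthy `:coder` (here a bare `Object.new`) plus a truthy flag silences the warning, and that the flag alone does not; nothing pins that the flag's value is honored when a coder is present, so a later change that silences the warning for any custom coder would pass this suite. I would add a third case beside `"still warns if coder is not set"`: `it "still warns if coder is set but the flag is not" do` constructing `Rack::Session::Cookie.new(incrementor, :coder => Object.new)` and asserting `@warnings.first.must_match(/no secret/i)`. The enclosing `describe Rack::Session::Cookie` block starts and ends outside this hunk.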