Merge pull request #9196 from AndreyChernyh/fix-cookies-with-null-session

Fix #9168 Initialize NullCookieJar with all options needed for KeyGenerator

Merge pull request #9196 from AndreyChernyh/fix-cookies-with-null-session
Fix #9168 Initialize NullCookieJar with all options needed for KeyGenerator
86bfdbb5 · Santiago Pastorino · 10d301e6 · 4127332a · 86bfdbb5 · 86bfdbb5
4 changed file
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -13,6 +13,11 @@

    *Yves Senn*

+*   Fix error (#9168) which was produced by setting signed/encrypted 
+    cookie when :null_session forgery protection method was used.
+
+    *Andrey Chernih*
+
 *   `assert_template` can be used to verify the locals of partials,
    which live inside a directory.
    Fixes #8516.

--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -126,7 +126,7 @@ def self.build(request)
            host          = request.host
            secure        = request.ssl?

-            new(key_generator, host, secure)
+            new(key_generator, host, secure, options_for_env({}))
          end

          def write(*)

--- a/actionpack/lib/action_dispatch/middleware/cookies.rb
+++ b/actionpack/lib/action_dispatch/middleware/cookies.rb
@@ -110,13 +110,17 @@ class CookieJar #:nodoc:
      # $& => example.local
      DOMAIN_REGEXP = /[^.]*\.([^.]*|..\...|...\...)$/

+      def self.options_for_env(env) #:nodoc:
+        { signed_cookie_salt: env[SIGNED_COOKIE_SALT] || '',
+          encrypted_cookie_salt: env[ENCRYPTED_COOKIE_SALT] || '',
+          encrypted_signed_cookie_salt: env[ENCRYPTED_SIGNED_COOKIE_SALT] || '',
+          token_key: env[TOKEN_KEY] }
+      end
+
      def self.build(request)
        env = request.env
        key_generator = env[GENERATOR_KEY]
-        options = { signed_cookie_salt: env[SIGNED_COOKIE_SALT],
-                    encrypted_cookie_salt: env[ENCRYPTED_COOKIE_SALT],
-                    encrypted_signed_cookie_salt: env[ENCRYPTED_SIGNED_COOKIE_SALT],
-                    token_key: env[TOKEN_KEY] }
+        options = options_for_env env

        host = request.host
        secure = request.ssl?

--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -66,6 +66,19 @@ class RequestForgeryProtectionControllerUsingException < ActionController::Base
  protect_from_forgery :only => %w(index meta), :with => :exception
 end

+class RequestForgeryProtectionControllerUsingNullSession < ActionController::Base
+  protect_from_forgery :with => :null_session
+
+  def signed
+    cookies.signed[:foo] = 'bar'
+    render :nothing => true
+  end
+
+  def encrypted
+    cookies.encrypted[:foo] = 'bar'
+    render :nothing => true
+  end
+end

 class FreeCookieController < RequestForgeryProtectionControllerUsingResetSession
  self.allow_forgery_protection = false
@@ -287,6 +300,28 @@ class RequestForgeryProtectionControllerUsingResetSessionTest < ActionController
  end
 end

+class NullSessionDummyKeyGenerator
+  def generate_key(secret)
+    '03312270731a2ed0d11ed091c2338a06'
+  end
+end
+
+class RequestForgeryProtectionControllerUsingNullSessionTest < ActionController::TestCase  
+  def setup
+    @request.env[ActionDispatch::Cookies::GENERATOR_KEY] = NullSessionDummyKeyGenerator.new
+  end
+
+  test 'should allow to set signed cookies' do
+    post :signed
+    assert_response :ok
+  end
+
+  test 'should allow to set encrypted cookies' do
+    post :encrypted
+    assert_response :ok
+  end
+end
+
 class RequestForgeryProtectionControllerUsingExceptionTest < ActionController::TestCase
  include RequestForgeryProtectionTests
  def assert_blocked