From c79c40ed82186fc5000cf5beea697b286422bcdb Mon Sep 17 00:00:00 2001 From: Jon Moss Date: Mon, 19 Dec 2016 21:24:12 -0500 Subject: [PATCH] Limit length of secret being passed Very similar to PR #25758, see more in depth reasoning there. --- railties/test/application/middleware/session_test.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/railties/test/application/middleware/session_test.rb b/railties/test/application/middleware/session_test.rb index 0e4acfd..959a629 100644 --- a/railties/test/application/middleware/session_test.rb +++ b/railties/test/application/middleware/session_test.rb @@ -174,7 +174,7 @@ def read_raw_cookie secret = app.key_generator.generate_key('encrypted cookie') sign_secret = app.key_generator.generate_key('signed encrypted cookie') - encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret) + encryptor = ActiveSupport::MessageEncryptor.new(secret[0, ActiveSupport::MessageEncryptor.key_len], sign_secret) get '/foo/read_raw_cookie' assert_equal 1, encryptor.decrypt_and_verify(last_response.body)['foo'] @@ -223,7 +223,7 @@ def read_raw_cookie secret = app.key_generator.generate_key('encrypted cookie') sign_secret = app.key_generator.generate_key('signed encrypted cookie') - encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret) + encryptor = ActiveSupport::MessageEncryptor.new(secret[0, ActiveSupport::MessageEncryptor.key_len], sign_secret) get '/foo/read_raw_cookie' assert_equal 1, encryptor.decrypt_and_verify(last_response.body)['foo'] @@ -282,7 +282,7 @@ def read_raw_cookie secret = app.key_generator.generate_key('encrypted cookie') sign_secret = app.key_generator.generate_key('signed encrypted cookie') - encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret) + encryptor = ActiveSupport::MessageEncryptor.new(secret[0, ActiveSupport::MessageEncryptor.key_len], sign_secret) get '/foo/read_raw_cookie' assert_equal 2, encryptor.decrypt_and_verify(last_response.body)['foo']