lib/rack/session/smart_cookie.rb in rack-session-smart_cookie-0.1.4 vs lib/rack/session/smart_cookie.rb in rack-session-smart_cookie-0.2.0
- old
+ new
@@ -68,16 +68,18 @@
end
end
def initialize(app, options={})
options[:coder] ||= MessagePack.new
- options[:hmac] = OpenSSL::Digest(DEFAULT_DIGEST) unless options.key?(:hmac)
+ unless options.key?(:hmac)
+ options[:hmac] = OpenSSL::Digest(options.fetch(:digest, DEFAULT_DIGEST))
+ end
super
if @secrets.any?
- hmac = options[:hmac].new
+ hmac = options[:hmac].new # throwaway object for inspection purposes
warn <<-MSG if BAD_DIGESTS.include?(hmac.name)
SECURITY WARNING: You have elected to use an old and insecure message
digest algorithm (#{hmac.class}).
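Review bot: The new `:digest` option is silently ignored whenever the caller also passes `:hmac`, because the `unless options.key?(:hmac)` guard skips the `options.fetch(:digest, DEFAULT_DIGEST)` lookup entirely; a caller who sets `digest: 'SHA512'` next to an existing `hmac:` will get the `:hmac` class and no indication that their stronger choice was dropped. Consider rejecting the ambiguous combination before the guard, e.g. `raise ArgumentError, 'pass either :digest or :hmac, not both' if options.key?(:digest) && options.key?(:hmac)`, or at least `warn`ing. It would also help to document the precedence on the method, e.g. `# :hmac (a Digest class) wins over :digest (a name string); :digest is only consulted when :hmac is absent`. Note that `OpenSSL::Digest(name)` raises on an unknown name, so an invalid `:digest` value fails here rather than later. The body of `initialize` continues past this hunk.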
@@ -88,11 +90,11 @@
exploits that may be possible from crafted cookies.
Called from: #{caller[0]}.
MSG
- unless (SECRET_MIN_BYTESIZE..hmac.block_length).cover?(@secrets.first.bytesize)
+ unless (SECRET_MIN_BYTESIZE .. hmac.block_length).cover?(@secrets.first.bytesize)
show_caveat = hmac.digest_length > SECRET_MIN_BYTESIZE
message = String.new(<<-MSG)
SECURITY WARNING: You have provided a session secret with a sub-optimal
byte size.
@@ -110,10 +112,12 @@
"Called from: #{caller[0]}."
warn message
end
end
+
+ @digest_bytes = options[:digest_bytes]
end
private
def unpacked_cookie_data(request)
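Review bot: `@digest_bytes = options[:digest_bytes]` stores the truncation length with no validation, and nothing visible in this diff bounds it, so `digest_bytes: 1` yields an 8-bit session tag that is forgeable in at most 256 attempts, `0` yields an empty tag, a negative value makes `byteslice` return nil, and an oversized value silently falls back to the full digest. A truncated HMAC is only sound if it keeps a substantial part of the output; RFC 2104 §5 suggests at least half the digest length and no fewer than 80 bits. Validate the option here in `initialize`, where the digest class is already known (the code already calls `.new` and `.digest_length` on it for the secret-length warning), and raise rather than warn, since a short tag is far worse than a short secret. `initialize` begins in an earlier hunk.
```ruby
@digest_bytes = options[:digest_bytes]
if @digest_bytes
  full_length = options[:hmac].new.digest_length
  # RFC 2104 s5: keep at least half the tag and no fewer than 80 bits (10 bytes)
  min_length = [full_length / 2, 10].max
  unless @digest_bytes.is_a?(Integer) && (min_length..full_length).cover?(@digest_bytes)
    raise ArgumentError,
          "digest_bytes must be an Integer between #{min_length} and #{full_length}"
  end
end
```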
@@ -147,10 +151,11 @@
session_data
end
def generate_hmac(data, secret)
- Base64.encode(OpenSSL::HMAC.digest(@hmac.new, secret, data))
+ digest = OpenSSL::HMAC.digest(@hmac.new, secret, data)
+ Base64.encode(@digest_bytes ? digest.byteslice(0, @digest_bytes) : digest)
end
end
end
end
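Review bot: `generate_hmac` now truncates the tag without any comment explaining why truncation is acceptable or what invariant it relies on, and the conditional `@digest_bytes ? digest.byteslice(0, @digest_bytes) : digest` behaves surprisingly for out-of-range values (`byteslice(0, 0)` gives an empty tag, a negative length gives nil and `Base64.encode` will raise). Add a comment above the slice such as `# Optional truncation per RFC 2104 s5; @digest_bytes is expected to be validated in #initialize, and the same truncated length must be used on the verify path so tags compare byte-for-byte`. The verification side in `unpacked_cookie_data` is outside this hunk; presumably it calls `generate_hmac` and so truncates identically, but confirm that it also compares the two tags in constant time (e.g. `Rack::Utils.secure_compare`), since a shorter tag makes a timing leak cheaper to exploit.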