authorAaron Patterson <aaron.patterson@gmail.com>2019-12-18 10:07:23 -0800
committerAaron Patterson <aaron.patterson@gmail.com>2019-12-18 10:07:23 -0800
commit7fecaee81f59926b6e1913511c90650e76673b38 (patch)
tree287ad9e7a49765b8d45cb334241d54c9df2721b0 /test
parente82f06b354fa74ef40740993bd87280bbf010227 (diff)
parentef6d23d36a1480980971a8ad81ed0b7621ab8101 (diff)
downloadrack-7fecaee81f59926b6e1913511c90650e76673b38.tar.gz
Merge branch 'advisory-fix-1'
* advisory-fix-1: Introduce a new base class to avoid breaking when upgrading Add a version prefix to the private id to make easier to migrate old values Fallback to the public id when reading the session in the pool adapter Also drop the session with the public id when destroying sessions Fallback to the legacy id when the new id is not found Add the private id revert conditionals to master remove NullSession remove || raise and get closer to master store hashed id, send public id use session id objects remove more nils try to ensure we always have some kind of object
Diffstat (limited to 'test')
-rw-r--r--test/spec_session_pool.rb43
1 files changed, 40 insertions, 3 deletions
diff --git a/test/spec_session_pool.rb b/test/spec_session_pool.rb
index fda5f56e..dd1b6573 100644
--- a/test/spec_session_pool.rb
+++ b/test/spec_session_pool.rb
@@ -8,7 +8,7 @@ require 'rack/session/pool'
describe Rack::Session::Pool do
session_key = Rack::Session::Pool::DEFAULT_OPTIONS[:key]
- session_match = /#{session_key}=[0-9a-fA-F]+;/
+ session_match = /#{session_key}=([0-9a-fA-F]+);/
incrementor = lambda do |env|
env["rack.session"]["counter"] ||= 0
@@ -16,7 +16,7 @@ describe Rack::Session::Pool do
Rack::Response.new(env["rack.session"].inspect).to_a
end
- session_id = Rack::Lint.new(lambda do |env|
+ get_session_id = Rack::Lint.new(lambda do |env|
Rack::Response.new(env["rack.session"].inspect).to_a
end)
@@ -145,6 +145,43 @@ describe Rack::Session::Pool do
pool.pool.size.must_equal 1
end
+ it "can read the session with the legacy id" do
+ pool = Rack::Session::Pool.new(incrementor)
+ req = Rack::MockRequest.new(pool)
+
+ res0 = req.get("/")
+ cookie = res0["Set-Cookie"]
+ session_id = Rack::Session::SessionId.new cookie[session_match, 1]
+ ses0 = pool.pool[session_id.private_id]
+ pool.pool[session_id.public_id] = ses0
+ pool.pool.delete(session_id.private_id)
+
+ res1 = req.get("/", "HTTP_COOKIE" => cookie)
+ res1["Set-Cookie"].must_be_nil
+ res1.body.must_equal '{"counter"=>2}'
+ pool.pool[session_id.private_id].wont_be_nil
+ end
+
+ it "drops the session in the legacy id as well" do
+ pool = Rack::Session::Pool.new(incrementor)
+ req = Rack::MockRequest.new(pool)
+ drop = Rack::Utils::Context.new(pool, drop_session)
+ dreq = Rack::MockRequest.new(drop)
+
+ res0 = req.get("/")
+ cookie = res0["Set-Cookie"]
+ session_id = Rack::Session::SessionId.new cookie[session_match, 1]
+ ses0 = pool.pool[session_id.private_id]
+ pool.pool[session_id.public_id] = ses0
+ pool.pool.delete(session_id.private_id)
+
+ res2 = dreq.get("/", "HTTP_COOKIE" => cookie)
+ res2["Set-Cookie"].must_be_nil
+ res2.body.must_equal '{"counter"=>2}'
+ pool.pool[session_id.private_id].must_be_nil
+ pool.pool[session_id.public_id].must_be_nil
+ end
+
# anyone know how to do this better?
it "should merge sessions when multithreaded" do
unless $DEBUG
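Review bot: In "can read the session with the legacy id" nothing asserts what happens to the entry still keyed by `session_id.public_id` after the fallback read, so the spec passes whether the pool migrates the session or keeps a second copy addressable by the raw cookie value. The merge description says the aim is to store the hashed id and send only the public one, so that outcome is worth pinning: either add `pool.pool[session_id.public_id].must_be_nil` after the `private_id` assertion, or, if the legacy entry is meant to survive until the session is destroyed, assert `wont_be_nil` with a comment such as `# legacy key is kept until destroy; covered by the drop spec`. Both new specs also repeat the same three-line move from `private_id` to `public_id`; a short comment there (`# simulate a session written before the upgrade, keyed by the raw id`) would make the setup's intent clear.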
@@ -193,7 +230,7 @@ describe Rack::Session::Pool do
end
it "does not return a cookie if cookie was not written (only read)" do
- app = Rack::Session::Pool.new(session_id)
+ app = Rack::Session::Pool.new(get_session_id)
res = Rack::MockRequest.new(app).get("/")
res["Set-Cookie"].must_be_nil
end