projects / catagits/Web-Session.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw (parent: ad80e44)
check wrong format request session_id
Masahiro Chiba [Sun, 13 Dec 2009 03:35:23 +0000 (11:35 +0800)]
lib/Plack/Session/State.pm patch | blob | blame | history
lib/Plack/Session/State/Cookie.pm patch | blob | blame | history
t/003_basic_w_file_store.t patch | blob | blame | history
t/lib/TestSession.pm patch | blob | blame | history

diff --git a/lib/Plack/Session/State.pm b/lib/Plack/Session/State.pm
index 10a1368..d8fe1db 100644 (file)
--- a/lib/Plack/Session/State.pm
+++ b/lib/Plack/Session/State.pm
@@ -7,6 +7,7 @@ use Digest::SHA1 ();
 use Plack::Util::Accessor qw[
     session_key
     sid_generator
+    sid_checker
 ];
 
 sub new {
@@ -17,6 +18,7 @@ sub new {
     $params{'sid_generator'} ||= sub {
         Digest::SHA1::sha1_hex(rand() . $$ . {} . time)
     };
+    $params{'sid_checker'} ||= qr/\A[0-9a-f]{40}\Z/;
 
     bless { %params } => $class;
 }
@@ -37,16 +39,36 @@ sub check_expired {
     return $id;
 }
 
+sub check_request_session_id {
+    my ($self, $request) = @_;
+
+    my $reqest_session_id = $self->get_request_session_id($request);
+    my $sid_checker = $self->sid_checker;
+
+    defined $reqest_session_id && $reqest_session_id =~ m{$sid_checker};
+}
+
 sub get_session_id {
     my ($self, $request) = @_;
-    $self->extract( $request )
+    (
+        $self->check_request_session_id($request)
+        &&
+        $self->extract( $request )
+    )
         ||
     $self->generate( $request )
 }
 
+sub get_request_session_id {
+    my ($self, $request ) = @_;
+
+    $request->param( $self->session_key );
+}
+
 sub extract {
     my ($self, $request) = @_;
-    $self->check_expired( $request->param( $self->session_key ) );
+
+    $self->check_expired( $self->get_request_session_id($request) );
 }
 
 sub generate {
@@ -104,7 +126,7 @@ L<Plack::Session::State::Cookie> for an example of this.
 
 =item B<new ( %params )>
 
-The C<%params> can include I<session_key> and I<sid_generator>,
+The C<%params> can include I<session_key>, I<sid_generator> and I<sid_checker>
 however in both cases a default will be provided for you.
 
 =item B<session_key>
@@ -117,6 +139,10 @@ This is a CODE ref used to generate unique session ids, by default
 it will generate a SHA1 using fairly sufficient entropy. If you are
 concerned or interested, just read the source.
 
+=item B<sid_checker>
+
+This is a regex used to check requested session id,
+
 =back
 
 =head2 Session ID Managment
diff --git a/lib/Plack/Session/State/Cookie.pm b/lib/Plack/Session/State/Cookie.pm
index e723d8e..12631d4 100644 (file)
--- a/lib/Plack/Session/State/Cookie.pm
+++ b/lib/Plack/Session/State/Cookie.pm
@@ -17,9 +17,14 @@ sub expire_session_id {
     $self->expires( 0 );
 }
 
+sub get_request_session_id {
+    my ($self, $request ) = @_;
+    ($request->cookie( $self->session_key ) || return )->value;
+}
+
 sub extract {
     my ($self, $request) = @_;
-    $self->check_expired( ( $request->cookie( $self->session_key ) || return )->value );
+    $self->check_expired( $self->get_request_session_id($request) || return );
 }
 
 sub finalize {
diff --git a/t/003_basic_w_file_store.t b/t/003_basic_w_file_store.t
index e5f6817..1801df0 100644 (file)
--- a/t/003_basic_w_file_store.t
+++ b/t/003_basic_w_file_store.t
@@ -37,6 +37,6 @@ t::lib::TestSession::run_all_tests(
     },
 );
 
-unlink $_ foreach glob( File::Spec->catdir($TMP, '*') );
+#unlink $_ foreach glob( File::Spec->catdir($TMP, '*') );
 
 done_testing;
diff --git a/t/lib/TestSession.pm b/t/lib/TestSession.pm
index d642d9e..3f6371b 100644 (file)
--- a/t/lib/TestSession.pm
+++ b/t/lib/TestSession.pm
@@ -227,6 +227,36 @@ sub run_all_tests {
 
         $response_test->( $resp, $sids[1] );
     }
+
+    {
+        # wrong format session_id
+        my $r = $request_creator->({ plack_session => '../wrong' });
+
+        my $s = Plack::Session->new(
+            state   => $state,
+            store   => $storage,
+            request => $r,
+        );
+
+
+        isnt('../wrong' => $s->id, '... regenerate session id');
+
+        ok(!$s->get('foo'), '... no value stored for foo in session');
+
+        lives_ok {
+            $s->set( foo => 'baz' );
+        } '... set the value successfully';
+
+        is($s->get('foo'), 'baz', '... got the foo value back successfully from session');
+
+        my $resp = $r->new_response;
+
+        lives_ok {
+            $s->finalize( $resp );
+        } '... finalized session successfully';
+
+        $response_test->( $resp, $s );
+    }
 }
 
-1;
\ No newline at end of file
+1;
Unnamed repository; edit this file 'description' to name the repository.