Problem with session methods after Rails 2.3.4


Simon Chiu

Sep 4, 2009, 7:50:44 AM
to Authlogic
After upgrading to Rails 2.3.4 where they fixed some unicode XSS
security, I noticed this. It looks like it is referring to these lines
of code in authlogic's session handling

file: authlogic/session/session.rb

  def session_credentials
    [controller.session[session_key], controller.session["#{session_key}_#{klass.primary_key}"]].compact
  end

If you clear your browser's cookies, it seems to be okay for one page
refresh, but the next one will bring up the same problem.

Anyone else experiencing this?

-- begin trace --

NoMethodError in SignupsController#new

undefined method `^' for "2":String
RAILS_ROOT: /code/myapp

Application Trace | Framework Trace | Full Trace
/.gem/ruby/1.9.1/gems/activesupport-2.3.4/lib/active_support/message_verifier.rb:46:in `block in secure_compare'
/.gem/ruby/1.9.1/gems/activesupport-2.3.4/lib/active_support/message_verifier.rb:45:in `each'
/.gem/ruby/1.9.1/gems/activesupport-2.3.4/lib/active_support/message_verifier.rb:45:in `secure_compare'
/.gem/ruby/1.9.1/gems/activesupport-2.3.4/lib/active_support/message_verifier.rb:28:in `verify'
/.gem/ruby/1.9.1/gems/actionpack-2.3.4/lib/action_controller/session/cookie_store.rb:156:in `unmarshal'
/.gem/ruby/1.9.1/gems/actionpack-2.3.4/lib/action_controller/session/cookie_store.rb:145:in `load_session'
/.gem/ruby/1.9.1/gems/actionpack-2.3.4/lib/action_controller/session/abstract_store.rb:62:in `block in load!'
/.gem/ruby/1.9.1/gems/actionpack-2.3.4/lib/action_controller/session/abstract_store.rb:70:in `stale_session_check!'
/.gem/ruby/1.9.1/gems/actionpack-2.3.4/lib/action_controller/session/abstract_store.rb:61:in `load!'
/.gem/ruby/1.9.1/gems/actionpack-2.3.4/lib/action_controller/session/abstract_store.rb:28:in `[]'
/.gem/ruby/1.9.1/gems/binarylogic-authlogic-2.1.1/lib/authlogic/session/session.rb:46:in `session_credentials'
/.gem/ruby/1.9.1/gems/binarylogic-authlogic-2.1.1/lib/authlogic/session/session.rb:33:in `persist_by_session'
/.gem/ruby/1.9.1/gems/activesupport-2.3.4/lib/active_support/callbacks.rb:178:in `evaluate_method'
/.gem/ruby/1.9.1/gems/activesupport-2.3.4/lib/active_support/callbacks.rb:166:in `call'
/.gem/ruby/1.9.1/gems/activesupport-2.3.4/lib/active_support/callbacks.rb:93:in `block in run'
/.gem/ruby/1.9.1/gems/activesupport-2.3.4/lib/active_support/callbacks.rb:92:in `each'
/.gem/ruby/1.9.1/gems/activesupport-2.3.4/lib/active_support/callbacks.rb:92:in `run'
/.gem/ruby/1.9.1/gems/activesupport-2.3.4/lib/active_support/callbacks.rb:276:in `run_callbacks'
/.gem/ruby/1.9.1/gems/binarylogic-authlogic-2.1.1/lib/authlogic/session/callbacks.rb:78:in `persist'
/.gem/ruby/1.9.1/gems/binarylogic-authlogic-2.1.1/lib/authlogic/session/persistence.rb:55:in `persisting?'
/.gem/ruby/1.9.1/gems/binarylogic-authlogic-2.1.1/lib/authlogic/session/persistence.rb:39:in `find'

-- end trace --

Geoffrey Dagley

Sep 11, 2009, 2:31:12 PM
to Authlogic
It looks like this is an issue with Rails 2.3.4 and Ruby 1.9

https://rails.lighthouseapp.com/projects/8994/tickets/3144-undefined-method-for-string-ror-234

You can download the fixed file and drop it into your Rails until they
release Rails 2.3.5.

http://bit.ly/i6eiL (github) http://bit.ly/2URRYd (raw)

Hope this helps.

Simon Chiu

Sep 12, 2009, 8:32:16 AM
to Authlogic
Thanks Geoffrey. Will take a look at this.
Cheers,

Simon
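
The failure in the trace above, as an added example that is not part of the original thread and is not the Rails source: on Ruby 1.9 and later, String#[] with an integer index returns a one-character String instead of an Integer, so a constant-time comparison that XORs indexed characters raises NoMethodError, while one that XORs bytes does not. The method names and sample digests are hypothetical, and the index-based loop is an assumed reconstruction of the pattern the trace points at.

```ruby
# Added illustration; method names are hypothetical, not the Rails source.

# Pattern implied by the trace: XOR the elements returned by String#[].
# On Ruby 1.8, "abc"[0] is the Integer 97. On Ruby 1.9 and later it is the
# String "a", which has no `^` method, hence the NoMethodError.
def index_xor_compare(a, b)
  return false unless a.length == b.length
  result = 0
  (0...a.length).each { |i| result |= a[i] ^ b[i] }
  result == 0
end

# Byte-based comparison. It ORs together the XOR of every byte pair, so the
# loop runs over the whole input wherever the first mismatch sits and the
# timing does not reveal how many leading bytes of a guess were correct.
# The early return only reveals a length mismatch, and digest length is
# not secret.
def bytewise_secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  result = 0
  a.bytes.zip(b.bytes) { |x, y| result |= x ^ y }
  result == 0
end

# Constructed sample digests (not real session signatures).
GOOD = "2f9c1a7d3e"
BAD  = "2f9c1a7d3f"

# Returns the NoMethodError message raised by the index-based version,
# or nil if it ran without error (as it would on Ruby 1.8).
def index_compare_error(a, b)
  index_xor_compare(a, b)
  nil
rescue NoMethodError => e
  e.message
end

if __FILE__ == $PROGRAM_NAME
  puts "index-based: #{index_compare_error(GOOD, GOOD).inspect}"
  puts "byte-based, equal:     #{bytewise_secure_compare(GOOD, GOOD)}"
  puts "byte-based, different: #{bytewise_secure_compare(GOOD, BAD)}"
end
```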
