Ruby on Rails | Screencasts | Download | Documentation | Weblog | Community | Source

root/branches/1-2-stable/actionpack/lib/action_controller/cgi_process.rb

Revision 8177, 8.4 kB (checked in by nzkoz, 1 year ago)

Merge [8176] to stable to fix session fixation attacks. Closes #10048 [theflow, Koz]

Line 
1 require 'action_controller/cgi_ext/cgi_ext'
2 require 'action_controller/cgi_ext/cookie_performance_fix'
3 require 'action_controller/cgi_ext/raw_post_data_fix'
4 require 'action_controller/cgi_ext/session_performance_fix'
5 require 'action_controller/cgi_ext/pstore_performance_fix'
6
7 module ActionController #:nodoc:
8   class Base
9     # Process a request extracted from an CGI object and return a response. Pass false as <tt>session_options</tt> to disable
10     # sessions (large performance increase if sessions are not needed). The <tt>session_options</tt> are the same as for CGI::Session:
11     #
12     # * <tt>:database_manager</tt> - standard options are CGI::Session::FileStore, CGI::Session::MemoryStore, and CGI::Session::PStore
13     #   (default). Additionally, there is CGI::Session::DRbStore and CGI::Session::ActiveRecordStore. Read more about these in
14     #   lib/action_controller/session.
15     # * <tt>:session_key</tt> - the parameter name used for the session id. Defaults to '_session_id'.
16     # * <tt>:session_id</tt> - the session id to use.  If not provided, then it is retrieved from the +session_key+ cookie, or
17     #   automatically generated for a new session.
18     # * <tt>:new_session</tt> - if true, force creation of a new session.  If not set, a new session is only created if none currently
19     #   exists.  If false, a new session is never created, and if none currently exists and the +session_id+ option is not set,
20     #   an ArgumentError is raised.
21     # * <tt>:session_expires</tt> - the time the current session expires, as a +Time+ object.  If not set, the session will continue
22     #   indefinitely.
23     # * <tt>:session_domain</tt> -  the hostname domain for which this session is valid. If not set, defaults to the hostname of the
24     #   server.
25     # * <tt>:session_secure</tt> - if +true+, this session will only work over HTTPS.
26     # * <tt>:session_path</tt> - the path for which this session applies.  Defaults to the directory of the CGI script.
27     # * <tt>:cookie_only</tt> - if +true+ (the default), session IDs will only be accepted from cookies and not from
28     #   the query string or POST parameters. This protects against session fixation attacks.
29     def self.process_cgi(cgi = CGI.new, session_options = {})
30       new.process_cgi(cgi, session_options)
31     end
32
33     def process_cgi(cgi, session_options = {}) #:nodoc:
34       process(CgiRequest.new(cgi, session_options), CgiResponse.new(cgi)).out
35     end
36   end
37
38   class CgiRequest < AbstractRequest #:nodoc:
39     attr_accessor :cgi, :session_options
40     class SessionFixationAttempt < StandardError; end #:nodoc:
41
42     DEFAULT_SESSION_OPTIONS = {
43       :database_manager => CGI::Session::PStore,
44       :prefix           => "ruby_sess.",
45       :session_path     => "/",
46       :session_key      => "_session_id",
47       :cookie_only      => true
48     } unless const_defined?(:DEFAULT_SESSION_OPTIONS)
49
50     def initialize(cgi, session_options = {})
51       @cgi = cgi
52       @session_options = session_options
53       @env = @cgi.send(:env_table)
54       super()
55     end
56
57     def cookie_only?
58       session_options_with_string_keys['cookie_only']
59     end
60
61     def query_string
62       if (qs = @cgi.query_string) && !qs.empty?
63         qs
64       elsif uri = @env['REQUEST_URI']
65         parts = uri.split('?')
66         parts.shift
67         parts.join('?')
68       else
69         @env['QUERY_STRING'] || ''
70       end
71     end
72
73     def query_parameters
74       @query_parameters ||=
75         (qs = self.query_string).empty? ? {} : CGIMethods.parse_query_parameters(qs)
76     end
77
78     def request_parameters
79       @request_parameters ||=
80         if ActionController::Base.param_parsers.has_key?(content_type)
81           CGIMethods.parse_formatted_request_parameters(content_type, @env['RAW_POST_DATA'])
82         else
83           CGIMethods.parse_request_parameters(@cgi.params)
84         end
85     end
86
87     def cookies
88       @cgi.cookies.freeze
89     end
90
91     def host_with_port
92       if forwarded = env["HTTP_X_FORWARDED_HOST"]
93         forwarded.split(/,\s?/).last
94       elsif http_host = env['HTTP_HOST']
95         http_host
96       elsif server_name = env['SERVER_NAME']
97         server_name
98       else
99         "#{env['SERVER_ADDR']}:#{env['SERVER_PORT']}"
100       end
101     end
102
103     def host
104       host_with_port[/^[^:]+/]
105     end
106
107     def port
108       if host_with_port =~ /:(\d+)$/
109         $1.to_i
110       else
111         standard_port
112       end
113     end
114
115     def session
116       unless defined?(@session)
117         if @session_options == false
118           @session = Hash.new
119         else
120           stale_session_check! do
121             if cookie_only? && request_parameters[session_options_with_string_keys['session_key']]
122               raise SessionFixationAttempt
123             end
124             case value = session_options_with_string_keys['new_session']
125               when true
126                 @session = new_session
127               when false
128                 begin
129                   @session = CGI::Session.new(@cgi, session_options_with_string_keys)
130                 # CGI::Session raises ArgumentError if 'new_session' == false
131                 # and no session cookie or query param is present.
132                 rescue ArgumentError
133                   @session = Hash.new
134                 end
135               when nil
136                 @session = CGI::Session.new(@cgi, session_options_with_string_keys)
137               else
138                 raise ArgumentError, "Invalid new_session option: #{value}"
139             end
140             @session['__valid_session']
141           end
142         end
143       end
144       @session
145     end
146
147     def reset_session
148       @session.delete if defined?(@session) && @session.is_a?(CGI::Session)
149       @session = new_session
150     end
151
152     def method_missing(method_id, *arguments)
153       @cgi.send(method_id, *arguments) rescue super
154     end
155
156     private
157       # Delete an old session if it exists then create a new one.
158       def new_session
159         if @session_options == false
160           Hash.new
161         else
162           CGI::Session.new(@cgi, session_options_with_string_keys.merge("new_session" => false)).delete rescue nil
163           CGI::Session.new(@cgi, session_options_with_string_keys.merge("new_session" => true))
164         end
165       end
166
167       def stale_session_check!
168         yield
169       rescue ArgumentError => argument_error
170         if argument_error.message =~ %r{undefined class/module ([\w:]+)}
171           begin
172             Module.const_missing($1)
173           rescue LoadError, NameError => const_error
174             raise ActionController::SessionRestoreError, <<-end_msg
175 Session contains objects whose class definition isn\'t available.
176 Remember to require the classes for all objects kept in the session.
177 (Original exception: #{const_error.message} [#{const_error.class}])
178 end_msg
179           end
180
181           retry
182         else
183           raise
184         end
185       end
186
187       def session_options_with_string_keys
188         @session_options_with_string_keys ||= DEFAULT_SESSION_OPTIONS.merge(@session_options).stringify_keys
189       end
190   end
191
192   class CgiResponse < AbstractResponse #:nodoc:
193     def initialize(cgi)
194       @cgi = cgi
195       super()
196     end
197
198     def out(output = $stdout)
199       convert_content_type!
200       set_content_length!
201
202       output.binmode      if output.respond_to?(:binmode)
203       output.sync = false if output.respond_to?(:sync=)
204
205       begin
206         output.write(@cgi.header(@headers))
207
208         if @cgi.send(:env_table)['REQUEST_METHOD'] == 'HEAD'
209           return
210         elsif @body.respond_to?(:call)
211           # Flush the output now in case the @body Proc uses
212           # #syswrite.
213           output.flush if output.respond_to?(:flush)
214           @body.call(self, output)
215         else
216           output.write(@body)
217         end
218
219         output.flush if output.respond_to?(:flush)
220       rescue Errno::EPIPE, Errno::ECONNRESET
221         # lost connection to parent process, ignore output
222       end
223     end
224
225     private
226       def convert_content_type!
227         if content_type = @headers.delete("Content-Type")
228           @headers["type"] = content_type
229         end
230         if content_type = @headers.delete("Content-type")
231           @headers["type"] = content_type
232         end
233         if content_type = @headers.delete("content-type")
234           @headers["type"] = content_type
235         end
236       end
237      
238       # Don't set the Content-Length for block-based bodies as that would mean reading it all into memory. Not nice
239       # for, say, a 2GB streaming file.
240       def set_content_length!
241         @headers["Content-Length"] = @body.size unless @body.respond_to?(:call)
242       end
243   end
244 end
Note: See TracBrowser for help on using the browser.