Download as
Browse Code »

Commit c56be7002d5bff816a45c4a679aa5ff2988237fa

Authored by Antonio Terceiro
1 parent 75570d37
Exists in master and in 29 other branches add_member_task_reject_details, admin_visible_profile, article-list-template, community_notifications, contact_admin_translation, event_fixes, fix_comments_pagination, fix_rails4_organization_ratings, fix_sign_up_form, follow_step_fix, forum_topic_creation, mirror_block_improvements, multi_env_on_remote_user, new_security, noosfero_spb_ci, organization_ratings_improvements, organization_ratings_link_to_profile_stable-spb-1.3, organization_ratings_translations_fix, profile_api_improvements, ratings_minor_fixes, remote_user_fix, send_email_to_admins, stable-spb-1.3, stable-spb-1.3-fixes, stable-spb-1.4, stable-spb-1.5, suggest_rejected_value, web_steps_improvements, xss_terminate_custom_options

ActionItem922: generate a unique session secret for each installation

Showing 1 changed file with 12 additions and 1 deletions   Show diff stats
config/environment.rb
  Diff comments   View file @c56be70
@@ -18,6 +18,17 @@ extra_controller_dirs = %w[ @@ -18,6 +18,17 @@ extra_controller_dirs = %w[
18 app/controllers/public 18 app/controllers/public
19 ].map {|item| File.join(RAILS_ROOT, item) } 19 ].map {|item| File.join(RAILS_ROOT, item) }
20 20
  21 +def noosfero_session_secret
  22 + file = File.join(File.dirname(__FILE__), 'session.secret')
  23 + if !File.exists?(file)
  24 + secret = (1..128).map { %w[0 1 2 3 4 5 6 7 8 9 a b c d e f][rand(16)] }.join('')
  25 + File.open(file, 'w') do |f|
  26 + f.puts secret
  27 + end
  28 + end
  29 + File.read(file).strip
  30 +end
  31 +
21 Rails::Initializer.run do |config| 32 Rails::Initializer.run do |config|
22 # Settings in config/environments/* take precedence those specified here 33 # Settings in config/environments/* take precedence those specified here
23 34
@@ -51,7 +62,7 @@ Rails::Initializer.run do |config| @@ -51,7 +62,7 @@ Rails::Initializer.run do |config|
51 # no regular words or you'll be exposed to dictionary attacks. 62 # no regular words or you'll be exposed to dictionary attacks.
52 config.action_controller.session = { 63 config.action_controller.session = {
53 :session_key => '_noosfero_session', 64 :session_key => '_noosfero_session',
54 - :secret => '7372009258e02886ca36278257637a008959504400f6286cd09133f6e9131d23460dd77e289bf99b480a3b4d017be0578b59335ce6a1c74e3644e37514926009' 65 + :secret => noosfero_session_secret(),
55 } 66 }
56 67
57 # Adds custom attributes to the Set of allowed html attributes for the #sanitize helper 68 # Adds custom attributes to the Set of allowed html attributes for the #sanitize helper