Gist nel/1243778, created September 26, 2011 23:39
Never ever do this in a Rack middleware, memory leak + security issue included
```ruby
class MyMiddleWare
  # One shared, mutable response object reused for every request (the bug).
  REDIRECT = [302, { 'Content-Type' => 'text/html; charset=utf-8', 'Location' => '/admin' }, []]

  def initialize(app)
    @app = app
  end

  def call(env)
    if <blabla> # condition left as a placeholder in the original gist
      REDIRECT
    else
      @app.call(env)
    end
  end
end
```
Because the constant is later modified in place by other middleware, the Set-Cookie header is appended to over and over, and so is the session_id. Every visitor ends up receiving every other visitor's cookies: session theft becomes trivial, one visitor's session is handed to the next, and all sorts of nasty things follow.

Never use a constant as a Rack response, NEVER, unless you make sure it is deep frozen.
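The following is an added example, not part of the gist. It reproduces the leak without depending on the rack gem: a cookie-session middleware (standing in for Rack::Session::Cookie, which writes Set-Cookie into the header hash it is handed) wraps the redirecting middleware, and two visitors are sent through the stack. The gist's constant-response pattern is shown next to both fixes the text suggests, a fresh response per call and a deep-frozen constant. Class names, the `redirect`/`session_id` env keys and the visitor names are constructed for the demo.

```ruby
# Added example, not from the gist: a rack-free simulation of the leak.
# CookieSession stands in for Rack::Session::Cookie; all names are constructed.

# The gist's pattern: one shared, mutable response object for every request.
class LeakyRedirect
  REDIRECT = [302, { 'Content-Type' => 'text/html; charset=utf-8',
                     'Location' => '/admin' }, []]

  def initialize(app)
    @app = app
  end

  def call(env)
    env['redirect'] ? REDIRECT : @app.call(env)
  end
end

# Fix 1: build a fresh status/headers/body triple on every call.
class SafeRedirect
  def initialize(app)
    @app = app
  end

  def call(env)
    return @app.call(env) unless env['redirect']

    [302, { 'Content-Type' => 'text/html; charset=utf-8',
            'Location' => '/admin' }, []]
  end
end

# Fix 2: keep the constant but deep-freeze it, so an in-place write by
# downstream middleware raises instead of silently sharing state.
class FrozenRedirect
  REDIRECT = [302, { 'Content-Type' => 'text/html; charset=utf-8',
                     'Location' => '/admin' }.freeze, [].freeze].freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    env['redirect'] ? REDIRECT : @app.call(env)
  end
end

# Stand-in for Rack::Session::Cookie: after the inner app returns, it appends
# this visitor's session cookie to the response's Set-Cookie header in place
# (Rack joins multiple Set-Cookie values with "\n").
class CookieSession
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    cookie = "session_id=#{env['session_id']}"
    headers['Set-Cookie'] = [headers['Set-Cookie'], cookie].compact.join("\n")
    [status, headers, body]
  end
end

INNER_APP = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['ok']] }

# Sends one redirecting request per visitor through the stack and returns the
# Set-Cookie header each visitor receives.
def set_cookie_per_visitor(redirect_class, visitors)
  stack = CookieSession.new(redirect_class.new(INNER_APP))
  visitors.map do |visitor|
    _status, headers, _body = stack.call('redirect' => true, 'session_id' => visitor)
    headers['Set-Cookie']
  end
end

# True when the second visitor's response carries the first visitor's cookie,
# i.e. the session is handed from one visitor to the next.
def leaks_session?(redirect_class)
  _first, second = set_cookie_per_visitor(redirect_class, %w[alice bob])
  second.include?('session_id=alice')
end

# True when the stack refuses to mutate the response (the deep-frozen case).
def rejects_mutation?(redirect_class)
  set_cookie_per_visitor(redirect_class, %w[alice])
  false
rescue FrozenError
  true
end

if __FILE__ == $PROGRAM_NAME
  puts "LeakyRedirect leaks a session:     #{leaks_session?(LeakyRedirect)}"
  puts "SafeRedirect leaks a session:      #{leaks_session?(SafeRedirect)}"
  puts "FrozenRedirect rejects the write:  #{rejects_mutation?(FrozenRedirect)}"
end
```

With `LeakyRedirect`, bob's response carries `session_id=alice` as well as his own cookie, and every later visitor inherits the whole accumulated list. `SafeRedirect` hands each visitor only their own cookie. `FrozenRedirect` raises `FrozenError` on the first request, which is the desired behaviour: a loud failure in development rather than a silent cross-visitor leak in production.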
Why?