vendor/rails/actionpack/lib/action_controller/cgi_process.rb

   1 require 'action_controller/cgi_ext'
   2 require 'action_controller/session/cookie_store'
   3
   4 module ActionController #:nodoc:
   5   class Base
   6     # Process a request extracted from a CGI object and return a response. Pass false as <tt>session_options</tt> to disable
   7     # sessions (large performance increase if sessions are not needed). The <tt>session_options</tt> are the same as for CGI::Session:
   8     #
   9     # * <tt>:database_manager</tt> - standard options are CGI::Session::FileStore, CGI::Session::MemoryStore, and CGI::Session::PStore
  10     #   (default). Additionally, there is CGI::Session::DRbStore and CGI::Session::ActiveRecordStore. Read more about these in
  11     #   lib/action_controller/session.
  12     # * <tt>:session_key</tt> - the parameter name used for the session id. Defaults to '_session_id'.
  13     # * <tt>:session_id</tt> - the session id to use.  If not provided, then it is retrieved from the +session_key+ cookie, or
  14     #   automatically generated for a new session.
  15     # * <tt>:new_session</tt> - if true, force creation of a new session.  If not set, a new session is only created if none currently
  16     #   exists.  If false, a new session is never created, and if none currently exists and the +session_id+ option is not set,
  17     #   an ArgumentError is raised.
  18     # * <tt>:session_expires</tt> - the time the current session expires, as a Time object.  If not set, the session will continue
  19     #   indefinitely.
  20     # * <tt>:session_domain</tt> - the hostname domain for which this session is valid. If not set, defaults to the hostname of the
  21     #   server.
  22     # * <tt>:session_secure</tt> - if +true+, this session will only work over HTTPS.
  23     # * <tt>:session_path</tt> - the path for which this session applies.  Defaults to the directory of the CGI script.
  24     # * <tt>:cookie_only</tt> - if +true+ (the default), session IDs will only be accepted from cookies and not from
  25     #   the query string or POST parameters. This protects against session fixation attacks.
  26     def self.process_cgi(cgi = CGI.new, session_options = {})
  27       new.process_cgi(cgi, session_options)
  28     end
  29
  30     def process_cgi(cgi, session_options = {}) #:nodoc:
  31       process(CgiRequest.new(cgi, session_options), CgiResponse.new(cgi)).out
  32     end
  33   end
  34
  35   class CgiRequest < AbstractRequest #:nodoc:
  36     attr_accessor :cgi, :session_options
  37     class SessionFixationAttempt < StandardError #:nodoc:
  38     end
  39
  40     DEFAULT_SESSION_OPTIONS = {
  41       :database_manager => CGI::Session::CookieStore, # store data in cookie
  42       :prefix           => "ruby_sess.",    # prefix session file names
  43       :session_path     => "/",             # available to all paths in app
  44       :session_key      => "_session_id",
  45       :cookie_only      => true,
  46       :session_http_only=> true
  47     }
  48
  49     def initialize(cgi, session_options = {})
  50       @cgi = cgi
  51       @session_options = session_options
  52       @env = @cgi.__send__(:env_table)
  53       super()
  54     end
  55
  56     def query_string
  57       qs = @cgi.query_string if @cgi.respond_to?(:query_string)
  58       if !qs.blank?
  59         qs
  60       else
  61         super
  62       end
  63     end
  64
  65     def body_stream #:nodoc:
  66       @cgi.stdinput
  67     end
  68
  69     def cookies
  70       @cgi.cookies.freeze
  71     end
  72
  73     def session
  74       unless defined?(@session)
  75         if @session_options == false
  76           @session = Hash.new
  77         else
  78           stale_session_check! do
  79             if cookie_only? && query_parameters[session_options_with_string_keys['session_key']]
  80               raise SessionFixationAttempt
  81             end
  82             case value = session_options_with_string_keys['new_session']
  83               when true
  84                 @session = new_session
  85               when false
  86                 begin
  87                   @session = CGI::Session.new(@cgi, session_options_with_string_keys)
  88                 # CGI::Session raises ArgumentError if 'new_session' == false
  89                 # and no session cookie or query param is present.
  90                 rescue ArgumentError
  91                   @session = Hash.new
  92                 end
  93               when nil
  94                 @session = CGI::Session.new(@cgi, session_options_with_string_keys)
  95               else
  96                 raise ArgumentError, "Invalid new_session option: #{value}"
  97             end
  98             @session['__valid_session']
  99           end
 100         end
 101       end
 102       @session
 103     end
 104
 105     def reset_session
 106       @session.delete if defined?(@session) && @session.is_a?(CGI::Session)
 107       @session = new_session
 108     end
 109
 110     def method_missing(method_id, *arguments)
 111       @cgi.__send__(method_id, *arguments) rescue super
 112     end
 113
 114     private
 115       # Delete an old session if it exists then create a new one.
 116       def new_session
 117         if @session_options == false
 118           Hash.new
 119         else
 120           CGI::Session.new(@cgi, session_options_with_string_keys.merge("new_session" => false)).delete rescue nil
 121           CGI::Session.new(@cgi, session_options_with_string_keys.merge("new_session" => true))
 122         end
 123       end
 124
 125       def cookie_only?
 126         session_options_with_string_keys['cookie_only']
 127       end
 128
 129       def stale_session_check!
 130         yield
 131       rescue ArgumentError => argument_error
 132         if argument_error.message =~ %r{undefined class/module ([\w:]*\w)}
 133           begin
 134             # Note that the regexp does not allow $1 to end with a ':'
 135             $1.constantize
 136           rescue LoadError, NameError => const_error
 137             raise ActionController::SessionRestoreError, <<-end_msg
 138 Session contains objects whose class definition isn\'t available.
 139 Remember to require the classes for all objects kept in the session.
 140 (Original exception: #{const_error.message} [#{const_error.class}])
 141 end_msg
 142           end
 143
 144           retry
 145         else
 146           raise
 147         end
 148       end
 149
 150       def session_options_with_string_keys
 151         @session_options_with_string_keys ||= DEFAULT_SESSION_OPTIONS.merge(@session_options).stringify_keys
 152       end
 153   end
 154
 155   class CgiResponse < AbstractResponse #:nodoc:
 156     def initialize(cgi)
 157       @cgi = cgi
 158       super()
 159     end
 160
 161     def out(output = $stdout)
 162       output.binmode      if output.respond_to?(:binmode)
 163       output.sync = false if output.respond_to?(:sync=)
 164
 165       begin
 166         output.write(@cgi.header(@headers))
 167
 168         if @cgi.__send__(:env_table)['REQUEST_METHOD'] == 'HEAD'
 169           return
 170         elsif @body.respond_to?(:call)
 171           # Flush the output now in case the @body Proc uses
 172           # #syswrite.
 173           output.flush if output.respond_to?(:flush)
 174           @body.call(self, output)
 175         else
 176           output.write(@body)
 177         end
 178
 179         output.flush if output.respond_to?(:flush)
 180       rescue Errno::EPIPE, Errno::ECONNRESET
 181         # lost connection to parent process, ignore output
 182       end
 183     end
 184   end
 185 end