Philip Hallstrom
2009-Oct-26 21:06 UTC
Rails 2.3.4 breaks if I set a cookie's value to a FixNum ???
Hi all -

I just upgraded a project to 2.3.4 (a54f572d6f994615a2053c361728b65520a1cb53) and I get errors if I set a cookie to a number like this:

cookies['foo'] = 123 # errors out on a call to CGI::escape(123)

-----------------------------------------------------------------------------------------------------------------
private method `gsub' called for 0:Fixnum
/System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/cgi.rb:342:in `escape'
vendor/rails/actionpack/lib/action_controller/cgi_ext/cookie.rb:72:in `to_s'
vendor/rails/actionpack/lib/action_controller/cgi_ext/cookie.rb:72:in `collect'
vendor/rails/actionpack/lib/action_controller/cgi_ext/cookie.rb:72:in `to_s'
vendor/rails/actionpack/lib/action_controller/cookies.rb:92:in `set_cookie'
vendor/rails/actionpack/lib/action_controller/cookies.rb:73:in `[]='
app/controllers/application_controller.rb:33:in `set_cookies'
-----------------------------------------------------------------------------------------------------------------
Digging through the code the offending method is below.
-----------------------------------------------------------------------------------------------------------------
diff --git a/vendor/rails/actionpack/lib/action_controller/cgi_ext/ cookie.rb b/vendor/rails/actionpack/lib/action_controller/cgi_ext/ cookie.rb index 009ddd1..a8cb771 100755 --- a/vendor/rails/actionpack/lib/action_controller/cgi_ext/cookie.rb +++ b/vendor/rails/actionpack/lib/action_controller/cgi_ext/cookie.rb 
@@ -69,7 +69,7 @@ class CGI #:nodoc: def to_s buf = '''' buf << @name << ''='' - buf << (@value.kind_of?(String) ? CGI::escape(@value) : @value.collect{|v| CGI::escape(v) }.join("&")) + buf << (@value.kind_of?(String) ? CGI::escape(@value) : @value.collect{|v| CGI::escape(v.to_s) }.join("&")) buf << ''; domain='' << @domain if @domain buf << ''; path='' << @path if @path buf << ''; expires='' << CGI::rfc1123_date(@expires) if @expires
-----------------------------------------------------------------------------------------------------------------

Couple of questions... CGI::escape's source indicates it takes a string and does *zero* checking before trying to call gsub on it. So why isn't this method calling to_s on the value? Is there a reason I'm not thinking of that it shouldn't do this?

Secondly, I tried to add a test to Rails to check this, but none of the cookie tests seem to touch this section of the code. Which seems odd to me and makes me wonder if I'm doing something wrong or if the tests simply don't trigger this. However, if I make this change in my vendor/rails and hit my application it *does* get called. Any ideas there?

And lastly, is this worthy of a bug submission? Or was I living fast and loose thinking I could assign pure numbers to my cookies?

Thanks!

-philip
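Review bot: In the changed `+` line, `to_s` is applied only inside the `collect` block, so the non-String branch still assumes `@value` responds to `collect`; a bare number held in `@value` without an array wrapper would fail one step earlier with a missing-method error rather than in `CGI::escape`. If scalar non-String values are meant to be accepted, normalise the value in that branch as well, for example `Array(@value).collect{|v| CGI::escape(v.to_s) }`. A blanket `to_s` also turns `nil` into an empty cookie value and writes any object's default string form into the header, so consider limiting the coercion to numerics, or raising on other types, instead of hiding the type error. The diff touches only `cookie.rb`; it should come with a test that sets a numeric cookie value and asserts on the output of this `to_s`, and callers should expect the value to read back as the string "123", not a number.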
Philip Hallstrom
2009-Oct-26 21:11 UTC
Re: Rails 2.3.4 breaks if I set a cookie's value to a FixNum ???
Hrm. I think I'm losing it... that github commit isn't 2.3.4, but still the rest applies... I think. Heh.
Philip Hallstrom
2009-Oct-26 21:30 UTC
Re: Rails 2.3.4 breaks if I set a cookie's value to a FixNum ??? (IGNORE THIS. DOING SOMETHING STUPID)
All -

Sorry for the wasted bandwidth. Not sure what happened, but this isn't relevant. Sorry.