Properly delimit length and name in flash cookies.
Fixes #1263.
SergioBenitez committed May 17, 2020
1 parent 1010f6a commit a8b029e
Showing 1 changed file with 9 additions and 4 deletions.
13 changes: 9 additions & 4 deletions core/lib/src/response/flash.rs
Expand Up @@ -11,6 +11,9 @@ use std::sync::atomic::{AtomicBool, Ordering};
// The name of the actual flash cookie.
const FLASH_COOKIE_NAME: &str = "_flash";

// Character to use as a delimiter after the cookie's name's length.
const FLASH_COOKIE_DELIM: char = ':';

/// Sets a "flash" cookie that will be removed when it is accessed. The
/// analogous request type is [`FlashMessage`].
///
Expand Down Expand Up @@ -181,7 +184,9 @@ impl<'r, R: Responder<'r>> Flash<R> {
}

fn cookie(&self) -> Cookie<'static> {
let content = format!("{}{}{}", self.name.len(), self.name, self.message);
let content = format!("{}{}{}{}",
self.name.len(), FLASH_COOKIE_DELIM, self.name, self.message);

Cookie::build(FLASH_COOKIE_NAME, content)
.max_age(Duration::minutes(5))
.path("/")
Expand Down Expand Up @@ -250,9 +255,9 @@ impl<'a, 'r> FromRequest<'a, 'r> for Flash<&'a Request<'r>> {

// Parse the flash message.
let content = cookie.value();
let (len_str, kv) = match content.find(|c: char| !c.is_digit(10)) {
Some(i) => (&content[..i], &content[i..]),
None => (content, ""),
let (len_str, kv) = match content.find(FLASH_COOKIE_DELIM) {
Some(i) => (&content[..i], &content[(i + 1)..]),
None => return Err(()),
};

match len_str.parse::<usize>() {
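Review bot: The length parsed from `len_str` comes from a request cookie and should be checked against `kv` for both range and character boundary before it is used to slice; the arm that consumes `len_str.parse::<usize>()` is outside this hunk, so this is worth confirming there. `cookie()` writes `self.name.len()`, a byte count, and nothing in the visible lines signs or encrypts the value, so a tampered prefix that lands inside a multi-byte character would panic on a direct slice instead of returning `Err(())`. A guard such as `Ok(i) if kv.is_char_boundary(i) =>` covers both conditions. The comment on `FLASH_COOKIE_DELIM` could also state the full layout, e.g. `// Cookie value layout: <name length in bytes>:<name><message>`. A regression test for a name that starts with a digit, the case the old `!c.is_digit(10)` scan could not split, would pin the fix.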
