Rails 2.3.4 breaks if I set a cookie's value to a FixNum?

phallstrom · October 26, 2009, 10:07pm

Hi all -

I just upgraded a project to 2.3.4
(a54f572d6f994615a2053c361728b65520a1cb53) and I get errors if I set a
cookie to a number like this:

cookies[‘foo’] = 123 # errors out on a call to CGI::escape(123)

private method `gsub' called for 0:Fixnum /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/ 1.8/cgi.rb:342:in`escape’
vendor/rails/actionpack/lib/action_controller/cgi_ext/cookie.rb:72:in
`to_s' vendor/rails/actionpack/lib/action_controller/cgi_ext/cookie.rb:72:in`collect’
vendor/rails/actionpack/lib/action_controller/cgi_ext/cookie.rb:72:in
`to_s' vendor/rails/actionpack/lib/action_controller/cookies.rb:92:in`set_cookie’
vendor/rails/actionpack/lib/action_controller/cookies.rb:73:in `[]=' app/controllers/application_controller.rb:33:in`set_cookies’

Digging through the code the offending method is below.

diff --git a/vendor/rails/actionpack/lib/action_controller/cgi_ext/
cookie.rb b/vendor/rails/actionpack/lib/action_controller/cgi_ext/
cookie.rb
index 009ddd1…a8cb771 100755
— a/vendor/rails/actionpack/lib/action_controller/cgi_ext/cookie.rb
+++ b/vendor/rails/actionpack/lib/action_controller/cgi_ext/cookie.rb
@@ -69,7 +69,7 @@ class CGI #:nodoc:
def to_s
buf = ‘’
buf << @name << ‘=’

 buf << (@value.kind_of?(String) ? CGI::escape(@value) :

@value.collect{|v| CGI::escape(v) }.join("&"))

 buf << (@value.kind_of?(String) ? CGI::escape(@value) :

@value.collect{|v| CGI::escape(v.to_s) }.join("&"))
buf << ‘; domain=’ << @domain if @domain
buf << ‘; path=’ << @path if @path
buf << ‘; expires=’ << CGI::rfc1123_date(@expires) if @expires

Couple of questions… CGI::escape’s source indicates it takes a
string and does zero checking before trying to call gsub on it. So
why isn’t this method calling to_s on the value? Is there a reason
I’m not thinking of that it shouldn’t do this?
Secondly, I tried to add a test to Rails to check this, but none of
the cookie tests seem to touch this section of the code. Which seems
odd to me and makes me wonder if I’m doing something wrong or if the
tests simply don’t trigger this. However, if I make this change in my
vendor/rails and hit my application it does get called. Any ideas
there?
And lastly, is this worthy of a bug submission? Or was I living fast
and loose thinking I could assign pure numbers to my cookies?
Thanks!
-philip

phallstrom · October 26, 2009, 10:13pm

Hrm. I think I’m losing it… that github commit isn’t 2.3.4, but
still the rest applies… I think. Heh.

phallstrom · October 26, 2009, 10:31pm

All -

Sorry for the wasted bandwidth. Not sure what happened, but this
isn’t relevant.

Sorry.

Rails 2.3.4 breaks if I set a cookie's value to a FixNum?

Digging through the code the offending method is below.

@value.collect{|v| CGI::escape(v.to_s) }.join("&")) buf << ‘; domain=’ << @domain if @domain buf << ‘; path=’ << @path if @path buf << ‘; expires=’ << CGI::rfc1123_date(@expires) if @expires

@value.collect{|v| CGI::escape(v.to_s) }.join("&"))
buf << ‘; domain=’ << @domain if @domain
buf << ‘; path=’ << @path if @path
buf << ‘; expires=’ << CGI::rfc1123_date(@expires) if @expires