Hi all -
I just upgraded a project to 2.3.4
(a54f572d6f994615a2053c361728b65520a1cb53) and I get errors if I set a
cookie to a number like this:
cookies['foo'] = 123 # errors out on a call to CGI::escape(123)
private method `gsub' called for 0:Fixnum
/System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/cgi.rb:342:in `escape'
vendor/rails/actionpack/lib/action_controller/cgi_ext/cookie.rb:72:in `to_s'
vendor/rails/actionpack/lib/action_controller/cgi_ext/cookie.rb:72:in `collect'
vendor/rails/actionpack/lib/action_controller/cgi_ext/cookie.rb:72:in `to_s'
vendor/rails/actionpack/lib/action_controller/cookies.rb:92:in `set_cookie'
vendor/rails/actionpack/lib/action_controller/cookies.rb:73:in `[]='
app/controllers/application_controller.rb:33:in `set_cookies'
Digging through the code, the offending method is below.
diff --git a/vendor/rails/actionpack/lib/action_controller/cgi_ext/
cookie.rb b/vendor/rails/actionpack/lib/action_controller/cgi_ext/
cookie.rb
index 009ddd1…a8cb771 100755
— a/vendor/rails/actionpack/lib/action_controller/cgi_ext/cookie.rb
+++ b/vendor/rails/actionpack/lib/action_controller/cgi_ext/cookie.rb
@@ -69,7 +69,7 @@ class CGI #:nodoc:
def to_s
buf = ‘’
buf << @name << ‘=’
-
buf << (@value.kind_of?(String) ? CGI::escape(@value) :
@value.collect{|v| CGI::escape(v) }.join("&"))
-
buf << (@value.kind_of?(String) ? CGI::escape(@value) :
@value.collect{|v| CGI::escape(v.to_s) }.join("&"))
buf << ‘; domain=’ << @domain if @domain
buf << ‘; path=’ << @path if @path
buf << ‘; expires=’ << CGI::rfc1123_date(@expires) if @expires
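Review bot: The v.to_s added inside the collect block coerces every non-String element, not only numbers: nil becomes an empty string, and any other object is written into the cookie as whatever its to_s returns, with no error raised. Consider converting only String and Numeric elements and raising a clear ArgumentError for anything else, so a wrong type fails at the assignment instead of producing an unexpected cookie value. The String branch, CGI::escape(@value), is unchanged and needs no conversion. The change should also come with a test that serializes a cookie holding a non-String value through this to_s, since the message reports that none of the existing cookie tests reach it.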
Couple of questions… CGI::escape’s source indicates it takes a
string and does zero checking before trying to call gsub on it. So
why isn’t this method calling to_s on the value? Is there a reason
I’m not thinking of that it shouldn’t do this?
Secondly, I tried to add a test to Rails to check this, but none of
the cookie tests seem to touch this section of the code. Which seems
odd to me and makes me wonder if I’m doing something wrong or if the
tests simply don’t trigger this. However, if I make this change in my
vendor/rails and hit my application it does get called. Any ideas
there?
And lastly, is this worthy of a bug submission? Or was I living fast
and loose thinking I could assign pure numbers to my cookies?
Thanks!
-philip