August 12 2008

Security Vulnerability: Session Cookie Store

by railsdog

There’s been a minor security fix checked into the git repository this morning. The problem relates to users who used the spree gem to create a new spree application but did not change the value of the secret key in config/environment.rb in the newly created app.

Your application is vulnerable if you have the following hash value for config.action_controller_session in your app’s config/environment.rb:

:secret => '2271bed096798b2c9e7b7ec14263e669944808bb94cb56d4befa5757cbb931095a3644c785

To fix it, simply change the value of the hash to some other random hash value with at least 30 characters. This has been fixed in the source and in the upcoming 0.3.0 release so newly generated applications will not have this problem.
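As an added example (not code from the Spree project or this post), the Ruby script below shows both halves of the fix described above: it audits the text of a `config/environment.rb` for the shipped default secret or for a secret shorter than 30 characters, and it generates a fresh random secret to replace it. The known-default check matches only on the prefix quoted in this post, since the post shows the value truncated; the sample config text is constructed for the example, and the function names are my own.

```ruby
require 'securerandom'

# Prefix of the default secret quoted in the post (the post shows it truncated,
# so we match on the prefix rather than the full value).
KNOWN_DEFAULT_SECRET_PREFIX =
  '2271bed096798b2c9e7b7ec14263e669944808bb94cb56d4befa5757cbb931095a3644c785'

# Minimum length the post asks for.
MIN_SECRET_LENGTH = 30

# Pull the :secret value out of the config.action_controller.session hash
# as written in a Rails 2.x config/environment.rb.
def extract_session_secret(config_text)
  m = config_text.match(/:secret\s*=>\s*['"]([^'"]*)['"]/)
  m && m[1]
end

# Classify a config file's session secret:
#   :missing    - no :secret key found at all
#   :vulnerable - the shipped default, or shorter than MIN_SECRET_LENGTH
#   :ok         - a custom secret of acceptable length
def audit_session_secret(config_text)
  secret = extract_session_secret(config_text)
  return :missing if secret.nil?
  return :vulnerable if secret.start_with?(KNOWN_DEFAULT_SECRET_PREFIX)
  return :vulnerable if secret.length < MIN_SECRET_LENGTH
  :ok
end

# Generate a replacement secret: 64 random bytes rendered as 128 hex characters,
# well above the 30-character minimum.
def generate_session_secret
  SecureRandom.hex(64)
end

# Rewrite the :secret value in the config text with a freshly generated one.
def rotate_session_secret(config_text, new_secret = generate_session_secret)
  config_text.sub(/(:secret\s*=>\s*)['"][^'"]*['"]/, "\\1'#{new_secret}'")
end

# Constructed sample: what a freshly generated (unchanged) app would contain.
SAMPLE_DEFAULT_CONFIG = <<-RUBY
  config.action_controller.session = {
    :session_key => '_spree_session',
    :secret      => '#{KNOWN_DEFAULT_SECRET_PREFIX}'
  }
RUBY

if __FILE__ == $0
  puts "default app: #{audit_session_secret(SAMPLE_DEFAULT_CONFIG)}"
  fixed = rotate_session_secret(SAMPLE_DEFAULT_CONFIG)
  puts "after rotation: #{audit_session_secret(fixed)}"
  puts fixed
end
```

Run it against the text of your own `config/environment.rb` (for example `audit_session_secret(File.read('config/environment.rb'))`) to see whether the app still carries the default; rotating the secret invalidates every existing session cookie, which is the intended effect here.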

For more details please see the related issue report.