Garbage Collection of :form_keys

In each session, keep only the 30 most recent :form_keys generated by form_spam_protection.
This should be more than enough for ordinary usage, but prevents the session data from
becoming inordinately large.

Also, burnt-orange rulz!
Jacques Distler 2008-01-17 03:20:19 -06:00
parent 6359d06ed1
commit 72b4f97382
3 changed files with 9 additions and 7 deletions


@ -34,7 +34,7 @@
<label for="color">Color:</label> <label for="color">Color:</label>
<select id="color" name="color"> <select id="color" name="color">
<%= html_options({ 'Green' => '008B26', 'Purple' => '504685', 'Red' => 'DA0006', <%= html_options({ 'Green' => '008B26', 'Purple' => '504685', 'Red' => 'DA0006',
'Orange' => 'FA6F00', 'Grey' => '8BA2B0' }, @web.color) %> 'Orange' => 'C50', 'Grey' => '8BA2B0' }, @web.color) %>
</select> </select>
<br/> <br/>
<p> <p>


@ -14,13 +14,13 @@ module FormSpamProtection
def protect_form_handler_from_spam def protect_form_handler_from_spam
unless request.get? || request.xml_http_request? unless request.get? || request.xml_http_request?
if params[:_form_key] && session[:form_keys] && session[:form_keys].keys.include?(params[:_form_key]) if params[:_form_key] && session[:form_keys] && session[:form_keys].keys.include?(params[:_form_key])
session[:form_keys][params[:_form_key]] += 1 session[:form_keys][params[:_form_key]][1] += 1
if session[:form_keys][params[:_form_key]] >= 4 if session[:form_keys][params[:_form_key]][1] >= 4
render :text => "You cannot resubmit this form again.", :layout => false, :status => 403 render :text => "You cannot resubmit this form again.", :layout => 'error', :status => 403
return false return false
end end
else else
render :text => "You must have Javascript on to submit this form.", :layout => false, :status => 403 render :text => "You must have Javascript on to submit this form.", :layout => 'error', :status => 403
return false return false
end end
end end
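Review bot: The new `[1] += 1` on the counter line assumes every entry in `session[:form_keys]` is already the `[time, count]` pair this commit introduces, but a session created before the deploy still holds a bare Integer there; `Integer#[]` returns a bit, so the read succeeds and the following `[]=` raises NoMethodError, turning a legitimate resubmit into a 500 instead of the intended 403 (this only matters if sessions survive the deploy — cookie or database store — which I cannot confirm from here). Migrating a legacy entry before touching it closes that gap and also removes the repeated `session[:form_keys][params[:_form_key]]` chain; the creation time of a legacy entry is not recoverable, so the timestamp used for it is a guess and the comment should say so. On the unchanged guard line, `keys.include?` builds an Array on every request where `session[:form_keys].key?(params[:_form_key])` would not. The method's closing `end` lies outside the hunk.
```ruby
    if params[:_form_key] && session[:form_keys] && session[:form_keys].keys.include?(params[:_form_key])
      # entries are [created_at, submit_count]; a bare Integer is a count written by the pre-change format
      entry = session[:form_keys][params[:_form_key]]
      entry = session[:form_keys][params[:_form_key]] = [Time.now, entry] if entry.is_a?(Integer)
      entry[1] += 1
      if entry[1] >= 4
        # … unchanged: 403 "You cannot resubmit this form again." …
```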


@ -8,7 +8,9 @@ module ActionView
if name == :form && @protect_form_from_spam if name == :form && @protect_form_from_spam
session[:form_keys] ||= {} session[:form_keys] ||= {}
form_key = Digest::SHA1.hexdigest(self.object_id.to_s + rand.to_s) form_key = Digest::SHA1.hexdigest(self.object_id.to_s + rand.to_s)
session[:form_keys][form_key] = 0 session[:form_keys][form_key] = [Time.now, 0]
first = session[:form_keys].values.sort { |a,b| a[0] <=> b[0] } [0]
session[:form_keys].delete(session[:form_keys].index(first)) if session[:form_keys].length > 30
out << domEnkode(form_key) out << domEnkode(form_key)
end end
end end
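Review bot: The eviction on the two added lines sorts the whole key table every time a protected form is built, even though the `delete` is only reached once more than 30 entries exist, and `Hash#index` is the deprecated spelling of `Hash#key` on later Rubies; both lines fold into one guarded statement, `session[:form_keys].delete(session[:form_keys].min_by { |_, v| v[0] }.first) if session[:form_keys].length > 30` (`Enumerable#min_by` is Ruby 1.8.7+ — confirm against the app's target Ruby). Looking the key up via `index(first)` also matches by value equality on the `[Time, Integer]` pair, so two entries created in the same `Time.now` tick resolve to whichever the hash yields first; harmless for eviction, but worth stating in a comment such as `# drop the oldest key once more than 30 are held; ties are resolved arbitrarily`. The `[Time.now, 0]` shape written here is what the counter increment in the form handler indexes into, so a one-line comment naming the element order, `# form_key => [created_at, submit_count]`, would spare the next reader a cross-file lookup. The enclosing method starts before the hunk.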