packages feed

yesod-core 1.6.11 → 1.6.12

raw patch · 3 files changed

+14/−3 lines, 3 files

Files

ChangeLog.md view
@@ -1,5 +1,9 @@ # ChangeLog for yesod-core +## 1.6.12++* Use at most one valid session cookie per request [#1581](https://github.com/yesodweb/yesod/pull/1581)+ ## 1.6.11  * Deprecate insecure JSON parsing functions [#1576](https://github.com/yesodweb/yesod/pull/1576)
Yesod/Core/Class/Yesod.hs view
@@ -23,6 +23,7 @@ import Data.Aeson (object, (.=)) import           Data.List                          (foldl', nub) import qualified Data.Map                           as Map+import           Data.Maybe                         (catMaybes) import           Data.Monoid import           Data.Text                          (Text) import qualified Data.Text                          as T@@ -820,6 +821,12 @@     sbLoadSession = loadClientSession key getCachedDate "_SESSION"   } +justSingleton :: a -> [Maybe a] -> a+justSingleton d = just . catMaybes+  where+    just [s] = s+    just _   = d+ loadClientSession :: CS.Key                   -> IO ClientSessionDateCache -- ^ See 'clientSessionDateCacher'                   -> S8.ByteString -- ^ session name@@ -830,11 +837,11 @@     load = do       date <- getCachedDate       return (sess date, save date)-    sess date = Map.unions $ do+    sess date = justSingleton Map.empty $ do       raw <- [v | (k, v) <- W.requestHeaders req, k == "Cookie"]       val <- [v | (k, v) <- parseCookies raw, k == sessionName]       let host = "" -- fixme, properly lock sessions to client address-      maybe [] return $ decodeClientSession key date host val+      return $ decodeClientSession key date host val     save date sess' = do       -- We should never cache the IV!  Be careful!       iv <- liftIO CS.randomIV
yesod-core.cabal view
@@ -1,5 +1,5 @@ name:            yesod-core-version:         1.6.11+version:         1.6.12 license:         MIT license-file:    LICENSE author:          Michael Snoyman <michael@snoyman.com>