From 43696ef8d0f1069c91fe13830d3db54694cb42cd Mon Sep 17 00:00:00 2001
From: Nobuyoshi Nakada <nobu@ruby-lang.org>
Date: Thu, 24 Apr 2025 19:39:11 +0900
Subject: [PATCH] Add 'digest' option

The option specifies the digest algorithm to hash the session id when
generating the filename for this session's FileStore file.  It is
defaulted to "MD5" because of backward compatibility for now.
---
 lib/cgi/session.rb           | 13 ++++++++++---
 test/cgi/test_cgi_session.rb | 23 ++++++++++++++++++++++-
 2 files changed, 32 insertions(+), 4 deletions(-)

diff --git a/lib/cgi/session.rb b/lib/cgi/session.rb
index aab6086..6d93566 100644
--- a/lib/cgi/session.rb
+++ b/lib/cgi/session.rb
@@ -210,15 +210,19 @@ def create_new_id
     # suffix:: the prefix to add to the session id when generating
     #          the filename for this session's FileStore file.
     #          Defaults to the empty string.
+    # digest:: the digest algorithm to hash the session id when
+    #          generating the filename for this session's FileStore
+    #          file.  Defaults to "MD5".
     def new_store_file(option={}) # :nodoc:
       dir = option['tmpdir'] || Dir::tmpdir
       prefix = option['prefix']
       suffix = option['suffix']
-      require 'digest/md5'
-      md5 = Digest::MD5.hexdigest(session_id)[0,16]
+      algorithm = option['digest'] || 'MD5'
+      require 'digest'
+      digest = Digest(algorithm).hexdigest(session_id)[0,16]
       path = dir+"/"
       path << prefix if prefix
-      path << md5
+      path << digest
       path << suffix if suffix
       if File::exist? path
         hash = nil
@@ -410,6 +414,9 @@ class FileStore
       # suffix:: the prefix to add to the session id when generating
       #          the filename for this session's FileStore file.
       #          Defaults to the empty string.
+      # digest:: the digest algorithm to hash the session id when
+      #          generating the filename for this session's FileStore
+      #          file.  Defaults to "MD5".
       #
       # This session's FileStore file will be created if it does
       # not exist, or opened if it does.
diff --git a/test/cgi/test_cgi_session.rb b/test/cgi/test_cgi_session.rb
index 32b907d..722c471 100644
--- a/test/cgi/test_cgi_session.rb
+++ b/test/cgi/test_cgi_session.rb
@@ -55,8 +55,8 @@ def test_cgi_session_filestore
     assert_equal(value1,session["key1"])
     assert_equal(value2,session["key2"])
     session.close
-
   end
+
   def test_cgi_session_pstore
     update_env(
       'REQUEST_METHOD'  => 'GET',
@@ -92,6 +92,7 @@ def test_cgi_session_pstore
     assert_equal(value2,session["key2"])
     session.close
   end if defined?(::PStore)
+
   def test_cgi_session_specify_session_id
     update_env(
       'REQUEST_METHOD'  => 'GET',
@@ -130,6 +131,7 @@ def test_cgi_session_specify_session_id
     assert_equal("foo",session.session_id)
     session.close
   end
+
   def test_cgi_session_specify_session_key
     update_env(
       'REQUEST_METHOD'  => 'GET',
@@ -166,4 +168,23 @@ def test_cgi_session_specify_session_key
     assert_equal(value2,session["key2"])
     session.close
   end
+
+  def test_cgi_session_filestore_digest
+    session_id = "banana"
+    path_md5 = session_file_store_path("tmpdir"=>@session_dir, "session_id"=>session_id)
+    assert_equal path_md5, session_file_store_path("tmpdir"=>@session_dir, "session_id"=>session_id)
+    path_sha512 = session_file_store_path("tmpdir"=>@session_dir, "session_id"=>session_id, "digest"=>"SHA512")
+    assert_not_equal path_sha512, path_md5
+  end
+
+  private
+
+  def session_file_store_path(options)
+    cgi = Object.new
+    session = CGI::Session.new(cgi, options)
+    session.delete
+    dbman = session.instance_variable_get(:@dbman)
+    assert_kind_of(CGI::Session::FileStore, dbman)
+    dbman.instance_variable_get(:@path)
+  end
 end