authorKasper Timm Hansen <kaspth@gmail.com>2019-08-05 03:57:08 +0200
committerGitHub <noreply@github.com>2019-08-05 03:57:08 +0200
commit4f235e9a86d4589f2081f971e5e66d42586333bb (patch)
treeb555b83df541e5fb6b050691f616a9d0c3e6c145
parent3d1f6feda2f04f0a3e7a9592142ebe559ea1120a (diff)
parent27db230bd105e77e27375033ddcb487ef481686b (diff)
Merge pull request #36537 from quadule/fix-cookie-rotation-hash-pollution
Fix cookie modification during rotation
-rw-r--r--actionpack/lib/action_dispatch/middleware/cookies.rb8
-rw-r--r--actionpack/test/dispatch/cookies_test.rb13
2 files changed, 19 insertions, 2 deletions
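--- a/actionpack/lib/action_dispatch/middleware/cookies.rb
+++ b/actionpack/lib/action_dispatch/middleware/cookies.rb
@@ -532,9 +532,13 @@ module ActionDispatch
 if value
 case
 when needs_migration?(value)
-self[name] = Marshal.load(value)
+Marshal.load(value).tap do |v|
+self[name] = { value: v }
+end
 when rotate
-self[name] = serializer.load(value)
+serializer.load(value).tap do |v|
+self[name] = { value: v }
+end
 else
 serializer.load(value)
 end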
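Review bot: The `{ value: v }` wrapping added in both the `needs_migration?` and `rotate` branches carries no comment, so nothing stops a later cleanup from collapsing it back to `self[name] = v` and reintroducing the bug this merge fixes. Judging by the PR title and the new test's name, a bare Hash handed to `#[]=` is taken as cookie options and the payload gets altered on rewrite; record that above the first branch, e.g. `# Wrap in an options hash: a Hash payload passed straight to #[]= is read as cookie options (#36537).`. The two branches also share the same tap/assign shape and could delegate to one small private helper so the rewrite logic lives in one place. The enclosing method starts before this hunk; the `Marshal.load` on the migration path is presumably reached only after the cookie has been verified upstream, which is worth stating in the same comment.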
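--- a/actionpack/test/dispatch/cookies_test.rb
+++ b/actionpack/test/dispatch/cookies_test.rb
@@ -893,6 +893,19 @@ class CookiesTest < ActionController::TestCase
 assert_equal 45, encryptor.decrypt_and_verify(@response.cookies["foo"])
 end
+def test_cookie_with_hash_value_not_modified_by_rotation
+@request.env["action_dispatch.signed_cookie_digest"] = "SHA256"
+@request.env["action_dispatch.cookies_rotations"].rotate :signed, digest: "SHA1"
+
+key_generator = @request.env["action_dispatch.key_generator"]
+old_secret = key_generator.generate_key(@request.env["action_dispatch.signed_cookie_salt"])
+old_value = ActiveSupport::MessageVerifier.new(old_secret).generate(bar: "baz")
+
+@request.headers["Cookie"] = "foo=#{old_value}"
+get :get_signed_cookie
+assert_equal({ bar: "baz" }, @controller.send(:cookies).signed[:foo])
+end
+
 def test_cookie_with_all_domain_option
 get :set_cookie_with_domain
 assert_response :success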
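Review bot: The new test asserts only the value read back through `cookies.signed[:foo]` and never inspects `@response.cookies["foo"]`, so it would still pass if rotation silently stopped rewriting the cookie or rewrote it under the old digest. Mirror the preceding test's `encryptor.decrypt_and_verify(@response.cookies["foo"])` check: verify the response cookie with a verifier built on the same key and `digest: "SHA256"` and assert it decodes to the original hash. The digest of `old_value` is left at `ActiveSupport::MessageVerifier`'s default rather than passed explicitly as `digest: "SHA1"`; spelling it out makes the rotation pair obvious to a reader. The enclosing test class continues beyond this hunk.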