aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAssain <assainjaleel20@gmail.com>2018-08-13 23:26:26 +0530
committerAssain <assainjaleel20@gmail.com>2018-08-13 23:36:03 +0530
commit5fbdfef0a3ac7652523b27d7e5e6702152c554a1 (patch)
tree1a9db6dae876d1ed4920af0e5343dc0953f73b1d
parentf2970a08b57ebcdb9cbf8eec5d10a7f04eb7b9d3 (diff)
downloadrails-5fbdfef0a3ac7652523b27d7e5e6702152c554a1.tar.gz
rails-5fbdfef0a3ac7652523b27d7e5e6702152c554a1.tar.bz2
rails-5fbdfef0a3ac7652523b27d7e5e6702152c554a1.zip
Changelog for the new purpose metadata and improved tests
-rw-r--r--actionpack/CHANGELOG.md16
-rw-r--r--actionpack/test/dispatch/cookies_test.rb12
2 files changed, 20 insertions, 8 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index a5497aa055..a30f178190 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,3 +1,19 @@
+* Purpose metadata for signed/encrypted cookies.
+
+ Rails can now thwart attacks that attempt to copy signed/encrypted value
+ of a cookie and use it as the value of another cookie.
+
+ It does so by stashing the cookie-name in the purpose field which is
+ then signed/encrypted along with the cookie value. Then, on a server-side
+ read, we verify the cookie-names and discard any attacked cookies.
+
+ Enable `action_dispatch.use_cookies_with_metadata` to use this feature, which
+ writes cookies with the new purpose and expiry metadata embedded.
+
+ Pull Request: #32937
+
+ *Assain Jaleel*
+
* Raises `ActionController::RespondToMismatchError` with confliciting `respond_to` invocations.
`respond_to` can match multiple types and lead to undefined behavior when
diff --git a/actionpack/test/dispatch/cookies_test.rb b/actionpack/test/dispatch/cookies_test.rb
index 34ead0a4c0..6637c2cae9 100644
--- a/actionpack/test/dispatch/cookies_test.rb
+++ b/actionpack/test/dispatch/cookies_test.rb
@@ -1405,8 +1405,7 @@ class CookiesTest < ActionController::TestCase
assert_equal "5-2-Stable Chocolate Cookies", cookies.encrypted[:favorite]
- freeze_time do
- travel 1001.years
+ travel 1001.years do
assert_nil cookies.encrypted[:favorite]
end
@@ -1422,8 +1421,7 @@ class CookiesTest < ActionController::TestCase
assert_equal "5-2-Stable Choco Chip Cookie", cookies.signed[:favorite]
- freeze_time do
- travel 1001.years
+ travel 1001.years do
assert_nil cookies.signed[:favorite]
end
@@ -1439,8 +1437,7 @@ class CookiesTest < ActionController::TestCase
assert_equal "5-2-Stable Chocolate Cookies", cookies.encrypted[:favorite]
- freeze_time do
- travel 1001.years
+ travel 1001.years do
assert_nil cookies.encrypted[:favorite]
end
@@ -1456,8 +1453,7 @@ class CookiesTest < ActionController::TestCase
assert_equal "5-2-Stable Choco Chip Cookie", cookies.signed[:favorite]
- freeze_time do
- travel 1001.years
+ travel 1001.years do
assert_nil cookies.signed[:favorite]
end