author | Assain <assainjaleel20@gmail.com> | 2018-08-13 23:26:26 +0530 |
---|---|---|
committer | Assain <assainjaleel20@gmail.com> | 2018-08-13 23:36:03 +0530 |
commit | 5fbdfef0a3ac7652523b27d7e5e6702152c554a1 (patch) | |
tree | 1a9db6dae876d1ed4920af0e5343dc0953f73b1d | |
parent | f2970a08b57ebcdb9cbf8eec5d10a7f04eb7b9d3 (diff) | |
Changelog for the new purpose metadata and improved tests
-rw-r--r-- | actionpack/CHANGELOG.md | 16 | ||||
-rw-r--r-- | actionpack/test/dispatch/cookies_test.rb | 12 |
2 files changed, 20 insertions, 8 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index a5497aa055..a30f178190 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,3 +1,19 @@
+* Purpose metadata for signed/encrypted cookies.
+
+  Rails can now thwart attacks that attempt to copy signed/encrypted value
+  of a cookie and use it as the value of another cookie.
+
+  It does so by stashing the cookie-name in the purpose field which is
+  then signed/encrypted along with the cookie value. Then, on a server-side
+  read, we verify the cookie-names and discard any attacked cookies.
+
+  Enable `action_dispatch.use_cookies_with_metadata` to use this feature, which
+  writes cookies with the new purpose and expiry metadata embedded.
+
+  Pull Request: #32937
+
+  *Assain Jaleel*
+
 * Raises `ActionController::RespondToMismatchError` with confliciting `respond_to` invocations.
   `respond_to` can match multiple types and lead to undefined behavior when
diff --git a/actionpack/test/dispatch/cookies_test.rb b/actionpack/test/dispatch/cookies_test.rb
index 34ead0a4c0..6637c2cae9 100644
--- a/actionpack/test/dispatch/cookies_test.rb
+++ b/actionpack/test/dispatch/cookies_test.rb
@@ -1405,8 +1405,7 @@ class CookiesTest < ActionController::TestCase
     assert_equal "5-2-Stable Chocolate Cookies", cookies.encrypted[:favorite]
-    freeze_time do
-      travel 1001.years
+    travel 1001.years do
       assert_nil cookies.encrypted[:favorite]
     end
@@ -1422,8 +1421,7 @@ class CookiesTest < ActionController::TestCase
     assert_equal "5-2-Stable Choco Chip Cookie", cookies.signed[:favorite]
-    freeze_time do
-      travel 1001.years
+    travel 1001.years do
       assert_nil cookies.signed[:favorite]
     end
@@ -1439,8 +1437,7 @@ class CookiesTest < ActionController::TestCase
     assert_equal "5-2-Stable Chocolate Cookies", cookies.encrypted[:favorite]
-    freeze_time do
-      travel 1001.years
+    travel 1001.years do
       assert_nil cookies.encrypted[:favorite]
     end
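Review bot: `assert_nil cookies.encrypted[:favorite]` inside the new `travel 1001.years do` block shows the value is unreadable far past expiry, but not that the expiry metadata is what rejects it — a wrong key, a serializer change or a purpose mismatch from the new metadata would yield the same nil, and the preceding `assert_equal` only proves the cookie was readable at write time. A read just inside the expiry window would pin the behaviour to expiry, e.g. `travel 999.years do assert_equal "5-2-Stable Chocolate Cookies", cookies.encrypted[:favorite] end`, with the offset derived from the expiry the cookie is written with. That expiry, and the start of the enclosing test method, lie before the hunk, so the `1001.years` literal repeated in all four tests appears to be a magic number whose relation to the written expiry is not visible; naming it next to that expiry would make the relationship explicit.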
@@ -1456,8 +1453,7 @@ class CookiesTest < ActionController::TestCase
     assert_equal "5-2-Stable Choco Chip Cookie", cookies.signed[:favorite]
-    freeze_time do
-      travel 1001.years
+    travel 1001.years do
       assert_nil cookies.signed[:favorite]
     end |