| field | value | date |
|---|---|---|
| author | Ryuta Kamizono <kamipo@gmail.com> | 2018-08-30 20:25:00 +0900 |
| committer | GitHub <noreply@github.com> | 2018-08-30 20:25:00 +0900 |
| commit | 9297af5daf57c4dca7120a2979ba1923eb4e2a09 (patch) | |
| tree | f7c69dd0c4fbe4efbd550280e39378c7a4bc3396 | |
| parent | fa132efe8232ad374f30532c9ed25f7414f89483 (diff) | |
| parent | 03ba74c8f04c035adf29a7570883a51f7d56a555 (diff) | |
Merge pull request #33757 from bogdanvlviv/follow-up-32937
Follow up #32937 [ci skip]
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | actionpack/CHANGELOG.md | 6 |
| -rw-r--r-- | guides/source/configuring.md | 3 |
| -rw-r--r-- | guides/source/upgrading_ruby_on_rails.md | 11 |

3 files changed, 16 insertions, 4 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index a30f178190..0f5afc0416 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md @@ -10,8 +10,6 @@ Enable `action_dispatch.use_cookies_with_metadata` to use this feature, which writes cookies with the new purpose and expiry metadata embedded. - Pull Request: #32937 - *Assain Jaleel* * Raises `ActionController::RespondToMismatchError` with confliciting `respond_to` invocations. @@ -39,7 +37,7 @@ *Aaron Kromer* -* Pass along arguments to underlying `get` method in `follow_redirect!` +* Pass along arguments to underlying `get` method in `follow_redirect!`. Now all arguments passed to `follow_redirect!` are passed to the underlying `get` method. This for example allows to set custom headers for the @@ -56,7 +54,7 @@ *Vinicius Stock* -* Introduce ActionDispatch::DebugExceptions.register_interceptor +* Introduce `ActionDispatch::DebugExceptions.register_interceptor`. Exception aware plugin authors can use the newly introduced `.register_interceptor` method to get the processed exception, instead of diff --git a/guides/source/configuring.md b/guides/source/configuring.md index b20a2bb0d2..7265d1e05f 100644 --- a/guides/source/configuring.md +++ b/guides/source/configuring.md @@ -516,6 +516,9 @@ Defaults to `'signed cookie'`. signed and encrypted cookies use the AES-256-GCM cipher or the older AES-256-CBC cipher. It defaults to `true`. +* `config.action_dispatch.use_cookies_with_metadata` enables writing + cookies with the purpose and expiry metadata embedded. It defaults to `true`. + * `config.action_dispatch.perform_deep_munge` configures whether `deep_munge` method should be performed on the parameters. See [Security Guide](security.html#unsafe-query-generation) for more information. It defaults to `true`. diff --git a/guides/source/upgrading_ruby_on_rails.md b/guides/source/upgrading_ruby_on_rails.md index 3f8edd953d..befd4e08c0 100644 --- a/guides/source/upgrading_ruby_on_rails.md 
+++ b/guides/source/upgrading_ruby_on_rails.md @@ -85,6 +85,17 @@ Rails 6.1. You are encouraged to enable `config.force_ssl` to enforce HTTPS connections throughout your application. If you need to exempt certain endpoints from redirection, you can use `config.ssl_options` to configure that behavior. +### Purpose in signed or encrypted cookie is now embedded in the cookies values + +To improve security, Rails now embeds the purpose information in encrypted or signed cookies value. +Rails can now thwart attacks that attempt to copy signed/encrypted value +of a cookie and use it as the value of another cookie. + +This new embed information make those cookies incompatible with versions of Rails older than 6.0. + +If you require your cookies to be read by 5.2 and older, or you are still validating your 6.0 deploy and want +to allow you to rollback set +`Rails.application.config.action_dispatch.use_cookies_with_metadata` to `false`. Upgrading from Rails 5.1 to Rails 5.2 ------------------------------------- |
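Review bot: the unchanged context line `*   Raises `ActionController::RespondToMismatchError` with confliciting `respond_to` invocations.` in the first actionpack/CHANGELOG.md hunk carries a typo ("confliciting"); since this follow-up is already a wording pass over the neighbouring entries, fix it to "conflicting" here rather than leaving it for yet another follow-up.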
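Review bot: the new `config.action_dispatch.use_cookies_with_metadata` entry in guides/source/configuring.md says only that it "defaults to `true`", yet the upgrading-guide hunk in this same patch tells 5.2 upgraders to set it to `false` to keep a rollback path, which only makes sense if `true` is what a 6.0 application gets (for example through the 6.0 framework defaults) rather than an unconditional default; please confirm which it is and state it in the entry. The entry should also carry the one-line caveat the upgrading section gives (cookies written with the metadata cannot be read by Rails 5.2 and older), so that the option's description is complete on its own for someone who reads only the configuration guide.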
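Review bot: the new "Purpose in signed or encrypted cookie is now embedded in the cookies values" section in guides/source/upgrading_ruby_on_rails.md needs a grammar pass before it ships: `This new embed information make those cookies incompatible with versions of Rails older than 6.0.` should read "This newly embedded information makes those cookies incompatible with versions of Rails older than 6.0.", and `want to allow you to rollback set` should read "want to keep the ability to roll back, set"; the heading itself reads better as "Purpose in signed or encrypted cookie is now embedded in the cookie value". The section also describes only the purpose, while the configuring.md entry in this patch says the option embeds "purpose and expiry metadata"; mention both so the incompatibility note matches what is actually written into the cookie.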