Merge branch 'should-escape-cookie' of https://github.com/ma2gedev/rails into ma2gedev-should-escape-cookie

2 files changed, 8 insertions, 1 deletions

diff --git a/actionpack/lib/action_dispatch/middleware/cookies.rb b/actionpack/lib/action_dispatch/middleware/cookies.rb
index 3477aa8b29..601b55cb8f 100644
--- a/actionpack/lib/action_dispatch/middleware/cookies.rb
+++ b/actionpack/lib/action_dispatch/middleware/cookies.rb
@@ -337,7 +337,7 @@ module ActionDispatch
       end
 
       def to_header
-        @cookies.map { |k,v| "#{k}=#{v}" }.join ';'
+        @cookies.map { |k,v| "#{::Rack::Utils.escape(k)}=#{::Rack::Utils.escape(v)}" }.join ';'
       end
 
       def handle_options(options) #:nodoc:
diff --git a/actionpack/test/controller/test_case_test.rb b/actionpack/test/controller/test_case_test.rb
index b9caddcdb7..a054477282 100644
--- a/actionpack/test/controller/test_case_test.rb
+++ b/actionpack/test/controller/test_case_test.rb
@@ -137,6 +137,11 @@ XML
       head :created, location: 'created resource'
     end
 
+    def read_cookie
+      cookies["foo"]
+      render plain: 'ok'
+    end
+
     def delete_cookie
       cookies.delete("foo")
       render plain: 'ok'
@@ -825,8 +830,10 @@ XML
 
   def test_should_have_knowledge_of_client_side_cookie_state_even_if_they_are_not_set
     cookies['foo'] = 'bar'
+    cookies['escape'] = '+'
     get :no_op
     assert_equal 'bar', cookies['foo']
+    assert_equal '+', cookies['escape']
   end
 
   def test_should_detect_if_cookie_is_deleted