diff options
| author | Kasper Timm Hansen <kaspth@gmail.com> | 2018-08-15 19:57:49 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2018-08-15 19:57:49 +0200 |
| commit | d25e65a514574c71e31d6dc6d01589addc2b0170 (patch) | |
| tree | fcc5b8cfb855556414cae9e4658a966b3e77d020 | |
| parent | ce47479be03b1c56f5e24b67f9a5802ff30adcc2 (diff) | |
| parent | 5fbdfef0a3ac7652523b27d7e5e6702152c554a1 (diff) | |
| download | rails-d25e65a514574c71e31d6dc6d01589addc2b0170.tar.gz rails-d25e65a514574c71e31d6dc6d01589addc2b0170.tar.bz2 rails-d25e65a514574c71e31d6dc6d01589addc2b0170.zip | |
Merge pull request #33605 from assain/purpose-metadata-changelog-and-tests
Changelog and improved tests for purpose metadata added to cookies
| -rw-r--r-- | actionpack/CHANGELOG.md | 16 | ||||
| -rw-r--r-- | actionpack/test/dispatch/cookies_test.rb | 12 |
2 files changed, 20 insertions, 8 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index a5497aa055..a30f178190 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md @@ -1,3 +1,19 @@ +* Purpose metadata for signed/encrypted cookies. + + Rails can now thwart attacks that attempt to copy signed/encrypted value + of a cookie and use it as the value of another cookie. + + It does so by stashing the cookie-name in the purpose field which is + then signed/encrypted along with the cookie value. Then, on a server-side + read, we verify the cookie-names and discard any attacked cookies. + + Enable `action_dispatch.use_cookies_with_metadata` to use this feature, which + writes cookies with the new purpose and expiry metadata embedded. + + Pull Request: #32937 + + *Assain Jaleel* + * Raises `ActionController::RespondToMismatchError` with confliciting `respond_to` invocations. `respond_to` can match multiple types and lead to undefined behavior when diff --git a/actionpack/test/dispatch/cookies_test.rb b/actionpack/test/dispatch/cookies_test.rb index 34ead0a4c0..6637c2cae9 100644 --- a/actionpack/test/dispatch/cookies_test.rb +++ b/actionpack/test/dispatch/cookies_test.rb @@ -1405,8 +1405,7 @@ class CookiesTest < ActionController::TestCase assert_equal "5-2-Stable Chocolate Cookies", cookies.encrypted[:favorite] - freeze_time do - travel 1001.years + travel 1001.years do assert_nil cookies.encrypted[:favorite] end @@ -1422,8 +1421,7 @@ class CookiesTest < ActionController::TestCase assert_equal "5-2-Stable Choco Chip Cookie", cookies.signed[:favorite] - freeze_time do - travel 1001.years + travel 1001.years do assert_nil cookies.signed[:favorite] end @@ -1439,8 +1437,7 @@ class CookiesTest < ActionController::TestCase assert_equal "5-2-Stable Chocolate Cookies", cookies.encrypted[:favorite] - freeze_time do - travel 1001.years + travel 1001.years do assert_nil cookies.encrypted[:favorite] end @@ -1456,8 +1453,7 @@ class CookiesTest < ActionController::TestCase assert_equal "5-2-Stable Choco Chip Cookie", cookies.signed[:favorite] - freeze_time do - travel 1001.years + travel 1001.years do assert_nil cookies.signed[:favorite] end |