authorAndrew White <andrew.white@unboxedconsulting.com>2016-02-16 06:02:42 +0000
committerAndrew White <andrew.white@unboxedconsulting.com>2016-02-16 06:02:42 +0000
commitfd8b6c4bb5768cebf6499e7e87d22cebd1b82347 (patch)
treec4a51a3a8dda9d200285eb0c54546f54a58cc752 /actionpack/lib/action_dispatch
parent156c2cb571af8c2049e61c50232084a9351f428b (diff)
parent89df021375564fd613de646c53fa90b2d1eb7fb1 (diff)
Merge pull request #22828 from ma2gedev/should-escape-cookie
A cookie value is incorrect if value contains an escapable string in Rails 5 ActionController::TestCase
Diffstat (limited to 'actionpack/lib/action_dispatch')
-rw-r--r--actionpack/lib/action_dispatch/middleware/cookies.rb7
1 files changed, 6 insertions, 1 deletions
diff --git a/actionpack/lib/action_dispatch/middleware/cookies.rb b/actionpack/lib/action_dispatch/middleware/cookies.rb
index 3477aa8b29..f2f3150b56 100644
--- a/actionpack/lib/action_dispatch/middleware/cookies.rb
+++ b/actionpack/lib/action_dispatch/middleware/cookies.rb
@@ -2,6 +2,7 @@ require 'active_support/core_ext/hash/keys'
require 'active_support/key_generator'
require 'active_support/message_verifier'
require 'active_support/json'
+require 'rack/utils'
module ActionDispatch
class Request
@@ -337,7 +338,7 @@ module ActionDispatch
end
def to_header
- @cookies.map { |k,v| "#{k}=#{v}" }.join ';'
+ @cookies.map { |k,v| "#{escape(k)}=#{escape(v)}" }.join '; '
end
def handle_options(options) #:nodoc:
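Review bot: `to_header` has no comment explaining why names and values are now escaped, and the separator change from `;` to `; ` is equally unexplained. Without escaping, a `;` or `=` inside a value would be read as the start of another pair, so the reason is worth stating above the method, for example `# Escape each name and value so a ';' or '=' inside one cannot be parsed as an extra cookie pair.` It is also worth confirming that nothing stores already-encoded strings in `@cookies`, since those would now be encoded a second time; that cannot be checked from this hunk. The enclosing class starts outside the hunk.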
@@ -419,6 +420,10 @@ module ActionDispatch
private
+ def escape(string)
+ ::Rack::Utils.escape(string)
+ end
+
def make_set_cookie_header(header)
header = @set_cookies.inject(header) { |m, (k, v)|
if write_cookie?(v)
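Review bot: The new private `escape` helper has no comment saying which encoding it applies. `::Rack::Utils.escape` is form-component encoding, so a space is written as `+` rather than `%20`, and a value only round-trips if the reading side decodes with the matching `Rack::Utils.unescape`; presumably the cookie parser does, but that is not visible here. A one-line comment such as `# Form-encodes a cookie name or value; decode with Rack::Utils.unescape.` would record that. `make_set_cookie_header` continues past the end of the hunk.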