diff options
| -rw-r--r-- | actionpack/CHANGELOG.md | 4 | ||||
| -rw-r--r-- | actionpack/lib/action_dispatch/middleware/ssl.rb | 2 | ||||
| -rw-r--r-- | actionpack/test/dispatch/ssl_test.rb | 29 |
3 files changed, 34 insertions, 1 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index ee3ff907cc..e2a6ced1dc 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md @@ -1,3 +1,7 @@ +* Ignore spaces around delimiter in Set-Cookie header. + + *Yamagishi Kazutoshi* + * Remove deprecated Rails application fallback for integration testing, set `ActionDispatch.test_app` instead. diff --git a/actionpack/lib/action_dispatch/middleware/ssl.rb b/actionpack/lib/action_dispatch/middleware/ssl.rb index 8d5ab19f60..999c022535 100644 --- a/actionpack/lib/action_dispatch/middleware/ssl.rb +++ b/actionpack/lib/action_dispatch/middleware/ssl.rb @@ -57,7 +57,7 @@ module ActionDispatch cookies = cookies.split("\n") headers['Set-Cookie'] = cookies.map { |cookie| - if cookie !~ /;\s+secure(;|$)/i + if cookie !~ /;\s*secure\s*(;|$)/i "#{cookie}; secure" else cookie diff --git a/actionpack/test/dispatch/ssl_test.rb b/actionpack/test/dispatch/ssl_test.rb index 61b55f3d82..94969f795a 100644 --- a/actionpack/test/dispatch/ssl_test.rb +++ b/actionpack/test/dispatch/ssl_test.rb @@ -124,6 +124,35 @@ class SSLTest < ActionDispatch::IntegrationTest response.headers['Set-Cookie'].split("\n") end + + def test_flag_cookies_as_secure_with_has_not_spaces_before + self.app = ActionDispatch::SSL.new(lambda { |env| + headers = { + 'Content-Type' => "text/html", + 'Set-Cookie' => "problem=def; path=/;secure; HttpOnly" + } + [200, headers, ["OK"]] + }) + + get "https://example.org/" + assert_equal ["problem=def; path=/;secure; HttpOnly"], + response.headers['Set-Cookie'].split("\n") + end + + def test_flag_cookies_as_secure_with_has_not_spaces_after + self.app = ActionDispatch::SSL.new(lambda { |env| + headers = { + 'Content-Type' => "text/html", + 'Set-Cookie' => "problem=def; path=/; secure;HttpOnly" + } + [200, headers, ["OK"]] + }) + + get "https://example.org/" + assert_equal ["problem=def; path=/; secure;HttpOnly"], + response.headers['Set-Cookie'].split("\n") + end + def test_flag_cookies_as_secure_with_ignore_case self.app = ActionDispatch::SSL.new(lambda { |env| headers = { |