aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack
diff options
context:
space:
mode:
Diffstat (limited to 'actionpack')
-rw-r--r--actionpack/CHANGELOG.md6
-rw-r--r--actionpack/lib/action_dispatch/middleware/cookies.rb5
2 files changed, 6 insertions, 5 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index 1d4b27a0f9..16090e7946 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -7,14 +7,14 @@
*Michael J Coyne*
-* Use Capybara registered `:puma` server config.
+* Use Capybara registered `:puma` server config.
The Capybara registered `:puma` server ensures the puma server is run in process so
connection sharing and open request detection work correctly by default.
*Thomas Walpole*
-* Cookies `:expires` option supports `ActiveSupport::Duration` object.
+* Cookies `:expires` option supports `ActiveSupport::Duration` object.
cookies[:user_name] = { value: "assain", expires: 1.hour }
cookies[:key] = { value: "a yummy cookie", expires: 6.months }
@@ -23,7 +23,7 @@
*Assain Jaleel*
-* Enforce signed/encrypted cookie expiry server side.
+* Enforce signed/encrypted cookie expiry server side.
Rails can thwart attacks by malicious clients that don't honor a cookie's expiry.
diff --git a/actionpack/lib/action_dispatch/middleware/cookies.rb b/actionpack/lib/action_dispatch/middleware/cookies.rb
index eb193fcbfb..86a070c6ad 100644
--- a/actionpack/lib/action_dispatch/middleware/cookies.rb
+++ b/actionpack/lib/action_dispatch/middleware/cookies.rb
@@ -615,10 +615,11 @@ module ActionDispatch
end
if upgrade_legacy_hmac_aes_cbc_cookies?
- secret = request.key_generator.generate_key(request.encrypted_cookie_salt)
+ legacy_cipher = "aes-256-cbc"
+ secret = request.key_generator.generate_key(request.encrypted_cookie_salt, ActiveSupport::MessageEncryptor.key_len(legacy_cipher))
sign_secret = request.key_generator.generate_key(request.encrypted_signed_cookie_salt)
- @encryptor.rotate secret, sign_secret, cipher: "aes-256-cbc", digest: digest, serializer: SERIALIZER
+ @encryptor.rotate(secret, sign_secret, cipher: legacy_cipher, digest: digest, serializer: SERIALIZER)
end
if upgrade_legacy_signed_cookies?
generated by cgit v1.2.3 (git 2.25.1) at 2024-12-29 14:36:18 +0000