From 4c743587ad6a31908503ab317e37d70361d49e66 Mon Sep 17 00:00:00 2001 From: Aaron Patterson Date: Sun, 10 Mar 2019 16:37:46 -0700 Subject: Fix possible dev mode RCE If the secret_key_base is nil in dev or test generate a key from random bytes and store it in a tmp file. This prevents the app developers from having to share / checkin the secret key for dev / test but also maintains a key between app restarts in dev/test. [CVE-2019-5420] Co-Authored-By: eileencodes Co-Authored-By: John Hawthorn --- actionpack/lib/action_dispatch/middleware/session/cookie_store.rb | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'actionpack/lib/action_dispatch/middleware/session/cookie_store.rb') diff --git a/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb b/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb index 02ccfbc81a..7c43c781c7 100644 --- a/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb +++ b/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb @@ -24,9 +24,10 @@ module ActionDispatch # # Rails.application.config.session_store :cookie_store, key: '_your_app_session' # - # By default, your secret key base is derived from your application name in - # the test and development environments. In all other environments, it is stored - # encrypted in the config/credentials.yml.enc file. + # In the development and test environments your application's secret key base is + # generated by Rails and stored in a temporary file in tmp/development_secret.txt. + # In all other environments, it is stored encrypted in the + # config/credentials.yml.enc file. # # If your application was not updated to Rails 5.2 defaults, the secret_key_base # will be found in the old config/secrets.yml file. -- cgit v1.2.3
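Review bot: the replacement comment in this hunk says the secret key base for both the development and test environments is stored in tmp/development_secret.txt, but the file name reads as development-only; state explicitly whether the test environment reuses that same file, otherwise a reader will assume a separate tmp/test_secret.txt exists. Since the commit message's stated goal is that developers no longer have to share or check in the key, the comment should also say that this file is machine-local and must not be committed, for example `# This file is generated on first use and should not be committed to source control.` This hunk only touches documentation; the key-generation code it describes is not in the diff shown here (the view is limited to cookie_store.rb), so the comment cannot be checked against the implementation from this page alone.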