From ca937c59cd69c05cbb92bad4839d931061e15b69 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Luis=20Leal=20Cardoso=20Junior?=
 <andrehjr@gmail.com>
Date: Sun, 17 Mar 2019 00:43:43 -0300
Subject: Don't override @set_cookies on CookieJar#update_cookies_from_jar'

When building the cookie_jar for the current test request.
It was possible for this method to override keys currently being set on the test itself.
In situations such as when making two requests mixing creating the cookie on the test and the controller.
---
 actionpack/lib/action_dispatch/middleware/cookies.rb |  2 +-
 actionpack/test/dispatch/cookies_test.rb             | 13 +++++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)

(limited to 'actionpack')

diff --git a/actionpack/lib/action_dispatch/middleware/cookies.rb b/actionpack/lib/action_dispatch/middleware/cookies.rb
index 1611a8b3dd..b69bcab05c 100644
--- a/actionpack/lib/action_dispatch/middleware/cookies.rb
+++ b/actionpack/lib/action_dispatch/middleware/cookies.rb
@@ -338,7 +338,7 @@ module ActionDispatch
 
       def update_cookies_from_jar
         request_jar = @request.cookie_jar.instance_variable_get(:@cookies)
-        set_cookies = request_jar.reject { |k, _| @delete_cookies.key?(k) }
+        set_cookies = request_jar.reject { |k, _| @delete_cookies.key?(k) || @set_cookies.key?(k) }
 
         @cookies.update set_cookies if set_cookies
       end
diff --git a/actionpack/test/dispatch/cookies_test.rb b/actionpack/test/dispatch/cookies_test.rb
index 4aaac1320e..2c67bb779f 100644
--- a/actionpack/test/dispatch/cookies_test.rb
+++ b/actionpack/test/dispatch/cookies_test.rb
@@ -123,6 +123,11 @@ class CookiesTest < ActionController::TestCase
       head :ok
     end
 
+    def set_cookie_if_not_present
+      cookies["user_name"] = "alice" unless cookies["user_name"].present?
+      head :ok
+    end
+
     def logout
       cookies.delete("user_name")
       head :ok
@@ -1128,6 +1133,14 @@ class CookiesTest < ActionController::TestCase
     assert_equal "bar", @controller.encrypted_cookie
   end
 
+  def test_cookie_override
+    get :set_cookie_if_not_present
+    assert_equal "alice", cookies["user_name"]
+    cookies["user_name"] = "bob"
+    get :set_cookie_if_not_present
+    assert_equal "bob", cookies["user_name"]
+  end
+
   def test_signed_cookie_with_expires_set_relatively
     request.env["action_dispatch.use_cookies_with_metadata"] = true
 
-- 
cgit v1.2.3