From 1704be74ee00c58ee8b1fb38e9cb0f5086e49771 Mon Sep 17 00:00:00 2001
From: Jonathan Hefner
Date: Sat, 6 Jun 2020 16:54:15 -0500
Subject: [PATCH] Strict match when choosing cookie domain for host

Prior to this commit, when multiple cookie domains were specified, the first domain that was a substring of the request host was chosen. This allowed, for example, the "example.com" domain to be chosen when the request host was "example.com.au" or even "myexample.com". This commit ensures a domain is chosen only if it is equal to or is a superdomain of the request host. Fixes #37760.
---
 actionpack/CHANGELOG.md | 5 +++++
 .../lib/action_dispatch/middleware/cookies.rb | 7 +++++--
 actionpack/test/dispatch/cookies_test.rb | 21 +++++++++++++++++++
 3 files changed, 31 insertions(+), 2 deletions(-)
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index 095c51cf08..06654903d6 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,3 +1,8 @@
+* When multiple domains are specified for a cookie, a domain will now be
+ chosen only if it is equal to or is a superdomain of the request host.
+
+ *Jonathan Hefner*
+
 * `ActionDispatch::Static` handles precompiled Brotli (.br) files.
 
 Adds to existing support for precompiled gzip (.gz) files.
diff --git a/actionpack/lib/action_dispatch/middleware/cookies.rb b/actionpack/lib/action_dispatch/middleware/cookies.rb
index 9e68ca31ea..05337dfb60 100644
--- a/actionpack/lib/action_dispatch/middleware/cookies.rb
+++ b/actionpack/lib/action_dispatch/middleware/cookies.rb
@@ -457,8 +457,11 @@ module ActionDispatch
 ".#{$&}"
 end
 elsif options[:domain].is_a? Array
- # If host matches one of the supplied domains without a dot in front of it.
- options[:domain] = options[:domain].find { |domain| request.host.include? domain.sub(/^\./, "") }
+ # If host matches one of the supplied domains.
+ options[:domain] = options[:domain].find do |domain|
+ domain = domain.delete_prefix(".")
+ request.host == domain || request.host.end_with?(".#{domain}")
+ end
 end
 end
 end
diff --git a/actionpack/test/dispatch/cookies_test.rb b/actionpack/test/dispatch/cookies_test.rb
index a853f19b8e..a6291422b0 100644
--- a/actionpack/test/dispatch/cookies_test.rb
+++ b/actionpack/test/dispatch/cookies_test.rb
@@ -1106,6 +1106,27 @@ class CookiesTest < ActionController::TestCase
 assert_cookie_header "user_name=rizwanreza; domain=example1.com; path=/; SameSite=Lax"
 end
 
+ def test_cookie_with_several_preset_domains_using_subdomain
+ @request.host = "subdomain.example1.com"
+ get :set_cookie_with_domains
+ assert_response :success
+ assert_cookie_header "user_name=rizwanreza; domain=example1.com; path=/; SameSite=Lax"
+ end
+
+ def test_cookie_with_several_preset_domains_using_similar_tld
+ @request.host = "example1.com.au"
+ get :set_cookie_with_domains
+ assert_response :success
+ assert_cookie_header "user_name=rizwanreza; path=/; SameSite=Lax"
+ end
+
+ def test_cookie_with_several_preset_domains_using_similar_domain
+ @request.host = "myexample1.com"
+ get :set_cookie_with_domains
+ assert_response :success
+ assert_cookie_header "user_name=rizwanreza; path=/; SameSite=Lax"
+ end
+
 def test_cookie_with_several_preset_domains_using_other_domain
 @request.host = "other-domain.com"
 get :set_cookie_with_domains
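Review bot: The block parameter `domain` is reassigned on the first line of the new `find` block, which reads as though the stripped name is what gets stored, while `find` actually returns the original array element, leading dot included; a separate local keeps that visible, e.g. `name = domain.delete_prefix(".")` / `request.host == name || request.host.end_with?(".#{name}")`, and the comment above it would say more as `# Pick the first supplied domain that equals the request host or is a parent domain of it; the array element itself (with any leading dot) is what is kept.` The comparison is also byte-wise, so unless `request.host` is already lower-cased upstream, a mixed-case Host header matches nothing and the cookie silently falls back to host-only — fail-closed, but worth either a `.downcase` on both sides or a comment stating that assumption. The enclosing method starts before this hunk, so its other branches were not reviewed here.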
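Review bot: The three new tests cover a subdomain, a look-alike TLD and a look-alike domain, but none exercises a configured entry with a leading dot, which is the only reason `delete_prefix(".")` exists in the matcher; if the domain list behind `set_cookie_with_domains` (defined outside this hunk) has no such entry, a test pairing a `".example1.com"` entry with `@request.host = "example1.com"` would pin that path. A mixed-case host such as `"Subdomain.Example1.com"` would likewise document whether matching is meant to be case-sensitive rather than leaving it implicit. The surrounding test class continues outside the hunk.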